Active and Passive FTP Transfers Defined - KB Article #1138
Related Articles -- 2091, 2100
FTP and FTPS both use multiple connections to perform file transfers. The first "control" connection is always made to a defined TCP port such as 21 or 990, but all directory listing and file transfer data is passed through additional "data" connections.
Passive (or "Firewall Friendly") Mode
In "passive" mode (a.k.a. "PASV"), both control and data connections are made from your FTP client to the FTP server. In firewalled deployments, all connections are made from the Internet to the server (rather than from the server back to the Internet), so passive mode is also known as "firewall friendly" mode in some products.
"Active" mode is how FTP originally worked, and it is still supported (and occasionally required) by many servers. In active mode, the control connection is made from the FTP client but all data connections are made from the FTP server to the FTP client. (Yes, back the other way.) In order for this to work, you usually need either no firewalls or firewalls that understand the FTP protocol and can dynamically open ports between clients and servers that look like they are performing ACTIVE mode FTP transfers.
Recommended Transfer Mode
You should always try to use passive mode, and only use active mode if a legacy deployment absolutely requires it. Fortunately, most modern clients and servers already support passive mode and use it by default when transferring files.
Network security teams prefer passive mode because it avoids inbound connections from the Internet back into individual clients. (Almost no corporate security team would permit this.) End users prefer passive mode because it is more reliable than active mode over the Internet. (Active mode doesn't work unless multiple firewalls have been configured to allow it; passive mode generally only requires the server firewall to have been configured.) Passive mode is also preferred when using FTPS (FTP over SSL/TLS) because firewalls that can make active mode adjustments for plain text FTP cannot read FTPS control channels or make active mode FTPS adjustments.
FTP Voyager Active/Passive Support
Our FTP Voyager FTP client tries to use passive mode by default (and falls back to active mode if passive does not work), but this setting can be overridden on a site-by-site basis under the "Advanced | Connection" settings ("Force PASV Mode") for the occasional server that requires active mode.
Serv-U Active/Passive Support
Passive Mode Transfers
When passive mode is used, the client first connects to the server on port 21. Then the client issues a PASV or EPSV command. The server replies with an IP address and port number, and the client uses that IP address and port number to establish the data connection.
In the illustration below we see what happens to establish a data connection. The green text is still part of the command connection. The blue text is the successful result of the data connection being established. Where the server replies to the PASV command, the first four numbers are the server's IP address. The last two define the port that will be used for the data connection. To figure out which port is used, multiply the fifth number by 256 and add the sixth. So in this example ((55 x 256) + 99) = 14179.
Active Mode Transfers
An active connection is different because the server actually connects back to the FTP client for the data connection. In the illustration below we see the PORT command being sent by the client. This time the client sends the server the IP address and port number to connect to. Then the FTP server tries to connect back to the FTP client using that information. (However, this typically only works if the client can receive inbound connections.)
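The PASV reply and PORT command decoding described in the two sections above, as an added Python example that is not Serv-U or FTP Voyager code. The sample replies and the control-peer address are constructed, and the fallback to the control-connection address when the advertised host differs is an assumed client-side safeguard (a NAT workaround many clients apply), not something the article specifies.

```python
import re

# Six comma-separated byte values, e.g. "(192,168,1,10,55,99)" in a 227 reply
# or as the argument of a PORT command. All sample values here are constructed.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text: str) -> tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1 * 256 + p2)."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in: {text!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: the server's 227 reply tells the client where to connect."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return _decode_hostport(reply)


def parse_port_command(line: str) -> tuple[str, int]:
    """Active mode: the client's PORT command tells the server where to connect back."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(arg)


def pasv_data_target(reply: str, control_peer: str) -> tuple[str, int]:
    """Choose where the client opens the passive data connection.

    Assumed safeguard: a server behind NAT may advertise a private address in
    its 227 reply, so use the control-connection peer address instead whenever
    the advertised host differs from it; only the port is taken from the reply.
    """
    host, port = parse_pasv_reply(reply)
    return (control_peer if host != control_peer else host), port


if __name__ == "__main__":
    # Constructed sample: the article's example yields (55 x 256) + 99 = 14179.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,55,99)."))
    print(parse_port_command("PORT 10,0,0,5,4,1"))
    print(pasv_data_target("227 Entering Passive Mode (10,0,0,7,55,99)", "203.0.113.4"))
```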