Active and Passive mode FTP connections

Posted:  May 14th, 2018

How active and passive FTP connections differ, and how each one works, is one of the most frequently asked questions. It is good to have an FTP host that supports both, because there are cases where one mode works and the other is refused. Such cases are usually caused by improperly configured firewalls and routers on the client's side or in the client's ISP network.

So, what is the difference between active and passive mode FTP connections? The answer lies in the port connections FTP uses. FTP is a TCP service that uses two ports. The first is the 'command port', which carries the communication between the FTP server and the FTP client. The second is the 'data transfer' port, over which the actual file transfer runs. Typically, the command port is port 21 and the data transfer port is port 20, but depending on the connection mode the data transfer port can change.

Difference between Active and Passive FTP

Where the FTP protocol is more complicated than other file transfer protocols is in the file transfers themselves. While the other protocols use the same connection for both session control and file (data) transfers, FTP uses a separate connection for file transfers and directory listings.

In active mode, the client starts listening on a random port for incoming data connections from the server (the client sends the FTP command PORT to tell the server on which port it is listening). Nowadays the client is typically behind a firewall (e.g. the built-in Windows firewall) or a NAT router (e.g. an ADSL modem) and is unable to accept incoming TCP connections.

For this reason the passive mode was introduced, and it is the mode mostly used nowadays. It is the default for WinSCP too. Using passive mode is preferable because most of the complex configuration is done only once, on the server side, by an experienced administrator, rather than individually on each client by (possibly) inexperienced users.

In passive mode, the client uses the control connection to send a PASV command to the server and receives in reply a server IP address and port number, which the client then uses to open the data connection to the server.

The active mode connection

When you try to establish an FTP connection in active mode, first check in your FTP software's settings whether "Active mode" is enabled. In the most popular free FTP programs the active mode is enabled by default. If it is disabled, enable it and proceed with filling in your FTP account details.

Look at the connection log below to see how the connection proceeds. You will notice that the client sends, over the control stream, a PORT command containing the dynamic port number on which it is listening, and then waits for a connection from the FTP server. When the FTP server initiates the data connection to the FTP client, it uses port 20 on the FTP server as the source port.

Active FTP Sample

ourworldB: {/home/p-t/kekhost/public_html} % ftp -d ourworld
Connected to ourworld.kekhost.com.
220 ourworld.kekhost.com FTP server ready.
Name (ourworld:kekhost): kekhost
---> USER kekhost
331 Password required for kekhost.
Password: TmpPass
---> PASS XXXX
230 User kekhost logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 68,205,87,182,12,195
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 kekhost    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

The passive mode connection

Passive mode FTP connections are designed to resolve problems with firewalls and routers that do not allow an active connection to be established.

If you can't connect to the server in active mode, enable the "Force Passive mode" option of your FTP client. The client will then initiate both connections to the server, which may resolve the problem even when your ISP's network or your personal firewall imposes restrictions.

Let's see how passive mode works. First, the FTP client opens two dynamic ports: a command port (for example port 1025) and a data transfer port (the command port + 1 = port 1026). Then the client connects its command port to port 21 on the server, but instead of sending a PORT command it sends a PASV command, which tells the server that the connection is in passive mode. When it receives the PASV command, the server opens a random dynamic port (for example 1027), which is forwarded to port 20 (the server's default data transfer port), and sends that port number back to the client. The FTP client then initiates the connection from its data port (port 1026) to the server's data port (port 1027) and starts the data transfer.

This mode is a good way of resolving problems with firewalls that filter the incoming data connection from the server to the client.

Passive FTP Sample

OurworldB: {/home/p-t/kekhost/public_html} % ftp -d ourworld
Connected to ourworld.kekhost.com.
220 ourworld.kekhost.com FTP server ready.
Name (ourworld:kekhost): kekhost
---> USER kekhost
331 Password required for kekhost.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (68,205,87,183,13,191).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------   3 kekhost    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.