Active vs. Passive FTP Simplified

The difference between active FTP and passive FTP modes lies in how connections are made. In active mode, the client initiates the connection with a PORT command, making the server connect back for data. In passive mode, the client uses a PASV command, gets a server port, and starts the data transfer connection.

  1. Blog

If a client encounters problems when connecting to your FTP server, one of the first things you might want to check is your FTP data transfer mode. Depending on specific network configurations, this mode should be active or passive. In this post, you’ll understand the salient points of active and passive FTP and learn how to avoid associated connectivity issues.

Before discussing which mode is best for what scenario, let’s first cover one crucial topic: the two channels of an FTP session.

FTP Command Channel And Data Channel

A typical FTP session operates using two channels between the FTP client and server: a command channel and a data channel. As their names imply, the command channel is used for transmitting commands and replies to those commands, while the data channel is used for transferring data.

Click play to watch a video version of this blog post instead.

Unless you configure your FTP server differently, you typically set your command channel to use FTP port 21. However, the FTP port you'll use for the data channel can differ depending on which data transfer mode you choose. If you choose active mode, the data channel will typically be FTP port 20. But if you choose passive mode, then the port that will be used will be random.

ftp command and data channels

Note that the FTP ports we are referring to up to this point are only those on the server side. We'll include client-side FTP ports later in this article.

Active Mode FTP

Among the two connection modes, active mode is the older one. Active FTP was introduced in the early days of computing when mainframes were more common and attacks on information security were not as prevalent.

Here's a simplified explanation of how an active mode connection is carried out, summarized in two steps and if you have questions about securing your FTP server, schedule a demo with one of our experts, and they'll be happy to support you.

Some relevant steps (e.g., ACK replies) have been omitted to simplify things.

  1. A user connects from a random port on a file transfer client to FTP port 21 on the server. It sends the PORT command, specifying what client-side port the server should connect to. This port will be used later on for the data channel and differs from the port used in this step for the command channel.
  2. The server connects from port 20 to the client port designated for the data channel. Once the data connection is established, file transfers are made through these client and server ports.

ftp active mode explanation

Passive Mode FTP

In passive mode, the client initiates a command channel (control connection) to the server. However, instead of sending the PORT command, it sends the PASV command, which requests a server port to connect to for data transmission. When the FTP server replies, it indicates what data port number it has opened for the ensuing data transfer.

Here's how passive mode works in a nutshell:

  1. The client connects from a random port to port 21 on the server and issues the PASV command. The server replies, indicating which (random) port it has opened for data transfer.
  2. The client connects from another random port to the random port specified in the server's response. Once the connection is established, data transfers are made through these client and server ports.

    ftp passive mode explanation

Active Mode vs Passive Mode FTP: Which Is More Suitable For You?

There's a reason why I opted to simplify those two diagrams above. I wanted to focus on the main difference between active mode and passive mode FTP data transfers. If you compare those two diagrams, one of the things that should stand out is the opposing direction in which the second arrows (which also represent the data channels) are pointing.

In this section, we'll focus on those second arrows and their associated ports.

In the active mode, the second arrow is pointing to the client. This means the client initially specifies which client-side port it has opened up for the data channel, and the server initiates the connection.

By contrast, the second arrow points to the server in the passive mode. Here, the server specifies which server-side port the client should connect to, and the client initiates the connection.

There shouldn't have been any problem had there not been any firewalls in existence. But threats to information security are on the rise; hence, firewalls are almost always a given. In most cases, clients are located behind a firewall or a NAT (which functions like a firewall). In such cases, only a select number of predefined ports will be accessible outside.

Remember that the server will attempt to connect to a random client-side port in an active mode configuration. So, chances are, that port wouldn't be one of those predefined ports. As a result, the firewall will block an attempt to connect to it, and no connection will be established.

Active mode FTP

In this particular scenario, a passive configuration will not pose a problem. That's because the client will initiate the connection, something that a client-side firewall won't have any problem with.

Passive mode FTP

The server side can have a firewall, too. However, since the server is expected to receive a greater number of connection requests compared to a client, then it would be logical for the server admin to adapt to the situation and open up a selection of ports to satisfy passive mode configurations.

Security Considerations When Setting Up Passive FTP

As explained earlier, if you're administering an FTP server, it would be best to configure your server to support passive mode FTP. However, you should remember that doing so would make your system more vulnerable to attacks. Remember that, in passive mode, clients are supposed to connect to random server ports.

Thus, to support this mode, your server should have multiple ports available, and your firewall should allow connections to all those ports to pass through!

But the more open ports you have, the more there will be to exploit. To mitigate the risks, a good solution would be to specify a range of ports on your server and then allow only that range of ports on your firewall.

How Wide Should The Passive Port Range Be?

The number of specific ports you need for passive FTP largely depends on the expected number of concurrent connections/file transfers. However, it's essential also to consider that although 100 concurrent file transfers would require 100 open ports on the server, what most people consider a "single file transfer" may actually consist of more than one. Let me explain.

For a typical end user, everything he downloads or uploads between when he logs in to the FTP server and when he logs out is just part of a single FTP file transfer. That's not true. Each file transmitted during that entire login session will actually require at least one port. So if 10 files are downloaded, then 10 ports are used. That's not all.

Some clients now use multiple connections when uploading files. For example, if a client has 100 files to upload, it might spawn 5 separate sessions to make the upload go faster. The result is that a single client may have 5 open passive connections at a time.

So, when deciding how many passive ports you want to open, you need to consider that a single client may actually open multiple concurrent passive connections. While no hard and fast rules dictate the number of ports that should comprise a port range, you will want to project your maximum number of concurrent users and allocate a sizable allowance based on that.

Where To Set Up Passive Port Range In JSCAPE MFT Server

For those already using JSCAPE MFT Server, you can specify a range of ports for your passive mode FTP connections by going to Services > FTP/S > Passive port range in your JSCAPE MFT Server Manager. Because low ports (particularly those < 1024) are reserved, choose a high port range (i.e., large numbers). For example, from 5000 to 6000. For better security, don't just copy the example. Use your own!

ftp passive port range mft server

If the IP address your server uses in responding to requests for passive connections is not routable via the Internet, you'll need to enter your public IP address in the Passive IP field.

We hope we can explain the difference between active and passive FTP in a manner you can easily understand.

Get Your Free Trial

Would you like to try this yourself?

Download your free JSCAPE MFT Server Trial now.

JSCAPE MFT Server and MFT SaaS are platform-agnostic and can be installed on Microsoft Windows, Linux, Mac OS X, and Solaris. They can handle any file transfer protocol and multiple protocols from a single server. Additionally, JSCAPE enables you to handle any file type, including batch files and XML.