Active and Passive modes in FTP
Active and passive are the two connection modes in which FTP can communicate. FTP is somewhat unique in that it uses two channels between client and server, the command channel and the data channel, which are usually carried on separate TCP connections. Typically the command channel is on port 21 and the data channel on port 20. The command channel carries commands and their responses; the data channel carries the actual transfer of files.
The difference between active and passive FTP connections lies in whether the server or the client initiates the data connection. In active mode, the server initiates the data connection to the client after the client has established a connection on the command channel. In passive mode it is the other way round: the client initiates the data connection to the server.
The sequence of events in Active mode is:
- Your client (FileZilla, for example) connects to the FTP server by establishing an FTP control connection to port 21 of the server.
- Whenever the client requests data over the control connection, the server initiates a data transfer connection back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
Active FTP may fail where the client is behind a firewall or many-to-one NAT (masquerading). This is because the firewall will not know which of the many hosts behind it should receive the return connection.
Active mode is more secure for the server, as it does not require unsecured ports to be open at the server end, because it is the server that initiates the data connection to the client.
Please note Active FTP mode is the default for the AUSWEB Windows Hosting Solutions, and as such needs to be enabled in your FTP client.
Passive mode works differently:
- Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server.
- Whenever the client requests data over the control connection, the client initiates the data transfer connection to the server. The source port of these data transfer connections is always a high port on the client, and the destination port is a high port on the server.
Passive mode should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive mode works better for clients protected by a firewall.
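As an added example (not part of the original article), the following Python script models both exchanges described above using the RFC 959 commands that carry them: PORT, which the client sends in active mode to tell the server which client address and high port to connect back to, and PASV, whose 227 reply tells the client which server address and high port to connect to. The script encodes and decodes the h1,h2,h3,h4,p1,p2 address form, works out which side opens the data connection and which side's firewall or NAT must therefore accept an inbound connection, and rejects a reply whose address differs from the peer of the control connection, which is the sanity check a client should apply before following a 227 reply. The addresses 192.168.1.10 (client) and 203.0.113.5 (server) are constructed sample values, and the function names are the example's own.

```python
from __future__ import annotations

import re
from ipaddress import IPv4Address

FTP_CONTROL_PORT = 21      # control channel, as in the article
FTP_ACTIVE_DATA_PORT = 20  # server-side source port of active-mode data connections

# h1,h2,h3,h4,p1,p2: four address octets, then the port as high byte, low byte (RFC 959)
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_port_arg(ip: str, port: int) -> str:
    """Build the argument of a client's PORT command from its address and data port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address validates the address
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(text: str) -> tuple[str, int]:
    """Parse the h1,h2,h3,h4,p1,p2 field of a PORT command or of a 227 reply to PASV."""
    m = _HOST_PORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def plan_data_connection(mode: str, client_ip: str, server_ip: str, line: str) -> dict:
    """Work out the endpoints of the FTP data connection for one transfer.

    mode == "active":  `line` is the PORT command the client sent.
    mode == "passive": `line` is the server's 227 reply to PASV.
    client_ip / server_ip are the peers of the existing control connection.
    """
    ip, port = decode_host_port(line)
    if port < 1024:
        # Data endpoints are always high ports; a low port here is a malformed
        # or untrustworthy announcement and should not be followed.
        raise ValueError("announced data port is not a high port")
    if mode == "active":
        if ip != client_ip:
            raise ValueError("PORT address does not match the client's control address")
        return {
            "initiator": "server",
            "src": (server_ip, FTP_ACTIVE_DATA_PORT),
            "dst": (client_ip, port),
            # This inbound connection is what a client-side firewall or
            # many-to-one NAT cannot map back to the right host.
            "inbound_accepted_by": "client-side firewall/NAT",
        }
    if mode == "passive":
        if ip != server_ip:
            raise ValueError("227 address does not match the server's control address")
        return {
            "initiator": "client",
            "src": (client_ip, None),  # ephemeral high port chosen by the client's OS
            "dst": (server_ip, port),
            "inbound_accepted_by": "server-side firewall",
        }
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    client, server = "192.168.1.10", "203.0.113.5"  # constructed sample addresses
    port_cmd = "PORT " + encode_port_arg(client, 50000)
    print(port_cmd, "->", plan_data_connection("active", client, server, port_cmd))
    pasv_reply = "227 Entering Passive Mode (203,0,113,5,234,23)"  # constructed reply
    print(pasv_reply, "->", plan_data_connection("passive", client, server, pasv_reply))
```

Running the script prints the two data-connection plans: in active mode the server connects from port 20 to the client's announced high port, so the client side must accept an inbound connection, while in passive mode the client connects to the high port announced in the 227 reply, so only the server side needs to accept inbound data connections.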