FTP active passive modes

The question of how to deal with firewalls and other Internet connectivity issues comes down mainly to the difference between active and passive FTP.
FTP is an unusual service, in that it utilizes two ports, a data port and a command port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins when we find that depending on the mode, the data port is not always on port 20.
Active (Non-Passive) Mode
In active mode the client is responsible for opening the listening port and telling the server what IP/port to connect to in order to perform the transfer. To start an active transfer the client sends the PORT command along with arguments telling the server what client-side listening IP/port the server should connect to in order to perform the transfer. Once the transfer is complete the port is closed by the client.
Steps in active FTP mode:
- the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21
- then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server
- the server will then connect back to the client's specified data port from its local data port, which is port 20.
Passive Mode
In passive mode the server is responsible for opening the listening port. When the client asks for a transfer, the server responds with the server-side IP address and port that the client should connect to in order to perform the transfer. Once the transfer is complete the port is closed by the server.
Who initiates connections?
In order to resolve the issue of the server initiating the connection to the client, a passive method for FTP connections was developed. The PASV command is used by the client to tell the server it is in passive mode.
Client initiates command as well as data connections.
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server.

Steps in passive FTP mode:
- when opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1)
- the first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command
- the result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client.
- the client then initiates the connection from port N+1 to port P on the server to transfer data.
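The two step lists above (active, where the server connects back to the client's port N+1, and passive, where the client connects to the server's port P) as an added Python example; this is not code from the original article. It decodes the h1,h2,h3,h4,p1,p2 field that RFC 959 uses both for the PORT argument and for the server's 227 reply to PASV (port = p1*256 + p2), enforces the unprivileged-port rule the steps state, and reports which side's firewall has to admit the inbound data connection. All IP addresses and ports in it are constructed.

```python
"""Decode the address/port field FTP exchanges for its data connection and
work out which side must accept an inbound connection in each mode.

Added example, not code from the original article. The h1,h2,h3,h4,p1,p2
field (port = p1*256 + p2) is the encoding RFC 959 uses for both the PORT
command and the 227 reply to PASV. All addresses used here are constructed.
"""
import re
from dataclasses import dataclass

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
UNPRIVILEGED_MIN = 1024   # the article's "N > 1023" and "P > 1023"


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

    def __str__(self) -> str:
        return f"{self.host}:{self.port}"


def parse_hostport(text: str) -> Endpoint:
    """Pull h1,h2,h3,h4,p1,p2 out of a PORT argument or a 227 reply line."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {text!r}")
    return Endpoint(".".join(map(str, nums[:4])), nums[4] * 256 + nums[5])


def encode_hostport(ep: Endpoint) -> str:
    """Inverse of parse_hostport: the argument a client puts after PORT."""
    octets = ep.host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 address: {ep.host!r}")
    if not 0 < ep.port <= 65535:
        raise ValueError(f"port out of range: {ep.port}")
    return ",".join(octets + [str(ep.port // 256), str(ep.port % 256)])


@dataclass(frozen=True)
class DataConnection:
    mode: str        # "active" or "passive"
    initiator: str   # side that opens the TCP data connection
    src: Endpoint
    dst: Endpoint

    def firewall_note(self) -> str:
        """State which side's firewall must admit the inbound data connection."""
        listener = "client" if self.initiator == "server" else "server"
        return (f"{self.mode}: {self.initiator} connects {self.src} -> {self.dst}; "
                f"{listener} firewall must allow inbound TCP to {self.dst}")


def active_data_connection(server_ip: str, port_argument: str) -> DataConnection:
    """Client sent 'PORT h1,...,p2'; the server connects back from its port 20."""
    client_ep = parse_hostport(port_argument)
    if client_ep.port < UNPRIVILEGED_MIN:
        raise ValueError(f"client data port {client_ep.port} is not unprivileged")
    return DataConnection("active", "server", Endpoint(server_ip, 20), client_ep)


def passive_data_connection(client_ip: str, client_data_port: int,
                            reply_227: str) -> DataConnection:
    """Server answered PASV with a 227 reply; the client connects from N+1 to P."""
    if not reply_227.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply_227!r}")
    server_ep = parse_hostport(reply_227)
    if server_ep.port < UNPRIVILEGED_MIN:
        raise ValueError(f"server data port {server_ep.port} is not unprivileged")
    return DataConnection("passive", "client", Endpoint(client_ip, client_data_port), server_ep)


if __name__ == "__main__":
    # Constructed addresses: client 192.0.2.10, server 198.51.100.5, control port N = 1026.
    n = 1026
    active = active_data_connection("198.51.100.5", "PORT 192,0,2,10,4,3")   # 4*256+3 = 1027 = N+1
    passive = passive_data_connection("192.0.2.10", n + 1,
                                      "227 Entering Passive Mode (198,51,100,5,195,80)")  # 195*256+80 = 50000
    print(active.firewall_note())
    print(passive.firewall_note())
```

The firewall_note output makes the article's later point concrete: in active mode the client has to accept a connection from the server's port 20 to its high port, and in passive mode the server has to accept connections from anywhere to whatever high port P it chose.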
Some problems with passive mode
While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side.
The biggest issue is the need to allow any remote connection to high numbered ports on the server.
The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.
With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.