What is the difference between active and passive FTP

Question

Can someone tell me what is the difference between active and passive FTP  Which one is preferable

User · Accepted Answer

Active and passive are the two modes that FTP can run in.

For background, FTP actually uses two channels between client and server, the command and data channels, which are actually separate TCP connections.

The command channel is for commands and responses while the data channel is for actually transferring files.

This separation of command information and data into separate channels a nifty way of being able to send commands to the server without having to wait for the current data transfer to finish. As per the RFC, this is only mandated for a subset of commands, such as quitting, aborting the current transfer, and getting the status.

In active mode, the client establishes the command channel but the server is responsible for establishing the data channel. This can actually be a problem if, for example, the client machine is protected by firewalls and will not allow unauthorised session requests from external parties.

In passive mode, the client establishes both channels. We already know it establishes the command channel in active mode and it does the same here.

However, it then requests the server (on the command channel) to start listening on a port (at the servers discretion) rather than trying to establish a connection back to the client.

As part of this, the server also returns to the client the port number it has selected to listen on, so that the client knows how to connect to it.

Once the client knows that, it can then successfully create the data channel and continue.

More details are available in the RFC: https://www.ietf.org/rfc/rfc959.txt

User · Answer

Redacted version of my article FTP Connection Modes  Active vs  Passive    FTP connection mode  active or passive   determines how a data connection is established  In both cases  a client creates a TCP control connection to an FTP server command port 21  This is a standard outgoing connection  as with any other file transfer protocol  SFTP  SCP  WebDAV  or any other TCP client application  e g  web browser   So  usually there are no problems when opening the control connection   Where FTP protocol is more complicated comparing to the other file transfer protocols are file transfers  While the other protocols use the same connection for both session control and file  data  transfers  the FTP protocol uses a separate connection for the file transfers and directory listings   In the active mode  the client starts listening on a random port for incoming data connections from the server  the client sends the FTP command PORT to inform the server on which port it is listening   Nowadays  it is typical that the client is behind a firewall  e g  built-in Windows firewall  or NAT router  e g  ADSL modem   unable to accept incoming TCP connections   For this reason the passive mode was introduced and is mostly used nowadays  Using the passive mode is preferable because most of the complex configuration is done only once on the server side  by experienced administrator  rather than individually on a client side  by  possibly  inexperienced users   In the passive mode  the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server  which the client then uses to open a data connection to the server IP address and server port number received   Network Configuration for Passive Mode  With the passive mode  most of the configuration burden is on the server side  The server administrator should setup the server as described below   The firewall and NAT on the FTP server side have to be configured not only to allow route the incoming connections on FTP port 21 but also a range of ports for the incoming data connections  Typically  the FTP server software has a configuration option to setup a range of the ports  the server will use  And the same range has to be opened routed on the firewall NAT    When the FTP server is behind a NAT  it needs to know it s external IP address  so it can provide it to the client in a response to PASV command   Network Configuration for Active Mode  With the active mode  most of the configuration burden is on the client side   The firewall  e g  Windows firewall  and NAT  e g  ADSL modem routing rules  on the client side have to be configured to allow route a range of ports for the incoming data connections  To open the ports in Windows  go to Control Panel   System and Security   Windows Firewall   Advanced Settings   Inbound Rules   New Rule  For routing the ports on the NAT  if any   refer to its documentation   When there s NAT in your network  the FTP client needs to know its external IP address that the WinSCP needs to provide to the FTP server using PORT command  So that the server can correctly connect back to the client to open the data connection  Some FTP clients are capable of autodetecting the external IP address  some have to be manually configured   Smart Firewalls NATs  Some firewalls NATs try to automatically open close data ports by inspecting FTP control connection and or translate the data connection IP addresses in control connection traffic   With such a firewall NAT  the above configuration is not necessary for a plain unencrypted FTP  But this cannot work with FTPS  as the control connection traffic is encrypted and the firewall NAT cannot inspect nor modify it

User · Answer

I recently run into this question in my work place so I think I should say something more here  I will use image to explain how the FTP works as an additional source for previous answer   Active mode       Passive mode      In an active mode configuration  the server will attempt to connect to a random client-side port  So chances are  that port wouldn t be one of those predefined ports  As a result  an attempt to connect to it will be blocked by the firewall and no connection will be established      A passive configuration will not have this problem since the client will be the one initiating the connection  Of course  it s possible for the server side to have a firewall too  However  since the server is expected to receive a greater number of connection requests compared to a client  then it would be but logical for the server admin to adapt to the situation and open up a selection of ports to satisfy passive mode configurations   So it would be best for you to configure server to support passive mode FTP  However  passive mode would make your system vulnerable to attacks because clients are supposed to connect to random server ports  Thus  to support this mode  not only should your server have to have multiple ports available  your firewall should also allow connections to all those ports to pass through   To mitigate the risks  a good solution would be to specify a range of ports on your server and then to allow only that range of ports on your firewall   For more information  please read the official document

User · Answer

Active mode   -server initiates the connection   Passive mode   -client initiates the connection

User · Answer

Active Mode   The client issues a PORT command to the server signaling that it will    actively    provide an IP and port number to open the Data Connection back to the client   Passive Mode   The client issues a PASV command to indicate that it will wait    passively    for the server to supply an IP and port number  after which the client will create a Data Connection to the server   There are lots of good answers above  but this blog post includes some helpful graphics and gives a pretty solid explanation  https   titanftp com 2018 08 23 what-is-the-difference-between-active-and-passive-ftp

[networking] What is the difference between active and passive FTP?

Examples related to networking

Examples related to ftp