What is the Difference Between Active and Passive FTP?

Categories: SFTP

Active and passive modes can be a difficult idea to understand. In some ways it seems counterintuitive. The simplest explanation is that active and passive are the two modes that FTP can run in.

An FTP server can be placed in two different default modes by an administrator: Active or Passive. Active mode was originally the only method of FTP, and is therefore often the default mode for FTP. When a client and server intend to transfer data, they usually start a Control Connection first in order to negotiate the details of the Data Connection prior to opening it and transferring data. In an active mode connection, when the client makes the initial connection and sends PORT, the server initiates the second connection back.

In a passive connection, the client connects and sends the PASV command, which functions as a request for a port number to connect to. Once the client receives a port, it starts the second connection and sends data. This works in tandem with a firewall configured to employ port forwarding for added security. Data will get forwarded from the firewall’s port to the server’s port to keep outside clients from accessing the server directly.

The IP address used for the original Control Connection must be combined with an unused port—usually a port numbered higher than 1024 and lower than 65535. Ports below 1024, other than port 20, are reserved for other system services.

During the address/port negotiation phase, the client should issue either the PORT command (when initiating Active Mode) or the PASV command (when initiating Passive Mode).

Active Mode—The client issues a PORT command to the server signaling that it will “actively” provide an IP and port number to open the Data Connection back to the client.

Passive Mode—The client issues a PASV command to indicate that it will wait “passively” for the server to supply an IP and port number, after which the client will create a Data Connection to the server.

If the client fails to issue a PASV command, the Data Connection defaults to port 20. However, FTP clients shouldn’t rely on the default values, as this is unsecure. The administrator in charge of the firewall should always require PASV connections.

Once the IP address and port number have been selected, the party that chose the IP address and port will begin to listen on the address/port specified and wait for the other party to connect. When the other party connects to the listening party, the data transfer begins. After the data has been transferred, the party that has sent the data will close the Data Connection, signaling end-of-file (EOF).

Related Blog Posts


No registration required