WinBatch Tech Support Home

Database Search

If you can't find the information using the categories below, post a question over in our WinBatch Tech Support Forum.



Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

Active vs Passive FTP Connections

Active Vs. Passive FTP Connections
There are two common modes for FTP connections: Active and Passive.

Active-mode FTP Connections
Referred to as "client-managed" because the client sends a PORT command to the server (over the control connection) that requests the server to establish a data connection from TCP Port 20 on the server, to the client, using the TCP port that is specified by the PORT command.

Passive-mode FTP Connections
Referred to as "server-managed", because after the client issues a PASV command, the server responds to that PASV instruction with one of its ephemeral ports that will be used as the server-side port of the data connection. After a data connection command is issued by the client, the server connects to the client using the port immediately above the client-side port of the control connection.

NOTE: The most common problem encountered when you use FTP over the Internet results when you attempt transfers through a Network Boundary Securing Device (NBSD) such as a proxy, firewall, or Network Address Translation (NAT) device. In most cases the NBSD allows the control connection to be established over TCP 21 (that is, the user can successfully log on to the FTP server), but when the user attempts a data transfer such as DIR, LS, GET, or PUT, the FTP client appears to stop responding because the NBSD is blocking the data connection port that is specified by the client. If the NBSD supports logging, you can verify port blocking by reviewing the deny/reject logs on the NBSD.

A quick summary of the pros and cons of active vs. passive FTP is also in order:
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously.

Article ID:   W17375
File Created: 2017:07:28:12:58:44
Last Updated: 2012:09:13:08:19:10