FTP: Understanding Active vs. Passive
Please note: This post originally appeared on Extol.com (EXTOL has been acquired by Cleo).
The File Transfer Protocol (FTP), although an older technology, is still very popular and is used routinely by IT departments and businesses worldwide. Even so, many users of FTP do not fully understand the difference between two of its basic configuration options: Active mode and Passive mode.
FTP uses two communication paths (also known as “channels”) to transfer files from one location to another. The first is the control channel, used to send FTP commands and replies between the client and server; the client normally makes this connection to port 21 on the server. The other is the data channel, used to carry the raw contents of the files (and directory listings) being transferred. Which server port is used for this channel depends on the communication mode in effect, Active or Passive. The default in the FTP specification is Active mode; even so, most clients ask you to choose Active or Passive when you configure a connection. By selecting a mode you are specifying how the client and server negotiate which ports to use when establishing the data channel.
In Active mode, the client sends the server a PORT command on the control channel containing the address and port (on the client) that the server should connect to. The server then establishes the data channel by connecting to that port (by default from port 20 on the server). In contrast, in Passive mode the client sends a PASV command and the server replies with an address and port (on the server) that the client should connect to; the client then establishes the data channel by connecting to that port. An easy way to remember which mode is which is to associate the mode with how the server behaves: in Active mode the server actively makes the data channel connection to the client, while in Passive mode the server waits passively for the client to connect to it.
Now that you know the difference, you might wonder why two modes are needed at all. The problem arises once firewalls enter the picture. In Active mode the server connects to the client, and although the client's FTP program knows which port the server is about to connect to (the client chose it and told the server), the client's firewall knows nothing about it. All it sees is a new inbound connection to a machine it is protecting, on a high-numbered port it has no rule for, so it blocks it. Passive mode remedies this (as far as the client is concerned) by making the client the one that connects, to a port the server specifies. Now, however, the server's firewall may block the connection for exactly the same reason.
In either case, one of the firewalls would need to allow inbound connections on a wide range of ports, which, as you can imagine, is not a popular idea with security admins. Fortunately there are ways around this, such as FTP proxies or application-aware (“smart”) firewalls that inspect FTP control-channel packets, pick out the PORT command or the PASV reply, and dynamically open just the specified port for the expected data connection. This becomes complicated, however, when a secured version of FTP such as FTPS (FTP over TLS) is used: the control channel is now encrypted, so the firewall can no longer read the port negotiation. That is a discussion for another day.
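The port negotiation described above, and the inspection an FTP-aware firewall performs on it to decide which single data connection to allow, as an added example that is not part of the original post. The PORT argument and 227 reply formats are those of RFC 959; the session transcript, the addresses (192.0.2.10 and 203.0.113.5) and the function names are constructed for illustration. One check is included that the post does not discuss: each advertised address is compared with the control-connection peer, which on the server side rejects a PORT that names a third party (the classic FTP bounce) and on the client side rejects a 227 that redirects the data connection elsewhere.

```python
"""Added example: how the FTP data channel is negotiated on the control
channel (PORT for Active, PASV/227 for Passive) and what a stateful
firewall has to learn from that exchange.  Address formats follow RFC 959;
the traffic below is constructed for illustration, not a real capture.
"""
import re
from ipaddress import IPv4Address

# h1,h2,h3,h4,p1,p2: four IPv4 octets, then the port as two bytes (p1*256 + p2)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def port_argument(host: str, port: int) -> str:
    """Active mode, client side: encode the socket the client is listening on
    as the argument of a PORT command."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(IPv4Address(host)).replace(".", ",")
    return f"{octets},{port // 256},{port % 256}"


def parse_hostport(text: str) -> tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 from a PORT argument or from a 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no address tuple in {text!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"byte out of range in {text!r}")
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(map(str, n[:4])), port


def expected_data_connections(control_lines, client_ip, server_ip):
    """Walk a control-channel transcript of (side, line) pairs and return the
    data connections a stateful firewall would have to permit, as
    (mode, from_ip, to_ip, to_port) tuples.

    Active: PORT names a client address the server will connect to.
    Passive: the 227 reply names a server address the client will connect to.
    Each advertised address must match the control-connection peer; anything
    else is refused (FTP bounce on the server side, a redirected data
    connection on the client side).
    """
    pinholes = []
    for side, line in control_lines:
        if side == "C" and line.upper().startswith("PORT "):
            ip, port = parse_hostport(line[5:])
            if ip != client_ip:
                raise ValueError(f"PORT points at {ip}, not the client {client_ip}")
            pinholes.append(("active", server_ip, ip, port))
        elif side == "S" and line.startswith("227"):
            ip, port = parse_hostport(line)
            if ip != server_ip:
                raise ValueError(f"227 points at {ip}, not the server {server_ip}")
            pinholes.append(("passive", client_ip, ip, port))
    return pinholes


# Constructed transcript: client 192.0.2.10 talking to server 203.0.113.5:21.
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.org"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,4,1"),                              # client listens on 4*256+1 = 1025
    ("S", "200 PORT command successful. Consider using PASV."),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,195,80)."),   # server listens on 195*256+80 = 50000
    ("C", "RETR report.pdf"),
    ("S", "150 Opening BINARY mode data connection for report.pdf."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

if __name__ == "__main__":
    for mode, src, dst, port in expected_data_connections(SAMPLE_SESSION, "192.0.2.10", "203.0.113.5"):
        print(f"{mode:8s} allow {src} -> {dst}:{port}")
```

Running the block prints one line per negotiated data connection: the Active transfer needs the client's firewall to admit 203.0.113.5 connecting to 192.0.2.10:1025, and the Passive transfer needs the server's firewall to admit 192.0.2.10 connecting to 203.0.113.5:50000. Each rule is specific to one negotiated port, which is what lets an FTP-aware firewall avoid leaving a whole port range open; it also shows why the approach fails once the control channel is encrypted, since these lines are exactly what the firewall has to read.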