FTP: Active vs Passive Mode
I know the basics of how FTP works, but only this week I made sure I actually fully understand how the different modes of FTP work. Let’s talk about them briefly.
Control and data connections
You might know that FTP runs on port 21. That is mostly true, but only for one part of the connection: the control port. This is where you issue commands, like
The data generated by these commands, however, is always sent on a separate port, the data port. The original idea behind this was to make sure it is possible to not just send data from a server to a client or vice-versa, but also allow server-to-server data transfer.
Here’s what the spec says:
It should be noted that the data port need not be in the same host that initiates the FTP commands via the control connection, but the user or the user-FTP process must ensure a "listen" on the specified data port. It ought to also be noted that the data connection may be used for simultaneous sending and receiving. In another situation a user might wish to transfer files between two hosts, neither of which is a local host. The user sets up control connections to the two servers and then arranges for a data connection between them. In this manner, control information is passed to the user-PI but data is transferred between the server data transfer processes. Following is a model of this server-server interaction. Control ------------ Control ---------->| User-FTP |<----------- | | User-PI | | | | "C" | | V ------------ V -------------- -------------- | Server-FTP | Data Connection | Server-FTP | | "A" |<---------------------->| "B" | -------------- Port (A) Port (B) -------------- Figure 2
In reality, most FTP servers nowadays will only allow you to open data connections from the same IP address as the control connection, to prevent security issues.
The OG. This was originally the only mode supported by FTP, in the specification written in 1985 (in a way we currently recognise it - the original version of FTP goes back a decade further!).
This mode put the onus for opening the data on the client. A client tells the FTP server, through the
PORT command, what port it should connect to.
The client opens up a random port to listen for or send data. The server usually connects to this port from its own port
20. Once the data transfer is completed, the port is closed.
The fact that the FTP server opens a connection with a client’s port became a problem when firewalls and other network security mechanisms were introduced.
Passive mode was introduced as a way to solve this. Instead of the client opening a port and listening for data, instead the server opens a random port and tells the client about the address to connect to. The client can initiate this by issuing the
PASV command, which the server will respond to with a hostname and IP address.
The client opens a connection with this second server port and carries on with the data transfer as usual.
Some more reading: