FTP: Active vs Passive Mode

I know the basics of how FTP works, but only this week I made sure I actually fully understand how the different modes of FTP work. Let's talk about them briefly.

Control and data connections

You might know that FTP runs on port 21. That is mostly true, but only for one part of the connection: the control port. This is where you issue commands, like LIST.

The data generated by these commands, however, is always sent on a separate port, the data port. The original idea behind this was to make sure it is possible to not just send data from a server to a client or vice-versa, but also allow server-to-server data transfer.

Here's what the spec says:

It should be noted that the data port need not be in the same host
that initiates the FTP commands via the control connection, but the
user or the user-FTP process must ensure a "listen" on the specified
data port. It ought to also be noted that the data connection may be
used for simultaneous sending and receiving.

In another situation a user might wish to transfer files between
two hosts, neither of which is a local host. The user sets up
control connections to the two servers and then arranges for a
data connection between them. In this manner, control information
is passed to the user-PI but data is transferred between the
server data transfer processes. Following is a model of this
server-server interaction.

            Control     ------------   Control
            ---------->| User-FTP |<-----------
            |          | User-PI  |           |
            |          |   "C"    |           |
            V          ------------           V
    --------------                        --------------
    | Server-FTP |   Data Connection      | Server-FTP |
    |    "A"     |<---------------------->|    "B"     |
    -------------- Port (A)      Port (B) --------------

                         Figure 2

In reality, most FTP servers nowadays will only allow you to open data connections from the same IP address as the control connection, to prevent security issues.

Active mode

The OG. This was originally the only mode supported by FTP, in the specification written in 1985 (in a way we currently recognise it - the original version of FTP goes back a decade further!).

This mode put the onus for opening the data on the client. A client tells the FTP server, through the PORT command, what port it should connect to.

The client opens up a random port to listen for or send data. The server usually connects to this port from its own port 20. Once the data transfer is completed, the port is closed.

Active mode

Passive mode

The fact that the FTP server opens a connection with a client's port became a problem when firewalls and other network security mechanisms were introduced.

Passive mode was introduced as a way to solve this. Instead of the client opening a port and listening for data, instead the server opens a random port and tells the client about the address to connect to. The client can initiate this by issuing the PASV command, which the server will respond to with a hostname and IP address.

The client opens a connection with this second server port and carries on with the data transfer as usual.

Passive mode


Some more reading: