Active vs. Passive FTP

When connecting to an FTP server through a firewall or NAT device you will often need to use Passive Mode FTP. This is because stateful firewalls will only allow a packet through on a port to an IP address if it has recorded that the IP address in question sent out a corresponding request. This is fine with most connections since each incoming connection has a corresponding respective outgoing connection on the same port.

But, FTP runs on two ports on the server, 20 & 21. Port 21 is the Control connection. It is the port that the FTP commands are sent to and remains opens throughout the FTP session. Port 20 is the Data transfer connection. Remember; these are server side port numbers only! The port numbers on the client are dynamically assigned throughout the FTP session.

Active mode (PORT)

In Active mode, the FTP client chooses the port number that it will use to transfer data on and tells the server which client-side port to send the data to. It issues the PORT command to let the server know what IP address and Port number it will be listening on to receive the data from the server.

PORT 192,168,1,254,4,15

The server then initiates the data transfer to the client, sending the data to the port number that it was told to by the client.

Since the Server has initiated the connection, a stateful firewall will not allow the data to be sent back though. (No client has created the connection and so no respective connection exists...)

Passive mode (PASV)

If you switch to passive mode (and you still have debug switched on) you will see:

        227 Entering Passive Mode (192,168,1,254,32,170). 

This time, the FTP server chooses the client-side port number that will be used to transfer the data and sends it to the FTP client to use. The client then initiates the data transfer from the server on the port that the server has instructed.

Since the Client has initiated the connection on port 20, the stateful firewall will allow the data to be sent back though

This can be confusing as it sounds backwards. The server chooses the port so why does the firewall let the data through? Remember; the server chooses the port but then tells the client to use that port. The client then initiates the connection on that port which is why the firewall lets the reply back through.

Explaining the six octets of PASV and PORT.

The first 4 octets are the IP address, the last two are the port number. To find out what the port number is, you have to translate each number into HEX, combine the results, and convert back to decimal.

        Example 1:

        4 = 4
        14 = E
        040E = 1038

        192,168,1,254,4,15 is
        Example 2:

        32 = 20
        170 = AA
        20AA = 8632

        192,168,1,254,4,15 is

Find me on...

Support Wikipedia.
Support Wikipedia