Active Versus Passive Ftp

Sometimes when you try to connect to an FTP server using various types of FTP clients, some of these clients will work, while others won't.
In order to understand why, you need to know a little bit more about the internal workings of the FTP protocol.

The FTP handshake can work in two very different manners:
1. active mode
2. passive mode

A fairly technical explanation can be found here:
http://slacksite.com/other/ftp.html

Basically, the difference is that in active mode, both the server as well as the client will be required to open up ports to listen for incoming traffic.
This will cause problems if you are behind a firewall / NAT router. The most visible symptom is that your FTP client will cause the bult-in Windows XP SP2 firewall to pop up a dilog box informing you that the client is trying to open an inbound connection and asking you whether you want to unblock or keep blocking.

Some of the smarter FTP clients have a checkmark option or command line switch to enable passive mode for all FTP transfers.
In passive mode, only the server is required to open up ports for incoming traffic.
All browsers are by default configured to work in passive mode when used as FTP clients.
If you are behind a firewall / NAT router, passive mode gives you a better chance of connecting to an external FTP server.

 

 

 

Comment/Reply (w/o sign-up)

I always use passive mode with any FTP settings that I configure. Active mode is slower (if it actually works).
Could you explain some advantages of using active mode with FTP? Seems unnecessary to do so, but I may be wrong.

Comment/Reply (w/o sign-up)

Given that most of your users are behind firewalls, and the major platform vendors are switching to a more secure default setup with a hardened firewall, I would always configure an FTPd to support passive mode.

Comment/Reply (w/o sign-up)

As I understand it, some servers require the client to be in active mode - rendering it not entirely a client side choice.
Never bothered to understand the difference, just switched to active when this was necessary. Thanks for clearing that up.

People who have troubles with ports on their NAT/router should visit http://www.portforward.com for an easy introduction on port forwarding and a guide for almost each router model.

Comment/Reply (w/o sign-up)

Active mode is the legacy way of doing things. It is the way the FTP protocol was designed to work way back when the Internet was a small, friendly community of scientists, students, etc. Nobody called it active mode in those days because there was nothing to compare and contrast it with.
Passive mode was designed later as an alternative, when hackers became a real and constant threat.

The only advantage of active mode that I can think of is backwards compatibility.
For example, if a large corporation runs a big old mainframe with an FTP server that doesn't do passive mode and only needs to be available to FTP clients on the intranet.

I recently installed the FileZilla FTP server on my PC and, in order to get it to work, I not only had to forward the ports / port ranges for the control and data connections in order to get it to work in passive mode, but I also had to make my PC the default DMZ server in the router configuration, which now could make my PC somewhat more vulnerable, if I'm not careful.

So that would be another advantage of active mode - less vulnerability on the server side.

 

 

 

Comment/Reply (w/o sign-up)

I need a script to set the "enable passive ftp" setting in internet explorer to enable. I am NOT a software person so while it might be easy to layout , to me it is GREEK :)

The default in IE7 is to NOT enable it and this is creating a problem for me to "explain" to people who are even worse off than I on how to simply go in and put a "check" in that box.

Thanks

Comment/Reply (w/o sign-up)

Active vs. Passive
Active Versus Passive Ftp

Active - your client connects to FTP server on port 21. When you request data, it responds by it (FTP Server)connecting TO YOUR CLIENT on port 20.



Passive - your client connects on port 21. It issues the PASV command and the FTP server says "for data, connect to this IP Address on this port". Your client connects on the indicated IP/port. (that data port >1023)



So, if you are behind a not-too-bright firewall/router or a very secure one, active will not work. The FTP server tries to connect back to you; the firewall sees a random request to connect on port 20 and either has no idea what to do with it, or deliberately blocks it.



In Passive mode, you connect for the control (port21) and then you are told which port for the data (let's say, port 5000). You connect (I.E. Port 5000) and the FTP server's firewall knows to forward new connections on the passive FTP ports (let's say, 5000 - 5100) to the FTP Server. All the connections come from you TO the server. The only possible problem - your own ultra-secure firewall may not allow outgoing connections on port 5000-5100(or whatever). Then, you're toast. Against stupidity and paranoia the gods themselves labour in vain.



Because of the predominance of firewalls today, IE7 defaults to "use passive FTP" ("Tools - Internet Options - Advanced"). I think Firefox only allows Passive now? Does anyone know? Some FTP clients allow "if one fails, try the other". The DOS box FTP in Windows does NOT do passive.



One more gotcha - in IIS7, you can program the FTP site's IP address and port range for passive FTP - the address returned in response to the client's PASV command. Obviously, you would program the firewall IP (external address) of your network, so outside clients can ftp to your server. Therefore, passive ftp will not work from inside your network, because your FTP server will respond with the firewall IP instead of its internal IP (odds are your firewall won't allow internal-to-internal bounce).



And a last gotcha - on an older Sonicwall firewall, I found the response to the PASV command was being blocked as an FTP bounce attack, since the response contained the firewall's external address, not the FTP's internal address. The firewall automatically blocked a response that contained an IP address that did not match the source address (the FTP server's internal address). I had to go into the Sonicwall hidden advanced menu (diag.Html) and uncheck the option to protect against ftp bounce attacks.

Comment/Reply (w/o sign-up)

security confliction between active and passsive FTP
Active Versus Passive Ftp

As in active 20 and 21 port of server get use, which are default so everyone knows it .So hackers can hit over these ports---------this is drawback inactive mode

Now in passive port 20 and a big range of ports ( for data connectiopn) use to get open. So more than 2 ports here. This may increase the hacking hits as we are opening more doors over the server-- this is drawback in passive mode...? So how we can conclude which one is providing better security..?

-reply by ashish

 

Comment/Reply (w/o sign-up)