What is the difference between passive and active transfers?
Posted by Van Glass on 27 May 2007 04:03 PM
To explain the difference between passive and active transfers it is necessary to cover some of the details of how the FTP protocol works. FTP uses two separate TCP connections for communication. These are known as the command channel (also called the control connection) and the data channel.
The command channel is responsible for accepting commands from an FTP client and typically runs on port 21 for standard FTP and for encrypted FTP using explicit SSL, or port 990 for encrypted implicit SSL connections. The command channel is also responsible for sending replies back to the FTP client in response to client commands. An example of a command sent by an FTP client might be "PWD", asking the server for the current remote directory. The server responds with a three-digit reply code followed by the current remote directory, such as 257 "/home/users/jsmith".
The data channel is used for transferring files and for performing directory listings. Unlike the command channel, the data channel does not run on a single persistent port. Instead, whenever a file transfer or directory listing is performed a new (typically random) port is opened for sending the data, either by the client or by the server, and the transfer is performed over that connection. Once the transfer is complete the port is closed. The port on which the data channel runs, and whether the client or the server is responsible for listening on it, depends on the data transfer mode used. There are two data transfer modes available in FTP, known as passive and active (a.k.a. non-passive). Which side listens is what matters for firewalls and NAT: the listening side must accept an inbound connection from the other side on a port that was not in use a moment earlier. These data transfer modes should not be confused with "binary" and "ASCII", which relate to the format in which data is transferred and not to how the data connection is set up.
Passive Mode
In passive mode the server is responsible for opening the listening port and telling the client what server-side listening IP/port to connect to in order to perform the transfer. To start a passive transfer the client sends the "PASV" command. The server then responds with a reply of the form "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where h1 to h4 are the octets of the server's IP address and the port number is p1*256+p2. The client connects to that address and port and the transfer is performed. Once the transfer is complete the port is closed by the server. In passive mode the client only ever makes outbound connections, which is why it works through most client-side firewalls and NAT devices.
Active (Non-Passive) Mode
In active mode the client is responsible for opening the listening port and telling the server what client-side listening IP/port to connect to in order to perform the transfer. To start an active transfer the client sends the "PORT" command with an argument of the form h1,h2,h3,h4,p1,p2, where h1 to h4 are the octets of the client's IP address and the port number is p1*256+p2. The server then opens a connection from its side (by default from port 20) to that address and port and the transfer is performed. Once the transfer is complete the port is closed by the client. Because the server initiates this connection, the client's firewall or NAT device must accept an inbound connection to a port it has never seen before, which is the usual reason active transfers fail for clients behind NAT unless the device inspects and rewrites the PORT command.
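Both modes carry the data-connection endpoint in the same six-number form, and each side has a check it should make on what the other side sends. The following Python is an added example, not code from the original article or from any particular FTP product: it encodes and decodes the h1,h2,h3,h4,p1,p2 form, applies the client-side rule for a 227 reply (take only the port from the reply and connect to the address the control connection already talks to, which is what curl's --ftp-skip-pasv-ip option does), and applies the server-side rule for a PORT command from RFC 2577 (refuse any address other than the client's own and any port below 1024, the defence against the FTP bounce attack). The function names and the sample addresses are my own.

```python
from __future__ import annotations

import re

# The six-number form shared by the PORT command and the 227 reply to PASV:
# h1,h2,h3,h4 are the IPv4 octets and p1,p2 encode the port as p1*256 + p2.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 argument used by PORT (and by 227 replies)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_hostport(text: str) -> tuple[str, int]:
    """Extract (ip, port) from a PORT argument or from a reply such as
    '227 Entering Passive Mode (192,168,1,10,195,89)'."""
    match = HOSTPORT_RE.search(text)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in {text!r}")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError(f"port 0 is not usable: {text!r}")
    return ".".join(str(n) for n in nums[:4]), port


def pasv_target(reply: str, control_peer_ip: str,
                trust_advertised_ip: bool = False) -> tuple[str, int]:
    """Client side: decide where to open the data connection after PASV.

    The server (or anyone able to rewrite the reply in transit) can put any
    address in the 227 reply.  Unless the caller explicitly opts in, take only
    the port from the reply and connect to the address the control connection
    already talks to; this is the behaviour of curl's --ftp-skip-pasv-ip."""
    if not reply.startswith("227"):
        raise ValueError(f"PASV refused: {reply.strip()!r}")
    ip, port = decode_hostport(reply)
    if ip != control_peer_ip and not trust_advertised_ip:
        return control_peer_ip, port
    return ip, port


def port_command_allowed(args: str, control_peer_ip: str) -> tuple[bool, str]:
    """Server side: validate a PORT argument before connecting to it.

    Refusing any address other than the client's own and any port below 1024
    is the defence RFC 2577 gives against the FTP bounce attack, in which a
    client asks the server to open a data connection to a third host."""
    try:
        ip, port = decode_hostport(args)
    except ValueError as exc:
        return False, f"501 {exc}"
    if ip != control_peer_ip:
        return False, "500 Illegal PORT command (address does not match control connection)"
    if port < 1024:
        return False, "500 Illegal PORT command (privileged port)"
    return True, "200 PORT command successful"
```

The client-side rule is the one to remember when a passive transfer "hangs": a server behind NAT that has not been told its public address advertises a private one in the 227 reply, and a client that trusts the reply connects to the wrong host. Recent versions of Python's ftplib default to the same control-peer rule. On the server side, a PORT check is not optional: without it any client can use the server to probe or relay to hosts the server can reach but the client cannot.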
Which one should I use?
This depends largely on the FTP server's capabilities and configuration. From the client perspective the first question you need to ask yourself is "Does the server support passive connections?". There are some FTP servers, especially those running on older mainframe systems, that do not support passive connections. It is also possible that the server supports passive connections but has the feature disabled. This is usually because passive mode requires the server-side firewall to accept inbound connections on the range of ports the server hands out in its PASV replies, and an aggressive firewall policy that does not open that range makes passive transfers fail. Naturally, if the server does not support or allow passive connections then you will be forced to use active mode. The easiest way to test whether a server supports passive mode is to connect using passive mode and perform a directory listing to see what happens. If you get back a directory listing without error then the server supports passive mode. If instead you get an error like "500 PASV command not supported" or "500 PASV command disabled" then you will need to use an active connection.
In general you should default to a passive connection whenever possible. It is much more firewall-friendly to clients than active mode, because in active mode the server must open a connection inbound to the client, and most Internet users today are behind firewalls or NAT devices that will not allow that unless they inspect the FTP command channel.
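The test described above (connect in passive mode and ask for a directory listing) as an added, runnable Python example that is not part of the original article: the script contains a constructed loopback FTP server that speaks just enough of the protocol to answer PASV, LIST and QUIT and can be told to refuse PASV, plus a probe client that reports which case it hit. The greeting, the listing text and the function names are constructed for the example; the reply texts for the refusal follow the article.

```python
import re
import socket
import threading

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample listing that the fake server returns over the data channel.
SAMPLE_LISTING = "-rw-r--r--   1 jsmith   users    42 May 27  2007 notes.txt\r\n"


def recv_line(reader):
    """Read one CRLF-terminated control-channel line without the line ending."""
    line = reader.readline()
    if not line:
        raise ConnectionError("control connection closed")
    return line.decode("ascii", "replace").rstrip("\r\n")


def fake_ftp_server(listener, allow_pasv):
    """Minimal one-client FTP server for loopback tests: PASV, LIST and QUIT only."""
    conn, _ = listener.accept()
    data_listener = None
    with conn, conn.makefile("rb") as reader:
        conn.sendall(b"220 fake server ready\r\n")
        while True:
            try:
                verb = recv_line(reader).split(" ", 1)[0].upper()
            except ConnectionError:
                break
            if verb == "PASV" and not allow_pasv:
                conn.sendall(b"500 PASV command not supported\r\n")
            elif verb == "PASV":
                # Open a fresh ephemeral listening port and advertise it in the 227 reply.
                data_listener = socket.socket()
                data_listener.bind(("127.0.0.1", 0))
                data_listener.listen(1)
                ip, port = data_listener.getsockname()
                arg = ",".join(ip.split(".") + [str(port // 256), str(port % 256)])
                conn.sendall(f"227 Entering Passive Mode ({arg})\r\n".encode())
            elif verb == "LIST" and data_listener is None:
                conn.sendall(b"425 Use PASV first\r\n")
            elif verb == "LIST":
                conn.sendall(b"150 Here comes the directory listing\r\n")
                data_conn, _ = data_listener.accept()
                with data_conn:  # closing the data socket marks the end of the listing
                    data_conn.sendall(SAMPLE_LISTING.encode())
                data_listener.close()
                data_listener = None
                conn.sendall(b"226 Directory send OK\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def probe_passive(host, port, timeout=5.0):
    """Connect, try PASV then LIST, and return (True, listing) or (False, reply)."""
    with socket.create_connection((host, port), timeout=timeout) as ctrl, \
            ctrl.makefile("rb") as reader:
        recv_line(reader)  # 220 greeting
        ctrl.sendall(b"PASV\r\n")
        reply = recv_line(reader)
        if not reply.startswith("227"):
            ctrl.sendall(b"QUIT\r\n")
            recv_line(reader)
            return False, reply
        nums = [int(x) for x in HOSTPORT_RE.search(reply).groups()]
        data_port = nums[4] * 256 + nums[5]
        # Ignore the advertised address on purpose and reuse the control peer's.
        peer_ip = ctrl.getpeername()[0]
        with socket.create_connection((peer_ip, data_port), timeout=timeout) as data:
            ctrl.sendall(b"LIST\r\n")
            reply = recv_line(reader)
            chunks = []
            if reply.startswith("150"):
                while chunk := data.recv(4096):
                    chunks.append(chunk)
                reply = recv_line(reader)  # 226 once the server closes the data socket
        ctrl.sendall(b"QUIT\r\n")
        recv_line(reader)
        if not reply.startswith("226"):
            return False, reply
        return True, b"".join(chunks).decode("ascii", "replace")


def run_probe(allow_pasv):
    """Start the fake server on a loopback port, probe it, and return the result."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=fake_ftp_server, args=(listener, allow_pasv), daemon=True)
    server.start()
    try:
        return probe_passive(*listener.getsockname())
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    print(run_probe(allow_pasv=True))   # (True, SAMPLE_LISTING)
    print(run_probe(allow_pasv=False))  # (False, '500 PASV command not supported')
```

Against a real server you would call probe_passive with the server's address and log in first; the fake server here skips USER/PASS so the exchange stays short. The two outcomes the article describes are exactly the two return values: a listing when PASV works, and the server's 500 reply when it does not.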
From the perspective of an FTP server administrator you should make it as easy as possible for your clients to connect. This means enabling passive mode on your server so that clients behind a firewall or a router that uses NAT can connect easily. In practice that means three things: configure a fixed range of passive data ports rather than leaving the choice to the operating system, permit inbound connections to that range (and to the command port) on the server-side firewall, and, if the server itself sits behind NAT, configure it to advertise its public address in the PASV reply, otherwise clients will be told to connect to a private address they cannot reach.