FTP active or passive - which one to use?

This depends largely on the FTP server capabilities and configuration.
Does the server support passive connections?
From the client's perspective, the first question to ask is whether the server supports passive connections. Some FTP servers, especially those running on older mainframe systems, do not support passive connections.
Is passive mode enabled on the server side?
It's also possible that the server supports passive connections but has the feature disabled. This is usually due to an aggressive firewall policy on the server side that disallows passive connections. Naturally, if the server doesn't support or allow passive connections, you will be forced to use active mode.
How to check if the server allows passive connections?
The easiest way to test whether a server supports passive mode is to simply connect using passive mode and perform a directory listing to see what happens. If you get back a directory listing without error, then the server supports passive mode. If, however, you get an error like "500 PASV command not supported" or "500 PASV command disabled", then you will need to use an active connection.
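The check described above can be scripted with Python's standard ftplib. This is an added example, not code from the original article; probe_passive, choose_mode and StubFTP are hypothetical names, and StubFTP is a constructed stand-in for a real server so the script runs offline.

```python
import ftplib

def probe_passive(ftp):
    """Try a passive-mode LIST on a logged-in ftplib.FTP-like object.

    Returns (usable, reason). usable is False when the server answers with
    a 4xx/5xx reply or the passive data connection cannot be opened.
    """
    ftp.set_pasv(True)
    try:
        ftp.retrlines("LIST", lambda _line: None)  # listing content is not needed
        return True, "passive LIST succeeded"
    except (ftplib.error_perm, ftplib.error_temp) as exc:
        # e.g. "500 PASV command not supported" / "500 PASV command disabled".
        # Simplification: a LIST denied for other reasons also lands here.
        return False, f"server refused: {exc}"
    except OSError as exc:
        # Timeout or refused data port, typically a firewall on the path.
        return False, f"data connection failed: {exc}"

def choose_mode(ftp):
    """Default to passive; switch to active only when the probe fails."""
    usable, reason = probe_passive(ftp)
    if not usable:
        ftp.set_pasv(False)
    return ("passive" if usable else "active"), reason

class StubFTP:
    """Constructed stand-in for ftplib.FTP so the example runs offline."""
    def __init__(self, pasv_error=None):
        self.pasv_error, self.passive = pasv_error, None
    def set_pasv(self, flag):
        self.passive = flag
    def retrlines(self, cmd, callback):
        if self.passive and self.pasv_error:
            raise self.pasv_error
        callback("-rw-r--r-- 1 ftp ftp 0 Jan 01 00:00 readme.txt")
        return "226 Transfer complete"

if __name__ == "__main__":
    # Against a real server, pass a logged-in ftplib.FTP(host, timeout=10)
    # instead of the stub.
    for err in (None, ftplib.error_perm("500 PASV command disabled"),
                TimeoutError("timed out")):
        print(choose_mode(StubFTP(err)))
```

The OSError branch covers the case where PASV is accepted but the data port is unreachable, which shows up as a timeout rather than a 500 reply.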
What should the default mode be?
In general you should always default to using a passive connection when possible. It is much more firewall-friendly to clients than active mode given that most Internet users today are behind firewalls using NAT software.
From the perspective of an FTP server administrator, you should make it as easy as possible for your clients to connect. This means enabling passive mode on your server so that clients who are behind a firewall or router that uses NAT software can connect easily.
Which one is beneficial to the FTP server admin?
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side.
Which one is beneficial to the FTP client admin?
Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.