WS_FTP Server - An explanation of PORT and PASV connections

Product: Version: Platform:
WS_FTP Server 5.0x All

Question/Problem: What are the differences between 'port', 'active', and 'passive' modes?  How exactly do they work?  Do I need to open any ports on my firewall or router to make them work?

Answer/Solution: The FTP protocol defines a dual-channel communications system.  That is, one channel (or port) is used for sending command information such as usernames (the USER command), passwords (the PASS command), or 'move to this directory' (the CWD command) instructions, among many other available FTP commands.  This is commonly referred to as the 'command channel'.  Another separate channel is used for sending data between the server and client.  This data is usually a file being transferred or what is known as a 'directory listing'.  The directory listing contains information such as size and last modified dates about the files and folders in the current working directory.

The command channel for most FTP servers is TCP port 21.  This connection is always established inbound to the server, which is outbound from the client's point of view.  That is, the TCP packet originates from an available (but not necessarily always the same) port on the client's computer and is sent to port 21 on the server.  Until the connection between the server and client is broken (because the client sends a QUIT command or the connection times out), all future 'command' information is sent over this connection.

The second channel, known as the 'data channel', can be established outbound from the server or inbound to the server.  These two different directions are referred to as PORT mode (sometimes called 'active' mode) and 'passive' (AKA PASV) mode, respectively.  Whenever data needs to be sent between the server and the client (such as a directory listing or a file to be transferred), the client and the server dynamically negotiate a network connection to send this data.  Once the data is sent, this second network connection is closed.  It is very common for multiple data channel connections to be established within a single FTP session.  Depending on client configuration, the client will either ask the server for a port to connect to by sending the PASV command; or will tell the server to connect to it, by sending the PORT command.  WS_FTP Server supports opening a data channel in either mode, but requires that the ports be properly forwarded to the client (if operating in PORT mode) or properly forwarded to it (if operating in PASV mode).   It is important to note that the FTP client, not WS_FTP Server, determines whether the data channel will attempt to be established in PORT or PASV mode.




PORT - In PORT mode, the FTP client gives WS_FTP Server an IP address and a TCP port to which WS_FTP Server should connect.  In most cases, this address is the IP address of the computer on which the FTP client is installed.  In some cases, the IP address may be the IP of another network appliance that forwards traffic to the client computer, such as a NAT router.   This connection is outbound from the FTP server and inbound to the client computer.  Like the command channel connection, the port opened on the client machine is dynamic (although some FTP client applications allow the user to specify a specific range of ports), however the source port for the outbound connection is always TCP port 20 on the WS_FTP server.  There is no standards requirement which dictates the source port must be 20, but WS_FTP Server is designed to operate this way.  If the FTP client is behind a firewall or router, the TCP port specified in the PORT command must be open and forwarded inbound to the client computer, or the server will not be able to successfully connect.

A PORT command from an FTP client looks similar to the following:

C: PORT 192,168,6,100,60,245

In this example, the client (C:) sends its IP address and port to the server.   192,168,6,100 is a representation of the FTP client's IP address (in this case 192.168.6.100).  60,245 is a mathematical representation of the TCP port to which the client is telling WS_FTP Server to connect (in this case, port 15605).  WS_FTP Server should then attempt to establish an outbound TCP connection from port 20 (a local port on the WS_FTP Server computer) to port 15605 on the client's computer (192.168.6.100).  Once this network connection is established, the requested data will be transferred and then this data channel will be closed.

PASV - In PASV mode, the FTP client requests the server to open a port for it to connect to by sending the PASV command.  WS_FTP Server (by default) will open the first available TCP port between 1024 and 5000.  First available is defined as:  check to see if 1024 is available, if not, then check port 1025.  If 1025 is not available, check 1026.  This process repeats until an available port is located or port 5000 is reached without locating an available port.  If none are available, WS_FTP Server will not be able to open a port to which the client can connect and the attempt to establish a data channel will fail.  Once WS_FTP Server has found an available port to use, it will send its IP address and the available port back to the client.  This return of information is known as the 'passive response'.  If WS_FTP Server is behind a firewall or router, the TCP port specified in the passive response must be open inbound to the computer on which WS_FTP Server is installed, or the client will not be able to successfully connect.  Also, in its default configuration, the IP address WS_FTP Server will return will be the actual IP address of the machine on which WS_FTP Server is installed.  If WS_FTP Server is installed on a machine that is behind a NAT router, the IP address the remote client uses to connect may not be the same as the server's actual IP address.  The IP address and port returned in the passive response must (from the client's point of view) be reachable.  The IP address sent in the passive response as well as the port range WS_FTP Server will attempt to use can be configured.

A passive command and WS_FTP Server's response look similar to the following:

C: PASV
S: 227 Entering Passive Mode (192,168,8,36,8,75).

First, the client (C:) requests a port on the server to connect to by sending the PASV command.  WS_FTP Server (S:) then responds with the IP and port to which the client should connect.  192,168,8,36 is a representation of the WS_FTP Server's IP address (in this case 192.168.8.36).  8,75 is a mathematical representation of the TCP port to which WS_FTP Server is telling the client to connect (in this case, port 2123).  The FTP client should now attempt to establish an outbound TCP connection from an available port (again, no standard exists that requires a specific source port be used for the connection) to port 2123 to the computer on which WS_FTP Server is installed (192.168.8.36).  This outbound connection from the client is seen as an inbound connection from WS_FTP Server's point of view.

In conclusion, if the client is operating in PORT mode, the traffic is outbound from WS_FTP Server and typically, only the inbound ports used by the data channel need to be opened on the client's network.  If the client is operating in PASV mode, inbound ports need to be opened on the server's network.  Again, the client controls which mode will be used, not the server.  An inbound port to the server's command channel (default, port 21) will always need to be open.

See also:
WS_FTP Server 5.0 User's Guide - Using Firewalls with SSL

Document #:   Revision Date:
FS-20051115-DM01   05/16/06

Return To KnowledgeBase Search Page