
Data Port Modes

Introduction

The FTP protocol is designed so that a client connects to the server with a "control session" (the control connection) that is used for issuing commands and receiving replies and error codes from the server. Any data transfer, including directory listings as well as file uploads and downloads, uses a separate "data port connection" that is opened between the client and server for the duration of each transfer and closed when that transfer completes.

The client always initiates the control session by connecting to the FTP server, which is listening on a particular port (21 by default) for new connections.

However the data port connection can be initiated by either the client or the server, depending on whether active mode or passive mode transfers are being used. NAT (Network Address Translation) and firewalls often cause problems with one or both data port modes, because this second connection uses an address and port negotiated inside the control session rather than a single well-known port.

This page has been created to assist you with learning about the difference between these two modes and how you can configure your FTP server and FTP clients to work around NAT and firewall issues.

Passive Mode (Recommended)

In passive mode data transfers, the client initiates each data port connection to the server. The client sends a PASV command asking the server which port it should connect to; the server starts listening on an unused port, replies with its address and that port number, and waits for the client to connect. Because the data connection is outbound from the client's point of view, the client's NAT router and firewall treat it like any other outgoing connection; only the server's passive port range has to be opened on the server-side firewall.

{to be continued...}

Active Mode (Not Recommended)

In active mode data transfers, the server initiates each data port connection to the client. The client therefore has to tell the server (with the PORT command) the IP address and port that the server should connect back to. Problems arise when the client is behind a NAT router or a firewall that blocks the incoming data connection from the server.

WARNING: With active mode the responsibility for configuring firewalls/NAT falls on the client side, which is something most end users will not understand. You should aim to use passive mode FTP instead, which places the configuration burden on the server administrator(s). It is easier for everyone involved.

If behind a NAT router, the client will need to configure their FTP client to advertise their external IP address (the one routable on the internet) rather than the LAN address, so that the server is not told to connect to 192.168.0.2 or another LAN (local area network) IP address that is unreachable from outside.

Some routers inspect FTP control traffic (an FTP "application layer gateway", or ALG) and automatically rewrite internal addresses such as 192.168.0.2 in the PORT command to the external IP address assigned by the ISP (internet service provider). Relying on this is not recommended because it breaks as soon as TLS is used: once the control session is encrypted, the router can no longer read the PORT command to rewrite the address, so the server is told to connect to 192.168.0.2 (or another internal IP address), which it cannot reach. This is why you should use an FTP client that lets you configure the "external IP address" explicitly.
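The following is an added example, not code from the original page or from any particular FTP server or client. It shows at the protocol level what the passive and active mode descriptions above are doing: decoding the server's 227 reply to PASV into a connect target, building the PORT command for active mode, applying the client-side "external IP address" override so that a LAN address is never advertised, and listening on a port within the range a router forwards (the point noted under client-side firewalls below). All addresses, ports and sample replies are constructed for the example; the function names are the example's own.

```python
"""FTP data-port helpers illustrating passive and active mode negotiation.

Added example for this page (not code from the page or from any FTP server).
  * passive mode: parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into
    the address/port the client must connect to;
  * active mode: build "PORT h1,h2,h3,h4,p1,p2" and refuse to advertise a LAN
    (RFC 1918) address unless an external address is configured, which is
    the NAT failure described above.
All addresses, ports and sample replies are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re
import socket

# RFC 1918 ranges: a server on the internet cannot connect back to these.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

PASV_REPLY = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into (ip, port); the port is sent as p1*256 + p2."""
    m = PASV_REPLY.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in reply: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def passive_target(reply: str, control_peer_ip: str) -> tuple[str, int]:
    """Where the client should actually connect for a passive transfer.

    If the address in the 227 reply differs from the address the control
    session is connected to, use the control peer instead (as many clients
    do). That keeps a server behind NAT that advertises its own LAN address
    working, and stops a malicious server steering the data connection to a
    third host.
    """
    advertised_ip, port = parse_pasv_reply(reply)
    if advertised_ip != control_peer_ip:
        return control_peer_ip, port
    return advertised_ip, port


def build_port_command(ip: str, port: int) -> str:
    """Encode ip:port as the PORT command argument h1,h2,h3,h4,p1,p2."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(ip).packed)
    return f"PORT {octets},{port // 256},{port % 256}"


def active_port_command(local_ip: str, port: int, external_ip: str | None = None) -> str:
    """Build the active-mode PORT command, applying the external-IP override.

    local_ip is the client's own interface address. Behind NAT that is a LAN
    address the server cannot reach, so the configured external_ip is
    advertised instead. With no override, fail loudly rather than send the
    server a 192.168.x.x address it will never reach.
    """
    if is_lan_address(local_ip):
        if external_ip is None:
            raise RuntimeError(
                f"{local_ip} is a LAN address; the server could not connect back "
                "to it. Configure the client's external IP or use passive mode."
            )
        return build_port_command(external_ip, port)
    return build_port_command(local_ip, port)


def listen_in_range(low: int, high: int) -> tuple[socket.socket, int]:
    """Open the active-mode listening socket on a port inside the forwarded range.

    The client must listen on the same range the NAT/firewall forwards to it
    and advertise that port in PORT, or the server's connection is dropped.
    """
    for port in range(low, high + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("", port))
            s.listen(1)
            return s, port
        except OSError:
            s.close()
    raise RuntimeError(f"no free port in {low}-{high}")


if __name__ == "__main__":
    # Passive: the server (control peer 203.0.113.20) is itself behind NAT and
    # advertises its LAN address; the client ignores it and uses the control peer.
    print(passive_target("227 Entering Passive Mode (192,168,0,5,195,89)", "203.0.113.20"))
    # Active: client at 192.168.0.2 behind NAT, external address 203.0.113.10,
    # router forwards 50000-50010 to the client.
    sock, port = listen_in_range(50000, 50010)
    try:
        print(active_port_command("192.168.0.2", port, external_ip="203.0.113.10"))
        try:
            active_port_command("192.168.0.2", port)  # no override configured
        except RuntimeError as err:
            print("refused:", err)
    finally:
        sock.close()
```

The override in active_port_command is the client-side equivalent of the router's ALG rewrite, done before the command is sent, so it still works when the control session is protected by TLS. The check in passive_target is the mirror image on the client for passive mode: a server behind NAT that is not configured with its own external address will put a LAN address in the 227 reply, and falling back to the control peer is what keeps such transfers working.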

Any firewalls on the client side will need to either:

  • be configured to place the FTP client within a DMZ (demilitarized zone), so that all inbound connections reach it, or
  • forward inbound connection attempts on a range of ports to the FTP client's IP address (the FTP client then needs to be configured to listen on that same range of ports for incoming data connections and to advertise ports from that range in its PORT commands)

Any firewalls on the server side will need to allow outbound connections from the server's IP address with a source port of 20 (the standard FTP data port and the most commonly used source port for active mode data connections; check your server's configuration, since some servers can be set to use an unprivileged source port instead).