A lot of our customers are confused by PASV FTP. Our system supports both Passive and Active transfers, but what is the difference?
First let’s review how the FTP protocol functions. When you first connect to an FTP server, you are creating a COMMAND channel. This channel is used to send commands and responses between your FTP client and the server. Whenever you initiate a file transfer, that transfer is done using another DATA channel. This data channel is dedicated to the transfer of a specific file, and will close when that transfer completes.
Passive and Active are two methods of opening this second DATA channel. The default (Active) method means that the FTP client will listen for the server to connect to it. This is backwards from the majority of Internet protocols, where the client connects to the server.
Passive mode on the other hand means that the client will connect to the server in order to open the DATA channel. This is frequently how Internet protocols work, where the server accepts a connection from the client, not vice-versa.
Both modes are useful; however, in a lot of circumstances PASV is the only option that will work. The reason is that many clients are behind a firewall that is not configured to allow the server to connect to the client. On the other hand, 99% of the time a client is able to open a connection to a server, so passive will work while active will not.
Another situation where PASV mode is required is when SSL is being used on the COMMAND channel. Even a properly configured firewall at the client side will be confused when SSL is in use. This is because the firewall works by inspecting the FTP COMMAND channel and noticing when an active connection is being requested; it then allows that inbound connection when the server attempts it. When SSL is being used, the COMMAND channel is encrypted and not readable by the firewall, so it cannot inspect the traffic. It has no way of knowing when an active connection will be attempted, and thus it denies it. In this case, PASV will still work, as the client is making an outbound connection to the server, which the firewall will allow.
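As an added example (not code from the original post), here is what the two endpoint exchanges on the COMMAND channel look like, using the RFC 959 formats: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply in passive mode, and the client's "PORT h1,h2,h3,h4,p1,p2" command in active mode. The addresses and ports are constructed sample values; the parsing here is what a firewall's FTP helper has to do on a cleartext channel, and cannot do once the channel is SSL-protected.

```python
import re
import socket

# Field layout shared by the 227 reply and the PORT command (RFC 959):
# four IPv4 octets, then the port split as p1*256 + p2.
_FIELDS_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode_fields(text: str) -> tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port), rejecting out-of-range values."""
    m = _FIELDS_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 fields in: {text!r}")
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError(f"field out of range in: {text!r}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: the server listens; return where the client must dial out to."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    return _decode_fields(reply)


def parse_port_command(command: str) -> tuple[str, int]:
    """Active mode: the client listens; return where the server will connect back to.
    This is the line a client-side firewall must read to permit the inbound connection."""
    if not command.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {command!r}")
    return _decode_fields(command)


def build_port_command(host: str, port: int) -> str:
    """Encode the client's listening endpoint as a PORT command."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def advertise_active_listener(bind_ip: str = "127.0.0.1") -> tuple[socket.socket, str]:
    """Do what an active-mode client does: bind an ephemeral DATA port and build
    the PORT command that tells the server to connect back to it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((bind_ip, 0))
    sock.listen(1)
    ip, port = sock.getsockname()
    return sock, build_port_command(ip, port)


if __name__ == "__main__":
    # Constructed sample reply from a server in passive mode.
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,89)"))
    listener, cmd = advertise_active_listener()
    print(cmd)  # the client-side firewall must see this line to allow the callback
    listener.close()
```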
So what does this mean to you? It means that you should generally use PASV mode to connect to an FTP server: this method will almost always work, while active mode will often fail.