What does "Passive" mean, when connecting to a server


I'm using a client (AnyClient) to connect to an FTP server. There's a checkbox specifying "Passive". I can check this as Yes or No. What does this mean?

contactmatt

Posted 2011-03-08T20:43:36.243


Answers


Passive FTP is a method that assists you when connecting through firewalls or other security appliances. Since non-passive (active) FTP connections require one connection from both ends, there are concerns with allowing connections in and out of the firewall on non-recognizable, higher port numbers that are used by active FTP. The return traffic from the client end will not be recognized upon the second connection, and is usually dropped. With passive FTP, both connections are initiated from the client end.

Most stateful firewalls today will deal with both methods of FTP very well since they are able to detect if packets are related to another connection.

John T

Posted 2011-03-08T20:43:36.243



It's FTP specific.

Active FTP means that the FTP server opens connections to the client for transferring data (downloads). This doesn't usually work too well with firewalls and NAT routers, so you can choose to use passive mode instead, where all connections are initiated by the client.

Daniel Beck

Posted 2011-03-08T20:43:36.243



The FTP protocol has two connections. A command channel, and a data channel. In the original protocol (we'll call this Active FTP), the client will initiate the connection to the server on the command channel, then for any data passed, the server will actively create a connection back to the client. In the beginning, this was fine.

But then we got firewalls, which would block incoming connections. And we also have NAT boxes on pretty much every home connection (and most work ones), which would block any incoming connections (well, unless you set your NAT to route beforehand, which is a pain in the ass). So, they changed the protocol some to allow the client to request passive FTP, which means for the data connection, the server is now passive, and the protocol handshake tells the client how to connect the data channel to the server.

It's a bit more work for the server, which now needs to remember which incoming connection is from which client (and therefore which command to answer to), but it's the only real way to get over the 'no incoming connections' rule.

TL;DR: Always select passive. Every server supports it, it will always work, and you never need to know why it does. Or just test the 'active' connection; if it works, mitzvah! If not, try passive.

Rich Homolka

Posted 2011-03-08T20:43:36.243

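The handshake described in the answer above, as an added example that is not part of the original post: the client parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply (port = p1*256 + p2) and opens the data connection itself, versus building the `PORT h1,h2,h3,h4,p1,p2` command it would send in active mode so the server can connect back. The toy server in `passive_transfer_on_loopback` is constructed here to show which side initiates each connection; it is not a real FTP daemon. The `control_peer` override is a common client safeguard (curl's `--ftp-skip-pasv-ip` does the same): a server behind NAT often advertises its private address in the 227 reply, and a hostile one can try to point the client somewhere else entirely, so connecting back to the address the control channel already talks to is safer. The addresses and ports in the usage lines are made up.

```python
import re
import socket
import threading
from typing import Optional, Tuple

# Matches the six comma-separated numbers in a 227 reply, e.g.
# "227 Entering Passive Mode (192,168,1,10,195,89)".
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str, control_peer: Optional[str] = None) -> Tuple[str, int]:
    """Turn a server's 227 reply into the (host, port) the client must connect to.

    The data port is p1*256 + p2.  If control_peer is given and the advertised
    address differs from it (a server behind NAT that does not know its public
    address, or a server trying to redirect the client elsewhere), the control
    connection's peer address is used instead.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply without (h1,h2,h3,h4,p1,p2): %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 advertised in %r" % reply)
    if control_peer is not None and host != control_peer:
        host = control_peer
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Build the active-mode PORT command: the client tells the server which
    client address and port to connect back to for the data channel."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def passive_transfer_on_loopback(payload: bytes) -> bytes:
    """Run the passive-mode data handshake end to end on 127.0.0.1.

    A toy server (constructed for this example, not a real FTP daemon) listens
    on an ephemeral port and hands the client a 227 line; the client parses it
    and opens the data connection itself, which is the whole point of passive
    mode.  Returns the bytes the client read over that data connection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    # This is the line a real server would send on the command channel.
    reply = "227 Entering Passive Mode (%s,%d,%d)" % (host.replace(".", ","), port // 256, port % 256)

    def server_side() -> None:
        conn, _ = listener.accept()  # server is passive: it only waits
        with conn:
            conn.sendall(payload)
        listener.close()

    t = threading.Thread(target=server_side)
    t.start()

    # Client side: parse the 227 reply and initiate the data connection.
    data_host, data_port = parse_pasv_reply(reply, control_peer="127.0.0.1")
    chunks = []
    with socket.create_connection((data_host, data_port), timeout=5) as data:
        while True:
            chunk = data.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    t.join()
    return b"".join(chunks)


if __name__ == "__main__":
    # Made-up addresses and ports for illustration.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,195,89)"))
    print(build_port_command("10.0.0.5", 50009))
    print(passive_transfer_on_loopback(b"hello from the data channel\n"))
```

In active mode the roles in `passive_transfer_on_loopback` would be reversed: the client would be the one calling `listen()`/`accept()` on the port it announced with `PORT`, and that inbound connection is exactly what a client-side firewall or NAT box drops.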


This page claims to be the "Definitive Explanation" of passive vs active ftp.

The key difference between active and passive ftp is summed up at the bottom of the page:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

So with passive ftp you have to do a little more work on the server to allow connections on the high port number, but it should guarantee that any client can connect without problems as it knows which ports it has to open.

So if you have a server that will need to accept connections from a large number of clients passive ftp is the way to go. If you are only accepting connections from a small number of clients then active would be OK.

ChrisF

Posted 2011-03-08T20:43:36.243

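The "little more work on the server" in the answer above is, concretely, pinning the passive data ports to a known range so the firewall can be opened for that range instead of for every high port. An added example, not from the answer: a vsftpd configuration fragment using its real `pasv_min_port`, `pasv_max_port` and `pasv_address` options; the range and the public address are placeholders chosen for illustration.

```ini
# /etc/vsftpd.conf fragment (assumed location): passive mode with a fixed data-port range
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# Only needed when the server sits behind NAT and would otherwise advertise
# its private address in the 227 reply; 203.0.113.10 is a placeholder.
pasv_address=203.0.113.10
```

The server-side firewall then needs to accept inbound TCP on port 21 plus the chosen range only, for example `iptables -A INPUT -p tcp --dport 50000:50100 -j ACCEPT` (an assumed rule, matching the placeholder range above); any NAT in front of the server has to forward the same range. Keep the range small enough that an attacker scanning the host learns little and large enough for the expected number of concurrent transfers, since each transfer holds one port while it runs.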