FTP 101 - part 1: Active vs passive connections
Published by Carsten Blum
In this first blog post in our tutorial series about the FTP protocol and FTP client software, we'll look at a core concept of regular old-school FTP: active vs passive connections. This topic does not arise with SFTP or SCP, because those protocols are completely different. In fact, apart from the "FTP" abbreviation, FTP and SFTP have absolutely nothing in common.
With that exciting FTP intro out of the way, let's dive into the concepts of active and passive connections when using FTP.
Understanding FTP port usage.
When talking about active and passive FTP connections, we first need to understand how an FTP client uses ports when connecting to an FTP server.
In a typical FTP session, two separate connections are established between the client and the server:
Control connection (command channel)
This is the first connection, and it’s always initiated by the client. It uses TCP port 21 on the server side, and an ephemeral (temporary) port on the client side. This control connection stays open throughout the session and is used for sending commands like USER, PASS, LIST, and RETR.
So the control connection is always port 21 on the server side and an ephemeral port on the client side, and the initiator (or, if you like, the flow direction) is client -> server. No problem there.
Data connection (transfer channel)
This is the second connection, used for transferring files or directory listings. How this connection is established – and who opens it – depends on whether the client is using active or passive mode.
When using active connections, the server connects back to the client from its TCP port 20 to an ephemeral port on the client. This means the server initiates the data connection, which can be problematic, as in downright impossible, if the client’s firewall blocks incoming connections. In 2025, as of writing this article, an active FTP connection is nearly always impossible.
So the active-mode data connection is always port 20 on the server side and an ephemeral port on the client side. The problem is that the server is the initiator: the flow direction is server -> client.
In the above scenario the server initiates the data connection from server to client, expecting the client to have an open firewall or none at all. In passive mode, on the other hand, the server opens a random high-numbered (ephemeral) port and tells the client which one to connect to. The client then initiates the data connection from its own ephemeral port to this specific server port. This is why passive mode is often preferred behind NAT or firewalls: it avoids incoming connections from the server side.
Because of this difference, the choice between active and passive FTP has big implications when firewalls and NAT (Network Address Translation) are involved. Firewalls often block incoming connections unless explicitly allowed, which makes passive mode more firewall-friendly in most modern setups.
At ftpGrid we obviously support passive mode for client-server connections; otherwise hosting a modern FTP service would be nearly impossible. On each edge service we usually operate with 100 open passive FTP data connection ports in the range 21000-21100. Now you might think that we don't have many available ports, but we have many, many edge services, so no worries. :-)
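As an added example (not code from the original post or from ftpGrid), here is a small Python parser for the two messages that set up the data connection: the server's PASV reply in passive mode and the client's PORT command in active mode. Both encode the address as six decimal octets with the port split as p1*256+p2, and the 21000-21100 range above is used as the sample firewall range for a check on the advertised passive port. The sample messages and the EPSV reply form (RFC 2428) are assumptions, not taken from the post.

```python
import re

# Passive data-port range the post says ftpGrid opens on each edge service.
PASSIVE_RANGE = (21000, 21100)

# PASV replies and PORT commands both carry h1,h2,h3,h4,p1,p2 (RFC 959);
# EPSV replies (RFC 2428) carry only the port as (|||port|).
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def _decode_hostport(text: str) -> tuple[str, int]:
    """Decode the six decimal octets into (ip, port); port = p1 * 256 + p2."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: the server's 227 reply names the server IP and ephemeral
    port that the client must open the data connection to."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    return _decode_hostport(reply)


def parse_port_command(command: str) -> tuple[str, int]:
    """Active mode: the client's PORT command names the client IP and ephemeral
    port that the server will connect back to from its port 20."""
    if not command.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {command!r}")
    return _decode_hostport(command)


def parse_epsv_reply(reply: str) -> int:
    """Extended passive mode: only a port is advertised; the data connection
    goes to the same host as the control connection."""
    m = _EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))


def within_passive_range(port: int, port_range: tuple[int, int] = PASSIVE_RANGE) -> bool:
    """Firewall check: does an advertised passive port fall in the allowed range?"""
    low, high = port_range
    return low <= port <= high
```

Running the parsed port through within_passive_range before opening the data connection lets a client (or a test against your own edge service) flag a reply that points outside the range the firewall permits, instead of the transfer silently hanging.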