FTP active and passive modes are two fundamentally different ways the client and server establish a data connection for transferring files.

Let’s watch it in action. Imagine you’re on your local machine (client) and want to connect to a remote FTP server (server).

First, the control connection:

$ ftp ftp.example.com
Connected to ftp.example.com.
220 (vsFTPd 3.0.3)
Name (ftp.example.com:user): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp>

Now, the data connection is where active and passive modes diverge.

Active Mode

In active mode, the client opens the control connection and then tells the server which address and port it is listening on for the data connection. The server then connects back to the client on that port. Because the client supplies that address itself, a careful server only accepts a PORT address that matches the peer of the control connection; vsFTPd enforces this unless port_promiscuous=YES.

  1. Client: Establishes control connection to server’s port 21.
  2. Client: Sends PORT command, e.g., PORT 192,168,1,100,5,67 (four address bytes followed by two port bytes, all comma-separated). This tells the server the client is listening on 192.168.1.100, port (5 * 256) + 67 = 1347.
  3. Server: Initiates a new connection from its port 20 back to the client’s specified data port (1347 in this example).
  4. Data Transfer: Happens over this server-initiated connection.

Passive Mode

In passive mode, the client opens the control connection and then asks the server to listen for the data connection. The server binds a listening port (normally from a configured range), tells the client its IP and port, and the client connects to the server on that port. A careful server accepts the data connection only from the address the control connection came from; vsFTPd does this unless pasv_promiscuous=YES.

  1. Client: Establishes control connection to server’s port 21.
  2. Client: Sends PASV command.
  3. Server: Binds an unprivileged port (e.g., 49252) and responds with 227 Entering Passive Mode (192,168,1,200,192,100). This uses the same encoding as PORT and tells the client to connect to 192.168.1.200 on port (192 * 256) + 100 = 49252.
  4. Client: Initiates a new connection from its own machine to the server’s specified data port (49252 in this example).
  5. Data Transfer: Happens over this client-initiated connection.
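The PORT argument and the 227 reply above carry the endpoint in the same RFC 959 form, h1,h2,h3,h4,p1,p2, with the port split into a high and a low byte. The following Python is an added example written for this page, not code from the original article or from vsFTPd: it encodes and decodes that field for both directions and includes the check a server should apply to a PORT argument before connecting back (the address must be the control connection's peer, the same rule vsFTPd's port_promiscuous=NO enforces; refusing privileged ports is an extra conservative rule of this example). The addresses and ports are the ones used in the steps above.

```python
from __future__ import annotations

import ipaddress
import re

# RFC 959 encodes a data endpoint as h1,h2,h3,h4,p1,p2: the four IPv4 octets,
# then the port as a high byte and a low byte, so port = p1 * 256 + p2.
# The same field appears in the client's PORT argument and in the server's
# "227 Entering Passive Mode (...)" reply.
_SIX_BYTES = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(host: str, port: int) -> str:
    """Return the h1,h2,h3,h4,p1,p2 form of an IPv4 address and port."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")  # also validates the address
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(text: str) -> tuple[str, int]:
    """Extract (host, port) from a PORT argument or a 227 reply; reject malformed fields."""
    m = _SIX_BYTES.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte value above 255 in {text!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def build_port_command(host: str, port: int) -> str:
    """What the client sends in active mode, e.g. 'PORT 192,168,1,100,5,67'."""
    return "PORT " + encode_host_port(host, port)


def build_pasv_reply(host: str, port: int) -> str:
    """What the server answers in passive mode, e.g. '227 Entering Passive Mode (192,168,1,200,192,100)'."""
    return f"227 Entering Passive Mode ({encode_host_port(host, port)})"


def accept_port_command(port_arg: str, control_peer_ip: str) -> tuple[str, int]:
    """Server-side check of a PORT argument before connecting back to it.

    The address must be the peer of the control connection, otherwise the
    server could be told to open data connections to arbitrary third parties.
    Rejecting privileged ports (< 1024) is an extra rule of this example.
    Returns (host, port) when the argument is acceptable.
    """
    host, port = decode_host_port(port_arg)
    if host != control_peer_ip:
        raise ValueError(f"PORT address {host} is not the control peer {control_peer_ip}")
    if port < 1024:
        raise ValueError(f"PORT to privileged port {port} refused")
    return host, port


if __name__ == "__main__":
    print(build_port_command("192.168.1.100", 1347))    # PORT 192,168,1,100,5,67
    print(decode_host_port("PORT 192,168,1,100,5,67"))  # ('192.168.1.100', 1347)
    print(build_pasv_reply("192.168.1.200", 49252))     # 227 Entering Passive Mode (192,168,1,200,192,100)
    print(decode_host_port("227 Entering Passive Mode (192,168,1,200,192,100)"))  # ('192.168.1.200', 49252)
    print(accept_port_command("192,168,1,100,5,67", "192.168.1.100"))  # ('192.168.1.100', 1347)
```

Note that a port that is an exact multiple of 256, such as 49152, encodes with a low byte of 0 (192,0); a parser that treats a missing or zero byte as an error will break on perfectly valid replies, which is why the decoder above only rejects values above 255.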

FTP’s defining design choice is to separate the command and control channel from the data stream; reliability itself comes from TCP underneath. The choice between active and passive mode is almost entirely about network topology and firewall or NAT traversal.

If your client is behind a firewall or NAT (common in corporate networks and on home routers) that only allows connections initiated from the inside, active mode will likely fail: the server’s inbound connection back to your client is blocked, or is addressed to a private IP the server cannot reach at all. Passive mode, where the client initiates both the control and data connections, is usually the solution.

Conversely, if the server is behind a strict firewall that only allows specific inbound ports (e.g., port 21 for control), active mode is the mode that needs nothing more than outbound connections from port 20. The trade-off is that passive mode requires the server to expose a range of listening data ports, which is why most modern FTP servers are configured to answer PASV from a defined port range that the firewall can allow.

The most surprising true thing about FTP’s dual-mode nature is that it was designed (RFC 959, 1985) before NAT and stateful firewalls were commonplace. Both PORT and the 227 reply carry an IP address and port inside the application payload, so a firewall or NAT that only looks at packet headers cannot know which data connection to expect, and a NAT will not rewrite the embedded private address. Stateful firewalls that do support FTP get around this with an application-layer gateway (on Linux, the nf_conntrack_ftp / nf_nat_ftp helpers) that parses the control channel and opens a pinhole for the announced data connection; without such a helper, the data connection is simply blocked.

Here’s a typical vsFTPd configuration snippet for passive mode:

# /etc/vsftpd.conf
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
pasv_address=192.168.1.200

This tells vsFTPd to accept PASV, to bind data ports only between 40000 and 50000, and to advertise 192.168.1.200 in its 227 replies. pasv_address is the address clients are told to connect to, not the address vsFTPd binds; the example uses a private address, so it is only correct for clients on the same network. When the server sits behind NAT, set pasv_address to the public address the NAT presents, otherwise clients receive an unreachable private IP and the data connection fails. Your firewall would need to allow inbound connections to port 21 and to this range of ports on the server. Leave pasv_promiscuous and port_promiscuous at their default of NO; they disable the checks that tie the data connection to the control connection’s peer.
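The exchange below is an added example written for this page, not code from the original article or from vsFTPd. It runs both sides of the passive-mode procedure over loopback: a minimal server that answers PASV with a 227 reply from a configured port range (the same idea as pasv_min_port/pasv_max_port), applies the same-peer check on the data connection, and pushes a file on RETR; and a client that opens both the control and the data connection, parsing the 227 reply with the standard library’s ftplib.parse227 helper. The control port, the port range and the payload are constructed demo values; the control listener uses an ephemeral port instead of 21 so no root privileges are needed.

```python
import ftplib
import socket
import threading

# Constructed demo values, not from any real deployment. The range plays the
# role of pasv_min_port/pasv_max_port: the server only listens on data ports
# inside it, so a firewall can allow exactly that range.
PASV_MIN_PORT = 40000
PASV_MAX_PORT = 40100
PAYLOAD = b"hello from the passive-mode data channel\n"


def bind_in_passive_range(bind_ip, lo=PASV_MIN_PORT, hi=PASV_MAX_PORT):
    """Listen on the first free port in [lo, hi]; this becomes the data port for one PASV."""
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((bind_ip, port))
            s.listen(1)
            s.settimeout(5)
            return s
        except OSError:
            s.close()
    raise OSError("no free port in the passive range")


def serve_one_session(control_listener, advertised_ip):
    """Server side: answer PASV with a 227 reply, then send PAYLOAD over the data channel on RETR."""
    conn, control_peer = control_listener.accept()
    data_listener = None
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 demo passive-mode server ready\r\n")
        while True:
            line = rd.readline()
            if not line:
                break
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd == "PASV":
                # A real server binds its own interface and advertises pasv_address;
                # on loopback both are the same address.
                data_listener = bind_in_passive_range(advertised_ip)
                port = data_listener.getsockname()[1]
                h = advertised_ip.replace(".", ",")
                conn.sendall(f"227 Entering Passive Mode ({h},{port >> 8},{port & 0xFF})\r\n".encode())
            elif cmd == "RETR DEMO.TXT" and data_listener is not None:
                data, data_peer = data_listener.accept()
                data_listener.close()
                data_listener = None
                # Same-peer check (what vsFTPd does unless pasv_promiscuous=YES).
                if data_peer[0] != control_peer[0]:
                    data.close()
                    conn.sendall(b"425 Data connection from unexpected address refused\r\n")
                    continue
                conn.sendall(b"150 Opening data connection\r\n")
                with data:
                    data.sendall(PAYLOAD)
                conn.sendall(b"226 Transfer complete\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                break
            else:
                conn.sendall(b"500 Unknown command\r\n")


def passive_client(control_host, control_port):
    """Client side: both the control and the data connection are opened from here."""
    transcript = []
    ctl = socket.create_connection((control_host, control_port), timeout=5)
    with ctl, ctl.makefile("rb") as rd:
        def reply():
            r = rd.readline().decode("ascii", "replace").strip()
            transcript.append("S: " + r)
            return r

        def send(cmd):
            transcript.append("C: " + cmd)
            ctl.sendall((cmd + "\r\n").encode("ascii"))
            return reply()

        reply()                                              # 220 banner
        data_host, data_port = ftplib.parse227(send("PASV"))  # stdlib does the p1*256+p2 arithmetic
        data = socket.create_connection((data_host, data_port), timeout=5)  # step 4: client -> server
        send("RETR demo.txt")                                # 150
        with data:
            received = b"".join(iter(lambda: data.recv(4096), b""))
        reply()                                              # 226
        send("QUIT")                                         # 221
    return received, data_port, transcript


def run_demo(host="127.0.0.1"):
    """Start the demo server in a thread, run the client against it, return (data, data_port, transcript)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # ephemeral control port instead of 21
    listener.listen(1)
    listener.settimeout(5)
    server = threading.Thread(target=serve_one_session, args=(listener, host), daemon=True)
    server.start()
    try:
        return passive_client(host, listener.getsockname()[1])
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    received, data_port, transcript = run_demo()
    print("\n".join(transcript))
    print(f"data port {data_port} is inside {PASV_MIN_PORT}-{PASV_MAX_PORT}; received {received!r}")
```

The transcript printed at the end is the control-channel dialogue from the steps above (220, PASV/227, RETR/150, 226, QUIT/221); the data port in the 227 reply always falls inside the configured range, which is exactly the property a firewall rule for passive mode relies on.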

When you’re on a client machine and type ftp -p ftp.example.com, the -p flag tells the classic command-line FTP client to use passive mode. Whether the default without the flag is active or passive depends on the client: BSD-derived ftp defaults to passive, older netkit-style clients to active, and both let you toggle the mode inside a session with the passive command. Most modern FTP clients default to passive mode because it’s more likely to work across various network configurations.

The next concept you’ll grapple with is SFTP, which is a completely different protocol that runs over SSH, solving many of FTP’s security and firewall traversal issues in one go.
