Articles

Configure NAT and Firewall Rules for FTP Passive Mode (2026)

April 18, 2026 8 min read

FTP passive mode is a sneaky beast, and its configuration often trips up even experienced network engineers because it flips the direction of the data connection, making standard firewall and NAT rules behave unexpectedly.

Let’s see it in action. Imagine a client on the internet trying to connect to an FTP server behind a NAT device.

Client Side (e.g., ftp command in Linux):

ftp ftp.example.com
# Enter username and password

# After authentication, try listing files
ls

Server Side (e.g., vsftpd on Linux):

When the client initiates an ls command, the server doesn’t initiate the data connection back to the client’s control port. Instead, it tells the client: "Hey, I’m opening a data port at 20012 (or some other high port), you connect to me there."

Server Logs (e.g., vsftpd.log):

[date] [time] [PID] [CLIENT_IP]:21 -> [SERVER_IP]:21 (USER anonymous)
[date] [time] [PID] [CLIENT_IP]:21 -> [SERVER_IP]:21 (PASS anonymous)
[date] [time] [PID] [CLIENT_IP]:21 -> [SERVER_IP]:21 (PASV)
[date] [time] [PID] [SERVER_IP]:21 -> [CLIENT_IP]:21 (227 Entering Passive Mode (SERVER_EXTERNAL_IP,200,12))
[date] [time] [PID] [CLIENT_IP]:34567 -> [SERVER_IP]:20012 (LIST)

Notice how the LIST command originates from a high port on the client (34567) and connects to a high port on the server (20012). This is the "passive" part. The client initiates the data connection.

The problem is that firewalls and NAT devices are usually configured to expect the server to initiate outbound connections for data, or they might not correctly translate the server’s advertised passive port (SERVER_EXTERNAL_IP,200,12) to the actual internal IP and port where the FTP server is listening.

The Core Problem: State Tracking and Port Mapping

Traditional stateful firewalls track TCP connections. When the FTP control connection (port 21) is established, the firewall allows traffic on that port. However, when the server, in passive mode, sends back the 227 Entering Passive Mode message, it includes the server’s external IP address and a high port number that the client should connect to for data.

  1. NAT Translation: If the FTP server is behind NAT, the server’s internal IP address is not directly reachable from the internet. The NAT device translates the server’s internal IP to its own external IP. The 227 message, however, contains the external IP address. The NAT device needs to be aware of this and translate the data connection destination port as well.
  2. Firewall Rules: The firewall sees the FTP control connection (port 21) coming in and going out. But when the server tells the client to connect to a new, high-numbered port (e.g., 20012), the firewall might not have a rule allowing this inbound connection on that specific high port, or it might not understand that this new connection is related to the existing FTP session.

Common Causes and Solutions

1. NAT Device Not Performing Port Translation for Passive Mode

  • Diagnosis: On your NAT device (router, firewall appliance), check its NAT configuration. Look for specific FTP ALG (Application Layer Gateway) settings or general passive FTP support. If you can simulate the PASV response manually or see the server’s response in logs, check if the IP address advertised by the server in the 227 message is the external IP of the NAT device, not the server’s internal IP.
  • Fix: Enable the FTP ALG or passive FTP support on your NAT device. For example, on Cisco ASA:
    policy-map global_policy
 class inspection_default
  inspect ftp
    On pfSense: Navigate to Firewall -> NAT -> Outbound and ensure your NAT rules are set to Automatic outbound NAT rule generation or manually created rules that cover the FTP server’s internal IP and port range. Look for a specific FTP proxy or ALG option in the firewall settings.
  • Why it works: The FTP ALG (or equivalent feature) inspects the FTP control traffic. When it sees the 227 Entering Passive Mode command, it rewrites the advertised IP address and port to match the NAT device’s external IP and the actual internal IP/port of the FTP server, ensuring the client connects to the correct destination through the NAT.

2. Firewall Blocking Inbound Data Connections on High Ports

  • Diagnosis: Examine your firewall rules. Are you explicitly allowing inbound traffic on port 21 for the FTP control channel? Do you have rules allowing inbound traffic on the range of high ports the FTP server will use for data? Often, a default-deny policy for unsolicited inbound traffic will block these.
  • Fix: Create a firewall rule to allow inbound TCP traffic on the FTP server’s external IP address to the range of ports the FTP server is configured to use for passive mode. For example, if your FTP server is configured to use ports 49152-65535 for passive mode:
    • iptables (Linux server acting as firewall):
      iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 49152:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
# Also need to allow established outbound from server on data ports
iptables -A OUTPUT -p tcp --dport 49152:65535 -m state --state ESTABLISHED -j ACCEPT
    • Firewall Appliance (Conceptual): Add a rule allowing TCP traffic from Any source to Your_FTP_Server_External_IP on destination port 49152-65535.
  • Why it works: This explicitly permits the inbound data connections from the client to the FTP server on the specific high ports designated for passive mode, bypassing the general inbound block.

3. FTP Server Configured with Wrong External IP Address

  • Diagnosis: Check your FTP server’s configuration file (e.g., /etc/vsftpd.conf for vsftpd). Look for directives related to passive mode and the server’s external IP. A common mistake is having the server advertise its internal IP address in the 227 response.
  • Fix: Configure the FTP server to advertise its correct external IP address.
    • vsftpd:
      # In vsftpd.conf
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
pasv_address=203.0.113.10  # Your FTP server's public IP address
    • ProFTPD:
      # In proftpd.conf
<PassivePorts 49152 65535>
<Global>
    PassivePorts 49152 65535
    ExternalBind '203.0.113.10'
</Global>
  • Why it works: By telling the FTP server its external IP, it can correctly embed this IP in the 227 message. When the NAT device or firewall sees this, it knows which external IP the client is supposed to connect to, and the ALG or firewall rule can then correctly map this to the internal server.

4. Incorrect Port Range Specified for Passive Mode

  • Diagnosis: The FTP server needs to bind to specific ports for passive data connections. If this range is too small or overlaps with other critical services, or if it’s not properly opened in the firewall, it will fail. Check your FTP server logs for errors like "Cannot bind to port X."
  • Fix: Define a sufficiently large, unused port range for passive mode in your FTP server’s configuration and ensure these ports are allowed through your firewall.
    • vsftpd:
      pasv_min_port=49152
pasv_max_port=65535
    • ProFTPD:
      <PassivePorts 49152 65535>
    Then, ensure your firewall allows inbound TCP on 49152:65535.
  • Why it works: This ensures the FTP server has available ports to listen on for incoming data connections and that these ports are explicitly permitted by network security devices.

5. FTP Client is Blocking Outbound Connections

  • Diagnosis: Less common, but the client machine itself might have a firewall or security software that blocks outbound connections on high ports. Check the client’s firewall logs if possible.
  • Fix: Adjust the client’s firewall rules to allow outbound TCP connections on the ports specified by the server in the 227 message. This is often handled automatically by common client firewalls, but custom configurations can cause issues.
  • Why it works: Enables the client to initiate the data connection as required by passive mode.

6. FTP Server is Behind a "Double NAT" or Complex Network Topology

  • Diagnosis: If the FTP server is not directly behind a single NAT device you control, but rather behind multiple layers of NAT (e.g., a home router feeding into a corporate router), troubleshooting becomes much harder. The PASV command might advertise an IP that is only reachable from one layer of NAT, but not the client’s.
  • Fix: This is the hardest to fix without re-architecting the network. Ideally, the FTP server should be placed in a DMZ or a network segment with a single, predictable NAT layer. If that’s not possible, you might need to configure port forwarding on each NAT device in the path, ensuring the passive port range is forwarded all the way to the FTP server’s internal IP.
  • Why it works: Ensures that the passive port connection initiated by the client can traverse all intervening network devices and reach the FTP server.

Once you’ve correctly configured your NAT device (often via an FTP ALG) and your firewall to allow inbound traffic on the passive port range, and ensured your FTP server is advertising the correct external IP, passive mode FTP should function.

The next challenge you might face is dealing with FTP over TLS/SSL (FTPS) in passive mode, which adds another layer of complexity regarding certificate management and port negotiation.

Want structured learning?

Take the full Ftp course →