FTP Active vs Passive

People sometimes run into difficulty when setting up an FTP Server behind a Firewall or Router. In order to understand the potential issues, it first helps to understand the difference between Active and Passive FTP.

“FTP can be run in active or passive mode, which determines how the data connection is established. In active mode, the client sends the server the IP address and port number on which the client will listen, and the server initiates the TCP connection. In situations where the client is behind a firewall and unable to accept incoming TCP connections, passive mode may be used. In this mode the client sends a PASV command to the server and receives an IP address and port number in return. The client uses these to open the data connection to the server.”

So Passive FTP is needed when the client is connecting from behind a NAT router, but what if the server is behind a NAT router as well? Two solutions:

1) Setup your FTP Server application to be aware of its public IP AND use a custom port range for Passive FTP connections. Then configure the server firewall to allow these known port ranges as well as port 21 for the control connection.

2) If the server firewall features an FTP ALG (application-level gateway), the firewall simply needs to be configured to forward 21 to the proper internal IP. The remainder of work (translating internal IP to public IP and poking firewall holes for the server’s ports it responded with for data connections) is all handled automatically by the FTP ALG functionality. I’ve found that the inclusion of an FTP ALG in a device varies widely. For example, I know from experience that Verizon FIOS residential routers do have this functionality while I've encountered some high-end commercial and industrial routers that do not.