To understand why this happens, you need to understand the difference between Active and Passive FTP, which is how the data connection is established between the FTP client and the server.
With active FTP, the client initiates a connection from a random ephemeral port (M > 1023) to the FTP server's port 21 (the control port); this control connection is the same in both active and passive modes. The server then initiates the data connection from its own port 20 to the ephemeral port the client provided. The potential issue is that the server needs to initiate a connection back to the client on a random port; when firewalls or NAT sit in front of the client, they may block that incoming connection.
With passive FTP, the client initiates a connection from a random ephemeral port to the server's port 21 (the same as active FTP) and asks the server to enter passive mode using the PASV command. The server then opens a random ephemeral port (M > 1023) and returns that port number to the client, and the client initiates the data connection to the server's provided ephemeral port. The benefit is that the client initiates both the control and data connections, which works better with firewalls and NAT because the server never has to establish a connection to the client.
Key Differences:

| | Active FTP | Passive FTP |
|---|---|---|
| Control Connection | Client (ephemeral port) → Server (port 21) | Client (ephemeral port) → Server (port 21) |
| Data Connection | Server (port 20) → Client (ephemeral port) | Client (ephemeral port) → Server (ephemeral port) |
| Who Initiates Data | Server initiates data connection to client | Client initiates data connection to server |
| Firewall/NAT Impact | May have issues due to server-initiated connection | Easier with firewalls as client initiates connections |
| Usage | Historically the default mode for FTP | Preferred in modern networks, especially with firewalls |
To allow passive FTP through a Windows firewall, you can:
- Go to Control Panel
- Select System & Security
- Select Windows Firewall
- Go to Advanced Settings
- Click Inbound Rules on the left
- Click New Rule on the right
- Choose Port for your rule type
- Click Next
- Select TCP at the top of the next box
- Passive FTP requires two firewall rules to function properly:
  - The firewall must allow connections on port 21
  - The firewall must allow connections to the ephemeral ports used by the FTP application
- Check Allow the Connection
- Click Next
- Unless there is a reason for the rule not to apply in all three network profiles (Domain, Private and Public), leave all checked
- Click Next
- Enter a Name for the rule
- If desired add a Description
- Click Finish
Note: For this to work, you will also need to configure a specific range of inbound passive ports on your FTP server and allow that same range through the firewall.
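The same two inbound rules the steps above create, written as a script so they can be repeated and audited. This is an added example, not part of the original article; it assumes an elevated PowerShell session and uses TCP 50000-50100 as a placeholder for the passive range configured on your FTP server.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell session.
# Assumptions: the FTP server listens on TCP 21, and its passive data range has been
# configured to TCP 50000-50100 (placeholder; use the range set on your FTP server).
$PassiveRange = '50000-50100'
$Profiles     = @('Domain', 'Private', 'Public')   # leave all three unless you have a reason not to

# Rule 1: the control connection (port 21), needed in both active and passive modes.
New-NetFirewallRule -DisplayName 'FTP Control (TCP 21)' `
    -Description 'Allow inbound FTP control connections' `
    -Direction Inbound -Protocol TCP -LocalPort 21 `
    -Action Allow -Profile $Profiles

# Rule 2: the passive data connections. Keep this to the exact range the FTP server
# advertises in its PASV replies; allowing every ephemeral port (1024-65535) exposes
# far more of the host than the FTP service needs.
New-NetFirewallRule -DisplayName "FTP Passive Data (TCP $PassiveRange)" `
    -Description 'Allow inbound passive-mode FTP data connections' `
    -Direction Inbound -Protocol TCP -LocalPort $PassiveRange `
    -Action Allow -Profile $Profiles

# Verify what was created: rule name, enabled state, profiles and the ports it opens.
Get-NetFirewallRule -DisplayName 'FTP *' |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        '{0,-32} Enabled={1} Profile={2} TCP:{3}' -f $_.DisplayName, $_.Enabled, $_.Profile, $ports
    }
```

The verification loop is the quick check that the data rule covers only the configured passive range and nothing wider.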