FTP Active vs passive mode

If you check the official specification of the File Transfer Protocol, you'll find that:

FTP can be run in active mode or passive mode, which control how the second connection is opened. In active mode the client sends the server the IP address and port number that the client will use for the data connection, and the server opens the connection. Passive mode was devised for use where the client is behind a firewall and unable to accept incoming TCP connections. The server sends the client an IP address and port number and the client opens the connection to the server. Both modes were updated in September 1998 to add support for IPv6 and made some other changes to passive mode, making it extended passive mode.

So, my first thought is that there's something wrong with your folder permissions. Double check them.


I'm guessing that the first file was small enough to be acceptable to transfer on the same connection, but that the second file was larger.


Although unlikely in this case, another conceivable problem you may have is your client's firewall. Active FTP requires that the client open a TCP port to which the server connects for file transfer.

It is possible that the client's firewall has one extended port accessible but no more, so the first file is allowed through that first port and not through any other extended ports (clients tend to allocate TCP ports in an incremental fashion).

Now with passive FTP the server allocates the TCP ports for transfer and the client connects to the server. In this case the client firewall can no longer cause much trouble because the client is connecting to the outside world (firewalls protect the outside world from connecting to within the firewall).

Almost always I find that switching from a broken active mode to a working passive mode indicates firewall problems.

Now for a diagram:


Active FTP

  client:n ---RETR portnum1---> server:21
  client:portnum1 <---fetches-- server:m1

  client:n ---RETR portnum2---> server:21
  client:portnum2 <---fetches-- server:m2

Passive FTP

  client:n ---PASV request----> server:21
  client:n <--PORT portnum1---- server:21
  client:n2 --fetches---------> server:portnum1

  client:n ---PASV request----> server:21
  client:n <--PORT portnum2---- server:21
  client:n3 --fetches---------> server:portnum2

Note that port 21 is the command channel. This is where instructions get sent to/from. Other ports are used for actual data transfer.
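
When troubleshooting which side's firewall is blocking the data connection, the address and port being negotiated can be read straight off the command channel. The following is an added example, not part of the original answers: it decodes the RFC 959 `PORT` command and `227` reply and the RFC 2428 `EPRT` command and `229` reply (the extended forms used for IPv6), and reports which side has to accept the inbound connection. The function names and the sample lines are constructed for illustration.

```python
import re

# RFC 959 encodes an IPv4 endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode_six(text):
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_endpoint(line):
    """Return (mode, listener, host, port) for one command-channel line.
    listener is the side that must accept an inbound TCP connection, i.e.
    the side whose firewall has to let the data connection in.
    host is None for 229 replies: the client reuses the server's address.
    """
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb == "PORT":   # client -> server, active mode
        return ("active", "client") + _decode_six(line)
    if verb == "227":    # server -> client, reply to PASV
        return ("passive", "server") + _decode_six(line)
    if verb == "EPRT":   # EPRT <d>proto<d>addr<d>port<d>, <d> is usually '|'
        arg = line.split(" ", 1)[1]
        _, _proto, addr, port, _ = arg.split(arg[0])
        return ("active", "client", addr, int(port))
    if verb == "229":    # reply to EPSV: (<d><d><d>port<d>)
        m = re.search(r"\((.)\1\1(\d+)\1\)", line)
        if not m:
            raise ValueError("malformed 229 reply: %r" % line)
        return ("passive", "server", None, int(m.group(2)))
    raise ValueError("not a data-connection negotiation line: %r" % line)

# Constructed sample command-channel lines (not from a real capture).
SAMPLES = [
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (198,51,100,7,156,64)",
    "EPRT |2|2001:db8::10|50001|",
    "229 Entering Extended Passive Mode (|||40001|)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", data_endpoint(s))
```

If the listener is "client" and transfers hang, the client-side firewall or NAT is the first place to look; if it is "server", check that the server's passive port range is open.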