Active FTP vs passive FTP

Active and passive are the two modes that FTP can run in. FTP is kind of a weird protocol because it uses two ports: one for the command channel (by default TCP 21) and one for the actual data transfer (by default TCP 20). It’s a nifty way of sending commands to the server without having to wait for the current data transfer to finish, but it makes things pretty difficult when there is NAT or a firewall in the way.

Active mode

In active mode the client connects from a random unprivileged port (N > 1023) to the server’s command port (TCP 21). Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the server. The server then connects “back” to the client’s specified data port from its local data port (TCP 20).

If both hosts are on the same network, this mode works great. If there is a firewall and/or a router in the way, that’s a different story. To the firewall/router it appears that an outside host is initiating a connection to an “internal” client, which is generally forbidden. And even if it weren’t forbidden, a router doing NAT has no idea which internal host it should forward the connection to.

Passive mode

In passive mode the client is responsible for initiating both connections to the server, which solves the problem of filtering by firewalls/routers. It works like this: when opening an FTP connection the client opens two random unprivileged ports locally (N > 1023 and N+1). Then it contacts the server on TCP port 21, but instead of issuing a PORT N+1 command it uses the PASV command. In response the server opens a random unprivileged port (P > 1023) and sends the port number back to the client. Then the client initiates the second connection from its second port (N+1) to the server’s specified data port (P).
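The two negotiations above in code, as an added example that is not part of the original post: parsing the server’s 227 reply to PASV (port = p1*256 + p2), building the PORT command an active-mode client sends, and, for the NAT case, a client-side fallback that reuses the control connection’s peer address when the server advertises an RFC 1918 address it cannot be reached at. The sample addresses and replies are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Reply to PASV looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
# the data port is p1*256 + p2.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return the (host, port) a server advertises in its 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in %r" % reply)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised port 0")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def build_port(host, port):
    """Build the PORT command an active-mode client sends for its listener."""
    if not 1024 <= port <= 65535:
        raise ValueError("data port must be unprivileged (N > 1023)")
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def data_endpoint(reply, control_peer):
    """Decide where the client should open the passive data connection.

    A server behind NAT usually does not know its public address and puts
    its private one in the 227 reply.  If the advertised host is RFC 1918
    but the control connection went to a public address, keep the port and
    reuse the control peer instead of dialling an unreachable host.
    """
    host, port = parse_pasv(reply)
    adv, peer = ip_address(host), ip_address(control_peer)
    adv_private = any(adv in n for n in RFC1918)
    peer_private = any(peer in n for n in RFC1918)
    if adv_private and not peer_private:
        return control_peer, port
    return host, port
```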

Which mode should I use?

Short answer: passive mode. There are three reasons for that:

  • pretty much everybody is doing NAT
  • many people use their web browser as an FTP client, and browsers only support passive mode
  • it’s true that passive mode opens up a whole new range of problems on the server side, but you are on the server side 😉

Further Reading and sources

[OpenSSL] Generate a self-signed SSL certificate

First, let’s generate an RSA key for the server:

openssl genrsa -out server.key 2048

Next, for a “true” certificate we would have to generate a certificate signing request (CSR) and have a CA sign it.
But for a self-signed certificate we can generate the certificate directly, like this:

openssl req -new -x509 -days 3650 -key server.key -out server.crt

Here we generate an X.509 certificate valid for ten years. You don’t have to answer any question besides the “Common Name (eg, YOUR name)” one. The correct value is the domain name you are going to use the certificate for.