Both types of connection start with the client opening a connection to the server (usually on port 21). This connection is used to control the FTP session. Any data transferred (files uploaded/downloaded or directory listings being returned) are sent in a separate data connection.
In active mode, the client picks an unused port and starts listening for incoming connections. It sends the server a “PORT” command, containing the port and IP address that the server should connect to in order to exchange data.
To use passive mode, the client sends the command “PASV”, to which the server responds with an IP address and port. The client then initiates a new connection to this address. To initiate a passive mode connection in ODEX (as a client), check the “passive mode” box against the trading partner network. To accept passive mode connections (as a server), check the “passive mode” box against the FTP Server subsystem.
FTP causes problems for firewalls because it uses secondary connections after the initial connection, and those connections use a random port number, so the firewall cannot be preconfigured to simply allow access based on the port number. It also causes confusion because most firewalls use Network Address Translation (NAT) to convert between internal LAN addresses and external Internet addresses. When an FTP application sends a “PORT” command or responds to a “PASV” command, it will return its LAN address, not the actual Internet address that the remote party should be connecting to. However, when using passive mode in ODEX it is possible to specify the external IP address against the subsystem.
Firewalls get around these problems in a variety of ways. Most will at least be able to handle the secondary connection by detecting that the incoming connection is FTP (based on the port being 21) and then allowing any subsequent connection on any port.
More advanced firewalls will recognise the FTP protocol and, by checking the content of the “PORT” command and the response to the “PASV” command, they will know which port to allow. Firewalls may optionally be able to convert between the internal and external IP addresses.
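As an added illustration (not ODEX code) of what such an FTP-aware firewall has to inspect, the following parses the host/port pair carried in a “PORT” command or a “227” reply to “PASV” and flags the NAT leak described above, where the advertised address is a LAN address rather than the Internet address the remote party must use. The message samples are constructed; 203.0.113.0/24 is the documentation address range.

```python
import ipaddress
import re

# Added example, not ODEX code: parse the host/port pairs an FTP-aware
# firewall inspects (the client's PORT command and the server's 227 reply
# to PASV) and flag the NAT problem described above. RFC 959 encodes the
# endpoint as h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 PASV reply, or None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # each field is one octet; anything larger is malformed
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def is_lan_address(ip):
    """True for RFC 1918 private space (the LAN addresses that NAT rewrites)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def check_data_endpoint(line, peer_ip):
    """Classify the data endpoint advertised in a PORT command or PASV reply.

    peer_ip is the address the control connection really comes from, as the
    firewall sees it. Returns 'ok' when the advertised address matches it,
    'private-behind-nat' when a LAN address has leaked through NAT, 'mismatch'
    when some other host is named, or 'unparsable' when no endpoint is found.
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return "unparsable"
    ip, _port = parsed
    if ip == peer_ip:
        return "ok"
    if is_lan_address(ip) and not is_lan_address(peer_ip):
        return "private-behind-nat"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample messages as a firewall would see them on port 21.
    print(check_data_endpoint("PORT 192,168,1,10,4,1", "203.0.113.7"))
    print(check_data_endpoint("227 Entering Passive Mode (203,0,113,7,195,80)", "203.0.113.7"))
```

The 'private-behind-nat' result is exactly the case the external IP address setting on the ODEX subsystem is meant to avoid for passive mode.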
Generally, passive mode is the best option, as this minimises the configuration required at the client side. If your firewall allows outbound connections on any port, then no other changes are required.
If a non-standard port is being used, then firewalls may not detect that the connection is an FTP session, and so would need additional configuration.