Why You Should Configure a Passive Port Range in VSFTPD
In active FTP, the client connects to the server using FTP port 21, after which the server opens a random high port for the data connection and tells the client to connect to that.
But if the client side has a firewall (e.g., Windows Firewall), the firewall will most likely block the incoming data connection from the server because the client firewall blocks incoming connections that are not initiated by the client.
Passive FTP solves this problem. In passive mode, the client initiates both the control and data connections. When a client requests data in passive mode, your vsftpd server opens a port within a defined range and tells the client which port to connect to. Since the client is initiating the connection, it's far more likely to pass through their firewall.
Example of Configuration
In vsftpd.conf, you can specify:
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
After setting the passive port range, you need to open the same port range in the server's firewall if the server is behind a firewall.
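One way to confirm that the server hands out data ports from the configured range, and therefore that the firewall rule covers them, is to decode the port in the server's 227 reply to PASV and compare it with the settings. This is an added example, not part of the original article; the function names, the sample config string and the 203.0.113.10 replies are constructed for illustration.

```python
import re

# Constructed sample: the three settings from the article plus a comment line.
SAMPLE_CONF = "# passive mode\npasv_enable=YES\npasv_min_port=30000\npasv_max_port=31000\n"

PASV_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_range(conf_text):
    """Return (min_port, max_port) from vsftpd.conf text, or None if passive mode is off."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # vsftpd allows no spaces around '='
            opts[key] = value
    if opts.get("pasv_enable", "YES").upper() in ("NO", "FALSE", "0"):
        return None
    # vsftpd's default for both options is 0, meaning "use any port".
    return int(opts.get("pasv_min_port", "0")), int(opts.get("pasv_max_port", "0"))


def parse_227(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    match = PASV_FIELDS.search(reply) if reply.startswith("227") else None
    if match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(f) for f in match.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # port travels as two bytes, high byte first
    return host, port


def reply_port_allowed(reply, conf_text):
    """True if the advertised data port lies inside the configured passive range."""
    limits = parse_pasv_range(conf_text)
    if limits is None or limits == (0, 0):
        return False  # passive mode off, or no bounded range to write a firewall rule for
    low, high = limits[0], limits[1] or 65535
    return low <= parse_227(reply)[1] <= high


if __name__ == "__main__":
    for reply in ("227 Entering Passive Mode (203,0,113,10,117,48).",
                  "227 Entering Passive Mode (203,0,113,10,195,80)."):
        print(parse_227(reply), reply_port_allowed(reply, SAMPLE_CONF))
```

A port outside the range in a real 227 reply usually means vsftpd was not restarted after the change or is reading a different configuration file.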