Basic Network Configuration

It is important to understand the basics of the FTP protocol in order to configure FileZilla/FileZilla Pro, firewalls and routers. Setting up the network components for FTP outside a local area network (LAN) can be non-trivial.
Read below to learn more.


What distinguishes FTP from most other protocols is the use of secondary connections for file transfers.
When you connect to an FTP server, you are actually making two connections.

First, the control connection is established, over which FTP commands and their replies are transferred.
Then, in order to transfer a file or a directory listing, the client sends a particular command over the control connection to establish the data connection.

The data connection can be established in two different ways, using active mode or passive mode.

In passive mode, which is the recommended mode, FileZilla/FileZilla Pro sends the PASV command to the server, and the server responds with an address. FileZilla Pro then issues a command to transfer a file or to get a directory listing, and establishes a secondary connection to the address returned by the server.

In active mode, FileZilla/FileZilla Pro opens a socket on the local machine and tells its address to the server using the PORT command. Once FileZilla Pro issues a command to transfer a file or listing, the server will connect to the provided address. In both cases, the required file or listing gets transferred over the data connection.
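
The address exchange described above, as an added example that is not part of the original page or of FileZilla's code. It assumes the standard RFC 959 encoding of the address in the PASV reply and the PORT command (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2), which the page does not spell out; the function names are hypothetical and the sample addresses in the comments are constructed.

```python
import ipaddress
import re

# Assumption (RFC 959): address is six decimal fields h1,h2,h3,h4,p1,p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Return (ip, port) from a PASV reply or PORT command, or None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def check_pasv(reply, control_peer_ip):
    """Classify the data address a server returned in its PASV reply.

    control_peer_ip is the address the client used for the control
    connection, e.g. "203.0.113.5" (constructed sample).
    """
    if not reply.startswith("227"):
        return "not-a-pasv-reply"
    parsed = parse_hostport(reply)
    if parsed is None:
        return "malformed"
    ip, _port = parsed
    if ip == control_peer_ip:
        return "ok"
    if any(ipaddress.ip_address(ip) in net for net in _RFC1918):
        # A server behind NAT announced its LAN address; a client outside
        # that LAN cannot open the data connection to it.
        return "private-address-behind-nat"
    # The data connection would go to a different host than the control one.
    return "address-mismatch"
```

Run against a captured control-connection log, the same check shows whether a failed passive-mode transfer is caused by the server announcing an address the client cannot reach.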

Generally, establishing outgoing connections requires little or no configuration of the involved routers/firewalls compared to allowing incoming connections.

In passive mode, the connection is outgoing on the client side and incoming on the server side.
In active mode this is reversed. Note that the only difference is how the connection gets established.
Once established, the connection can be used for both uploads and downloads.

A common network setup might look like this:

In passive mode, the involved routers and firewalls on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will be the case most of the time).

Analogously, in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Only outgoing connections have to be allowed on the server side.

Since in most cases one server provides a service for many users, it is much easier to use passive mode and configure the server's router and firewall only once than to use active mode and configure the router/firewall of each individual client. Therefore, passive mode is recommended in most cases.
