Question 1 Multiple Choice
A client behind a firewall that blocks all unsolicited incoming TCP connections tries to download a file using FTP in active mode. The transfer fails. What is the direct cause?
A. Active mode uses UDP for data transfers, which firewalls always block
B. In active mode, the server initiates the data connection to the client's IP address and port — and the firewall blocks this incoming connection
C. Active mode requires the client to open port 21, but the firewall only allows outbound connections on port 80
D. The FTP control connection was not established because port 21 is also blocked for incoming connections
Active mode's defining characteristic is that the server initiates the data connection: the client tells the server 'I'm listening on port X,' and the server opens a TCP connection from its port 20 to the client's specified port. From the firewall's perspective, this is an unsolicited incoming connection — a server on the internet trying to connect to an internal host — which modern firewalls block by default. Passive mode solves this by reversing the roles: the client initiates both connections, so no incoming connections are required.
Question 2 Multiple Choice
Why has SFTP largely replaced FTP in modern deployments rather than FTPS, despite FTPS also providing encryption?
A. SFTP uses faster encryption algorithms than FTPS, making file transfers significantly quicker
B. FTPS is not supported on Linux or Unix systems, limiting its deployment
C. SFTP runs over a single SSH connection (simpler for firewalls, strong authentication built in), while FTPS preserves FTP's dual-connection architecture with added TLS overhead
D. SFTP allows resuming interrupted transfers, while FTPS does not support this feature
FTPS adds TLS encryption to FTP's existing architecture, which means it still uses separate control and data connections — preserving all the firewall and NAT complications of FTP while adding certificate management overhead. SFTP, running as an SSH subsystem, uses a single encrypted connection for everything, inherits SSH's proven authentication (including public key auth), requires no special firewall configuration beyond the standard SSH port, and is available wherever SSH is installed. The single-connection architecture is the key practical advantage.
Question 3 True / False
In FTP passive mode, the client initiates both the control connection to port 21 and the data connection to a server-provided high-numbered port.
T. True
F. False
Answer: True
Passive mode was designed specifically to work through firewalls and NAT. The client opens the control connection to the server on port 21 (standard). When a data transfer is needed, the client sends a PASV command, and the server responds with an IP address and high-numbered port it is listening on. The client then opens the data connection outbound to that server port. Since the client initiates both connections, no incoming connections are needed on the client side — making passive mode work reliably through firewalls that block unsolicited inbound traffic.
Question 4 True / False
SFTP (SSH File Transfer Protocol) is an encrypted version of FTP that adds SSL/TLS security to the existing FTP control and data channels.
T. True
F. False
Answer: False
This describes FTPS, not SFTP. SFTP is an entirely different protocol that runs as a subsystem within SSH — it has no relationship to FTP beyond the name similarity and purpose. SFTP uses a single SSH-encrypted connection for all communication, while FTP (and FTPS) use separate control and data channels. FTPS (FTP over TLS/SSL) is the protocol that wraps FTP in encryption while preserving its dual-connection structure. The name confusion between SFTP and FTPS is one of the most common misconceptions in network administration.
Question 5 Short Answer
Explain why FTP's active mode causes problems with firewalls and NAT, and why passive mode solves this problem.
Model answer: In active mode, the client tells the server its IP address and a listening port via the PORT command, and the server then initiates a TCP data connection from its port 20 to the client's specified port. Firewalls block this because it appears to be an unsolicited incoming connection from an external server to an internal client — exactly the type of traffic firewalls are designed to prevent. NAT compounds the problem because the internal IP address the client reports in the PORT command is private and unreachable from outside the NAT. In passive mode, the roles reverse: the server advertises a port it will listen on (via PASV response), and the client initiates the data connection outbound. Since the client initiates both connections, both look like normal outbound traffic to the firewall and NAT — no incoming connections are required.
The root cause is that FTP was designed in the 1970s when the internet had end-to-end connectivity and no firewalls or NAT. Active mode assumes the server can reach the client directly — an assumption that breaks in any modern network with firewall protection. Passive mode works around this by making the client always be the initiator, which is compatible with the client-initiates-outbound-connections model that firewalls expect.