FTP passive mode firewall issues
Why FTP PASV fails behind firewalls/NAT and how to configure passive ports correctly.
FTP uses separate control + data channels. Passive mode requires a range of server ports to be open.
Many “can login but cannot list” failures are passive-mode port issues.
Symptoms
- Auth succeeds but LIST hangs or times out
- Data connection errors after PASV response
- Works on LAN but fails from outside network
Fix checklist
- Configure a fixed passive port range on the server.
- Open that passive range in the firewall/security group.
- Ensure the server advertises the correct public IP in PASV responses (NAT).
- If possible, prefer SFTP to avoid FTP data-channel complexity.
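The checks above can be applied to a captured 227 reply. The following Python sketch is an added example, not code from this page or its diagnostic tool. It decodes the advertised address and port and compares them with the control-connection address and the opened passive range. The function names, the sample replies and the 50000-50100 range are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so documentation addresses count as public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The h1,h2,h3,h4,p1,p2 tuple carried in a 227 reply (RFC 959).
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return the (ip, port) a '227 Entering Passive Mode' reply advertises."""
    match = PASV_RE.search(reply)
    if not reply.startswith("227") or not match:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(x) for x in match.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, control_ip, port_range):
    """List the problems one PASV reply reveals.

    control_ip: address the client used for the control connection.
    port_range: (low, high) passive range opened in the firewall.
    """
    ip, port = parse_pasv(reply)
    low, high = port_range
    problems = []
    if is_rfc1918(ip) and not is_rfc1918(control_ip):
        problems.append("private address %s advertised to an outside client" % ip)
    elif ip != control_ip:
        problems.append("advertised %s, control connection is to %s" % (ip, control_ip))
    if not low <= port <= high:
        problems.append("port %d outside opened range %d-%d" % (port, low, high))
    return problems


if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 is a documentation address.
    for reply in ("227 Entering Passive Mode (203,0,113,10,195,80)",
                  "227 Entering Passive Mode (192,168,1,20,195,80)",
                  "227 Entering Passive Mode (203,0,113,10,4,1)"):
        print(reply, "->", check_pasv(reply, "203.0.113.10", (50000, 50100)) or "ok")
```

A private address in the reply is reported only when the client reached the server on a public address, which matches the "works on LAN but fails from outside network" symptom.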
Quick tests
lftp -e 'set ftp:passive-mode true; ls; quit' -u user,pass <host>
Related
- FTP data connection failed — Why FTP data connections fail and how to troubleshoot passive and active data channel issues.
- FTP directory listing timeout — Why FTP directory listings hang or timeout and how to resolve passive mode firewall problems.
- FTP passive mode not working — Why FTP passive mode fails and how to configure passive ports and NAT correctly.
- FTP EPSV error — Understanding FTP EPSV errors and how to resolve extended passive mode problems.
- FTP timeout during transfer — Why FTP transfers timeout and how to fix idle timeout or firewall issues.
- FTP transfer stalls — Why FTP transfers stall mid-transfer and how to troubleshoot data channel issues.