FTP Ports Explained: Port 21, 20, Passive Range, SFTP & FTPS
If you have ever configured a file transfer client, opened a firewall rule, or debugged a connection that authenticates but then hangs forever on a directory listing, you have run into the world of FTP ports. FTP looks simple on the surface, but it is one of the few protocols that uses two separate connections to do its job, and that design is the root of most confusion and most connectivity failures.
This guide explains exactly which ports FTP and its secure relatives use, why active mode and passive mode behave so differently, and how SFTP and FTPS fit into the picture. By the end, you will know precisely what to open on a firewall and which protocol to prefer.
Key Takeaways
• The FTP control channel always runs on port 21 — this is the connection your client connects to.
• FTP uses a separate data connection for file transfers and listings, and that is where ports get complicated.
• Active mode uses port 20 and has the server connect back to the client; it breaks behind NAT and firewalls.
• Passive mode uses a range of high ports the server opens; it is firewall-friendly and the modern default.
• SFTP uses port 22 (over SSH) and FTPS uses port 990 (implicit) or port 21 with AUTH TLS (explicit).
• For security, always prefer SFTP or FTPS — plain FTP is unencrypted.
What ports does FTP actually use?
The classic File Transfer Protocol (FTP) is unusual because it does not move data over a single port. It splits the work into two channels:
- A control channel (also called the command channel), which carries your login, commands, and server responses.
- A data channel, which carries the actual file contents and directory listings.
The control channel is predictable. The data channel is the part that depends on whether you are using active or passive mode. Here is the full picture for FTP and its secure variants.
| Protocol / Channel | Port | Role |
|---|---|---|
| FTP control (command) | 21 | The connection your client connects to; carries commands and responses |
| FTP active-mode data | 20 | Data channel in active mode; server connects back to the client |
| FTP passive-mode data | High port range (e.g. 49152–65535) | Data channel in passive mode; server opens a port from a configured range |
| SFTP (SSH File Transfer) | 22 | Secure transfer over SSH; single port for commands and data |
| FTPS implicit (FTP over TLS) | 990 | TLS encryption negotiated immediately on connect |
| FTPS explicit (FTP over TLS) | 21 | Plain FTP port; upgrades to TLS via the AUTH TLS command |
The single most important takeaway from this table: port 21 is constant, but the data port is not. Understanding that split is the key to everything else.
Why does FTP use two ports instead of one?
When you connect to an FTP server, your client opens a connection to port 21. That control channel stays open for the whole session and carries text commands like `USER`, `PASS`, `LIST`, and `RETR`, along with the server’s numeric responses.
But the actual file data — the contents of a download, an upload, or a directory listing — travels over a second, separate connection. This is a design decision from FTP’s earliest days, and it is why a session can log in perfectly (control channel works) yet stall the moment you try to list files (data channel is blocked).
The crucial question is: who opens the data connection, and on which port? The answer is determined by whether the session runs in active or passive mode.
What is the difference between active and passive FTP?
This is the heart of nearly every FTP connectivity problem, so it is worth being precise.
Active mode (the server connects back)
In active mode, the client tells the server which port it is listening on, and the server initiates the data connection back to the client — traditionally from port 20.
The problem: most clients today sit behind a router, NAT, or firewall. When the server tries to connect back to the client, that inbound connection is usually blocked or has nowhere to route to. Active mode therefore breaks behind NAT and firewalls, which describes almost every home and office network. Active mode is largely a legacy of an era when clients had public IP addresses and few firewalls.
Passive mode (the client opens both connections)
In passive mode, the roles flip. The client asks the server to listen, the server opens a port from a configured high-port range and announces it, and the client initiates the data connection to that port.
Because the client opens *both* connections (control and data) as outbound traffic, passive mode is firewall-friendly and works cleanly through NAT. This is why passive mode is the modern default in virtually every FTP client and library.
The #1 source of FTP confusion is the data port, not the control port. Control is always 21 — that part rarely fails. What differs is the data connection. In active mode the *server* connects back to the client (port 20), which breaks behind NAT and firewalls. In passive mode the server opens a port from a high range and the *client* connects to it, which is firewall-friendly. So when you see the classic symptom — FTP logs in successfully but the directory listing hangs and then times out — it is almost never a credentials or port-21 problem. It is almost always a passive-range or firewall issue: the high data ports the server needs are not open or not reachable. Switch the client to passive mode and ensure the server’s passive range is allowed through the firewall, and the hang disappears.
What is the passive port range and why must it be open?
In passive mode, the server does not use one fixed data port — it picks one from a configured range of high ports (often something like 49152–65535, though administrators set the exact range). For passive FTP to work end to end, two things must be true:
- The firewall in front of the server must allow inbound connections to that entire passive range, not just port 21.
- If the server is behind NAT, it must be configured to announce its public IP so clients connect to the right address.
This is why opening only port 21 is a common and frustrating mistake. The control channel comes up, login succeeds, and then every data operation stalls because the passive range is closed. The passive range must be open for transfers and listings to complete.
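To make the two failure modes above concrete, here is an added example (mine, not code from the article) that decodes a server's passive-mode reply the way a client does and flags the two things the text says must be true: the announced address matches the host you actually connected to, and the data port falls inside the range the firewall allows. The replies, the control-peer address and the helper names are constructed for the example; `port_command` shows the active-mode counterpart, where the client sends its own (possibly private) address for the server to dial back.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample control-channel replies (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")

@dataclass
class DataEndpoint:
    host: str                 # address the client must dial for the data channel
    port: int
    problems: list = field(default_factory=list)

def parse_pasv(reply: str) -> DataEndpoint:
    """227 reply: four address octets, then the port encoded as p1*256 + p2."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in PASV reply")
    return DataEndpoint(".".join(map(str, n[:4])), n[4] * 256 + n[5])

def parse_epsv(reply: str, control_host: str) -> DataEndpoint:
    """229 reply carries only the port; the host is implicitly the control peer."""
    m = _EPSV_RE.search(reply)
    if not reply.startswith("229") or m is None:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return DataEndpoint(control_host, int(m.group(1)))

def check_endpoint(ep, control_host, passive_range=(49152, 65535)):
    """Flag the two passive-mode failure modes the text describes."""
    lo, hi = passive_range
    announced = ipaddress.ip_address(ep.host)
    peer = ipaddress.ip_address(control_host)
    if announced != peer and announced.is_private:
        ep.problems.append(f"announced {ep.host} but control peer is {control_host}: "
                           "server behind NAT is not advertising its public IP")
    if not lo <= ep.port <= hi:
        ep.problems.append(f"data port {ep.port} outside passive range {lo}-{hi}: "
                           "firewall rule for the range will not match")
    return ep

def port_command(client_ip: str, port: int) -> str:
    """Active mode instead: the client tells the server where to connect back to."""
    return "PORT " + ",".join(client_ip.split(".") + [str(port // 256), str(port % 256)])
```

Many clients work around the first finding by ignoring the announced address and reusing the control-connection host; the second finding can only be fixed on the server or firewall side.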
How are SFTP and FTPS different from FTP?
Plain FTP — whether active or passive — sends your credentials and data unencrypted. For any real-world use, you should prefer a secure protocol. There are two, and they are easy to confuse despite working very differently.
SFTP — port 22
SFTP (SSH File Transfer Protocol) is not FTP at all. It is a completely different protocol that runs over SSH on port 22. Because it tunnels everything through a single SSH connection, SFTP uses one port for both commands and data — there is no separate data channel and no passive range to worry about. That single-port design makes SFTP dramatically simpler to firewall, and it is encrypted by default. For most modern hosting and server access, SFTP is the cleanest secure choice.
FTPS — port 990 or port 21
FTPS (FTP over SSL/TLS) is genuine FTP with a TLS encryption layer added. It comes in two flavors:
- Implicit FTPS negotiates TLS immediately on connection, traditionally over port 990.
- Explicit FTPS starts as a normal FTP connection on port 21, then issues an `AUTH TLS` command to upgrade the session to encryption.
FTPS keeps FTP’s two-connection model, so it still relies on a passive port range for data, just like plain FTP. That makes it more firewall-sensitive than SFTP, though it remains a solid, widely supported secure option.
Why do FTP ports matter for firewalls and developers?
Ports matter because firewall configuration is where FTP succeeds or fails. Knowing the model tells you exactly what to allow:
- For plain or explicit FTP/FTPS: open port 21 *and* the passive data range.
- For implicit FTPS: open port 990 *and* the passive range.
- For SFTP: open just port 22 — clean and simple.
A note for developers
If you build software that transfers files — for example using a client library, a command-line tool, or .NET’s `FtpWebRequest` class — the same rules apply under the hood. Such clients connect on port 21 for the control channel and then negotiate a data port for the transfer. By default many libraries use active mode, which fails behind NAT. The fix is almost always the same: enable passive mode. In `FtpWebRequest`, for instance, that means setting the request to use passive behavior so the client opens the data connection outbound rather than waiting for the server to connect back. If your code authenticates but hangs on listing or downloading, switch to passive mode first — it resolves the overwhelming majority of these cases. Where security matters, prefer an SFTP or FTPS library over plain FTP.
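The same rules, shown as an added example with Python's standard `ftplib` rather than .NET (this is my code, not the article's or any library's recommended snippet): passive mode switched on, a socket timeout so a blocked passive range fails fast instead of hanging forever, and explicit FTPS on port 21 via `AUTH TLS` followed by `PROT P` so the data channel is encrypted as well as the commands. `build_client` and `list_directory` are names I chose; host and credentials are whatever your server uses.

```python
import ssl
from ftplib import FTP, FTP_TLS

def build_client(scheme: str, timeout: float = 30.0) -> FTP:
    """Unconnected client set up the way the text recommends.

    "ftp"  -> plain FTP on port 21, passive mode, no encryption.
    "ftps" -> explicit FTPS: plaintext connect on 21, then AUTH TLS (ftplib's FTP_TLS).
    Implicit FTPS on 990 is deliberately not covered: FTP_TLS reads a plaintext
    greeting before upgrading, so a TLS-from-the-first-byte socket needs other handling.
    """
    if scheme == "ftps":
        client = FTP_TLS(context=ssl.create_default_context(), timeout=timeout)
    elif scheme == "ftp":
        client = FTP(timeout=timeout)
    else:
        raise ValueError(f"unsupported scheme {scheme!r}")
    client.set_pasv(True)  # client dials the data port outbound: the NAT-safe choice
    return client

def list_directory(client: FTP, host: str, user: str, password: str,
                   path: str = ".", port: int = 21) -> list:
    """Control channel on `port`, then a passive data channel for the listing.
    The timeout given to build_client also applies to the data socket, so a
    closed passive range surfaces as a timeout error rather than a silent hang."""
    client.connect(host, port)
    client.login(user, password)  # FTP_TLS issues AUTH TLS first, so credentials go encrypted
    if isinstance(client, FTP_TLS):
        client.prot_p()  # PBSZ 0 / PROT P: protect the data channel too, not only commands
    try:
        return client.nlst(path)  # stalls here, not at login, when the passive range is blocked
    finally:
        client.quit()
```

SFTP is a different protocol and is not handled by `ftplib`; an SSH library such as paramiko is needed for port 22.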
Hosting with FTP, SFTP & FTPS configured correctly — DarazHost
Most FTP headaches come down to ports that were never opened correctly. DarazHost hosting plans ship with file transfer access set up the right way out of the box: the control channel and passive data range are open, and secure SFTP is available so your transfers just work without manual firewall wrangling. You get reliable hosting built for everyday file management, plus 24/7 support that can walk you through FTP, SFTP, or FTPS setup whenever you need it — whether you are uploading a website, deploying assets, or wiring up an automated transfer script. If you want file transfers that connect on the first try, DarazHost makes the port configuration our problem, not yours.
How do I fix an FTP connection that hangs on listing?
Because this is the most common FTP problem, here is the short troubleshooting path:
- Switch your client to passive mode. This alone fixes most hangs behind NAT or a firewall.
- Confirm the passive range is open on the server’s firewall, not just port 21.
- Check the server announces its correct public IP if it sits behind NAT.
- Prefer SFTP (port 22) when you can — its single-port design sidesteps passive-range issues entirely.
Frequently asked questions
What is the default FTP port? The default FTP control port is 21. This is the port your client connects to for commands and authentication. The data connection uses a separate port — port 20 in active mode, or a port from a configured high range in passive mode.
What port does SFTP use, and is it the same as FTP? SFTP uses port 22. It is *not* the same as FTP — SFTP is a different protocol that runs over SSH, encrypts everything by default, and uses a single port for both commands and data. FTP and FTPS, by contrast, use port 21 plus a separate data channel.
What is the difference between FTPS and SFTP? FTPS is traditional FTP with a TLS encryption layer, using port 990 (implicit) or port 21 with AUTH TLS (explicit), and it still needs a passive data range. SFTP runs over SSH on port 22 with a single connection. Both are secure; SFTP is generally simpler to firewall.
Why does my FTP connection log in but then time out on the file list? This classic symptom is almost always a passive-mode or firewall issue with the data port, not a problem with port 21. Switch your client to passive mode and make sure the server’s passive port range is open through the firewall.
Should I use active or passive FTP mode? Use passive mode in almost all cases. The client opens both connections outbound, which works through NAT and firewalls. Active mode requires the server to connect back to your client, which most modern networks block.