Fog Creek Software
Discussion Board




FTP mode (passive or not) for application?

Hi -

I am developing an FTP client application for my customer.

The FTP function will be resold to their own non-technical customers embedded in a commercial, mass marketed software package.

I would like to get a handle on the best "style" of FTP to support - passive or non-passive. I am not well acquainted with the RFCs because the FTP components I am using appear to be adequate. (OK, flog me for ignorance.)

The main manifestation of using non-passive FTP where it is not appropriate (i.e., a firewalled workstation) is that the FTP transfer freezes.  I realize that I could have the user make a choice, but I'd rather choose "for" the user and choose a value that is workable in the vast majority of environments. This appears to point toward selecting passive FTP as the default, but I am not aware of any problem with doing so.

The platform is as follows:

Customer-side:
Windows - 98, 2K, XP
Delphi 7+Indy 9 components

Server-side: FreeBSD (as a hosted virtual account) running Pure-Ftpd.

Users will upload as well as download files.

Thanks for any input on problems with making passive FTP a default choice given this target environment.

Bored Bystander
Thursday, September 11, 2003

Passive is the "safe" way to do things. Most FTP server configurations will allow Passive FTP. In some rare cases they don't. Keep in mind that you have more chance of having the client behind a firewall than of the server not allowing passive mode.

Pierre-Luc
Thursday, September 11, 2003

FTP is not really safe, but if you are planning to pipe it over SSL that's another story.

Anonymous
Thursday, September 11, 2003

There's some bizarre FUD among sysadmins that Passive FTP is "less secure" than Active, so I'd have to strongly suggest allowing both, default to one, and make your #1 troubleshooting FAQ be to try the other.

Philo

Philo
Thursday, September 11, 2003

Pierre-Luc: so you're saying that it's really the server's capabilities that are the ultimate constraint on selecting passive FTP? If so, this is good news, since passive FTP works fine with my Pureftpd configuration.

Bored Bystander
Thursday, September 11, 2003

Use both, it's almost no harder to implement and it covers all your bases.

FullNameRequired
Thursday, September 11, 2003

So if I allowed both, how would I select which to use for the customer at run-time?  And I do *not* want to rely on the user's judgement (this is a package for CPAs, not geeks.)

Bored Bystander
Thursday, September 11, 2003

More: the issue isn't that it's "hard" to provide a way to select it, it's that I don't know how to ensure that the user will get it right.

Bored Bystander
Thursday, September 11, 2003

I think the best you can do to be foolproof is turn on passive by default, and give them a mostly buried option to turn it off. Maybe lead them there via trouble-shooting ("Having problems sending files? Click here for more information"). For that matter, you might even be able to figure out if they're having problems, and try turning it off automatically.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, September 11, 2003

In our experience supporting CityDesk you MUST support both, and Passive is the best default.

Joel Spolsky
Thursday, September 11, 2003

Thanks, Brad, & Joel. I'll do that.

Bored Bystander
Thursday, September 11, 2003

Do you even have to make it a selectable option?  If the server doesn't support passive mode the PASV command will fail and then you default to Active.

Almost Anonymous
Thursday, September 11, 2003

I've found that devices in-between can sometimes cause PASV to fail. Believe it or not, the NAT at my ISP (before we got an exposed, static address) more or less horked on passive transfers, even though the FTP server supported it.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, September 11, 2003
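
One way a NAT device breaks passive mode is that the server's 227 reply advertises an address the client cannot reach. The sketch below is an added example, not code from this thread or from any FTP library: it parses the reply and always opens the data connection to the control connection's peer, which also stops a server from steering the client to a third host. The function names, verdict strings and sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: a 227 reply naming one of these to an outside client
# means the server is announcing its address from behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# h1,h2,h3,h4,p1,p2 as defined for the PASV reply in RFC 959.
PASV_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(reply):
    """Return (host, port) advertised in a 227 reply; raise ValueError otherwise."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = PASV_FIELDS.search(reply)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % reply)
    fields = [int(f) for f in match.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def _is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def choose_data_endpoint(reply, control_peer):
    """Pick where to open the data connection.

    control_peer is the IP address the control connection is actually
    connected to (assumption: the caller has already resolved it).
    Returns (host, port, verdict); host is always control_peer, the
    verdict records what the server advertised so it can be logged.
    """
    host, port = parse_pasv_reply(reply)
    advertised = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_peer)
    if advertised == peer:
        verdict = "match"
    elif _is_rfc1918(advertised) and not _is_rfc1918(peer):
        verdict = "private-address-leak"   # server behind NAT, unreachable as advertised
    else:
        verdict = "mismatch"               # reply points at a different host
    return str(peer), port, verdict
```

Logging the verdict alongside a transfer failure gives support staff a concrete reason for the failure instead of a bare timeout.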

SmartFTP has an option to deal with those NAT problems. Actually, I found it to be the most reliable and versatile ftp client so far - and it's free.

Did I mention it supports Secure FTP (ftps://), too?

Johnny Bravo
Thursday, September 11, 2003

The usual reason PASV or non-PASV ftp doesn't work is because a firewall or packet filter somewhere is dropping packets. This almost always means that the way ftp fails is to stare at you for about 60 seconds and then, maybe, if you're lucky, gracefully fail. You don't find out right away that PASV failed. So an automated "use-PASV-and-failback-to-normal" is, unfortunately, impossible.

Joel Spolsky
Thursday, September 11, 2003

Maybe don't use FTP at all?  CPAs, I would imagine, won't be using FTP as FTP.  If you just want to transfer files, do it yourself.

paraclese
Saturday, September 13, 2003

If you need download only (or if the uploads will be relatively small), consider just using HTTP GET and POST for the job.  Nearly all firewalls are going to let your traffic through without a problem there....

Gary Pupurs
Sunday, September 14, 2003
