FTP port

A file transfer protocol (FTP) port is the numbered gateway through which FTP traffic moves between client and server hosts during a file transfer. By default, port 21 carries the control channel, which delivers user credentials and commands. Port 20 carries data in traditional active mode, while passive mode shifts data to a high-numbered temporary port chosen by the server and reported to the client with the PASV reply.

Administrators can forward, remap or restrict FTP ports to meet their internal security requirements, and they may choose different port numbers or ranges for reasons such as improved security, the use of a reverse proxy server or traffic volume.

What is port 21 (FTP control channel)?

Port 21 is the default transmission control protocol (TCP) endpoint that initiates the FTP control channel. This control channel carries credentials and commands from the client, along with numeric status codes from the server. 

Port 21 also:

  • Accepts session commands such as USER, PASS, RETR, STOR and QUIT
  • Can be limited to known client networks to reduce scanning and brute-force attempts
  • Carries server replies with codes like 220 service ready or 331 password required
  • Coordinates TLS setup through the AUTH and PROT commands when FTPS is in use
  • Maintains keep-alive messages so long jobs, such as batch scripts, do not time out

Port 20 (data channel)

Port 20 is the default FTP data channel that’s used when a file transfer client selects active mode. After a RETR or STOR command, the server initiates an outbound TCP connection from port 20 to the client-specified port and then streams the file payload. Some applications still rely on this fixed mapping for batch jobs and legacy scripts, which makes explicit firewall rules essential. 

Port 20 also:

  • Is not used in passive mode, which shifts data to high-numbered temporary ports
  • Opens only after the control channel completes the command
  • Originates from the server toward the client address, so stateful firewalls on the server side must allow that outbound connection
  • Uses a reserved TCP port for active mode file transfer
  • Uses the same session for ASCII and binary transfers without multiplexing

How does passive FTP affect FTP ports?

Passive FTP reverses the file transfer data connection flow to simplify firewall traversal. After the client sends a PASV command, the server answers with an IP address and a high-numbered TCP port and waits for the client to open that socket.

Because both control and data streams now start from the client, outbound rules remain consistent across NAT devices. Administrators can also narrow the passive port range to cut exposure and sharpen intrusion alerts. 

Passive FTP:

  • Helps NAT devices avoid reverse path breaks
  • Is preferred by browsers and many automated scripts
  • Relies on high ports that can be restricted to a defined range
  • Secures both the command and data channels when TLS or SSL is enabled
  • Uses outbound client sessions, so DMZ firewalls don’t need inbound rules

How does active FTP use FTP ports?

Active FTP allows the client to choose the data port. After logging in on port 21, the client sends a PORT command that lists its IP and a high-numbered port on which to receive data. The server then opens a TCP session from its port 20 to the client address and sends the file.

Firewalls often block this type of connection, so administrators must set rules or helpers that tie the control and data streams together. IT teams still select active mode on closed networks to keep transfer ports predictable and to avoid exposing broad passive ranges on the server, but it’s not as common as passive mode.

Some factors to consider when using active FTP ports include:

  • Control channels will stay open for status updates
  • Stateful devices may need helpers to match both streams
  • The client firewall must allow inbound connection attempts
  • The server sends data from port 20 to the client’s high-numbered port

As a result, most users find that active FTP is best for scripted jobs inside trusted sites.

FTP port security

Because FTP predates modern defense models, exposed FTP ports frequently receive brute-force and enumeration attacks.

Hardening FTP ports often requires encryption, segregation and vigilant policies such as:

  • Deploying port-knock or adaptive filters to drop high-volume scans
  • Enabling account lockout after failed logins to curb credential stuffing
  • Forwarding connection and authentication logs to a SIEM for real-time correlation
  • Requiring TLS on port 21 with PROT P to encrypt commands and payloads
  • Restricting passive ports to a documented narrow block in the firewall policy

Your organization should consistently review these measures to keep FTP traffic aligned with security mandates and resistant to common network threats.
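The PASV reply described above, the PORT command used in active mode and the documented passive range from the hardening list all hinge on the same h1,h2,h3,h4,p1,p2 encoding, where the port is p1*256+p2. The following Python is an added example, not code from this page or from any FTP product: it decodes a 227 reply, flags a data port outside an assumed passive block (50000–50100 here, a constructed value) or a data address that differs from the control connection, and encodes a client socket as a PORT command.

```python
import ipaddress
import re

# Shared field format of the 227 PASV reply and the PORT command: h1,h2,h3,h4,p1,p2
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Assumed passive block configured on the server and mirrored in the firewall policy
# (constructed value for this example).
PASSIVE_RANGE = (50000, 50100)


def parse_host_port(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    match = _HOST_PORT.search(text)
    if not match:
        return None
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # high byte, low byte
    if port == 0:
        return None
    return ip, port


def parse_pasv_reply(reply, control_ip):
    """Interpret a 227 reply and return (ip, port, warnings).

    warnings is a list of policy findings a client or monitor should act on:
    a data port outside the documented passive block, or an advertised address
    that is not the server the control channel is talking to.
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: " + reply)
    parsed = parse_host_port(reply)
    if parsed is None:
        raise ValueError("malformed 227 reply: " + reply)
    ip, port = parsed
    warnings = []
    if ip != control_ip:
        warnings.append("data address differs from control address")
    if not PASSIVE_RANGE[0] <= port <= PASSIVE_RANGE[1]:
        warnings.append("data port outside documented passive range")
    return ip, port, warnings


def build_port_command(ip, port):
    """Active mode: encode the client's listening socket as a PORT command line."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # validates the address
    if not 1024 <= port <= 65535:
        raise ValueError("client data port must be an unprivileged port")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)
```

A client that sees a warning from parse_pasv_reply can refuse the data connection or fall back to the control address; a monitor can raise the same findings as an alert.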

FTP port FAQs

What are ports 20 and 21 for FTP?

Port 21 serves as the control channel for FTP. It is used by the client to connect to the server. The client also uses it to send login details and file commands. The server replies with status messages through the same port.

Port 20 is used only in active FTP mode. The client sends a PORT command to the server. The server then opens a TCP connection from its own port 20. It sends the file data to the client’s selected high port.

In passive mode, the server picks a random high port for data transfer. Port 20 is not used in this case. This split between control and data channels helps with firewall settings. It also lets administrators manage bandwidth for each path.

Is FTP port 21 TCP or UDP?

FTP port 21 uses TCP. The client opens a TCP connection to the server on this port, issues commands such as USER or STOR and keeps the link active until the transfer session ends. TCP’s ordered delivery and built-in recovery features maintain control traffic even when packets drop or arrive out of sequence.

User datagram protocol (UDP) is a separate transport protocol used by various other file transfer applications, which can be configured to use any of several ports.

Are ports 80 and 443 TCP or UDP?

Ports 80 and 443 use TCP for standard web traffic. Port 80 carries HTTP while port 443 carries HTTPS, relying on TCP’s handshake and sequence control to deliver pages and files without loss or reordering.

UDP is used on port 443 only when a server and client negotiate HTTP/3 with QUIC. Port 80 doesn’t have a common UDP service. Firewalls that allow web browsing should permit inbound TCP 80 and 443 to servers and outbound TCP from clients, and block unsolicited UDP unless the environment explicitly supports QUIC.
