FTP reply code 227 is the response to a PASV command, telling the client to connect to a specific IP and port for data transfers. The response format is 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) where h1-h4 is the IP address and the port is calculated as p1*256+p2. Passive mode is essential for FTP through firewalls and NAT because the client initiates the data connection outbound (to the server) rather than the server connecting back to the client (active mode). Most modern FTP clients use passive mode by default. If the IP in the 227 response is a private IP (10.x, 172.16-31.x, 192.168.x) and you are connecting over the internet, the server is behind NAT and may be misconfigured.
The client sent PASV to switch to passive mode. The server opened a listening port and responded with 227 containing the IP and port. The client should now connect to that IP:port to establish the data channel before issuing RETR, STOR, or LIST.
Passive mode is the default for most clients because active mode requires the server to connect back to the client, which fails if the client is behind a firewall or NAT. The client requests PASV to ensure data connections work through network restrictions.
The response format (h1,h2,h3,h4,p1,p2) encodes the IP and port. For example, (192,168,1,1,4,1) means IP 192.168.1.1, port 4*256+1 = 1025. If the IP is private but you are connecting from the internet, the server's passive mode configuration is wrong.
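The decoding and the private-address check described above, as an added example that is not part of the original page. The function names and the findings wording are assumptions made for illustration, and the sample reply is constructed from the page's own example tuple.

```python
import ipaddress
import re

# The private ranges the page lists: 10.x, 172.16-31.x, 192.168.x
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Six comma-separated numbers in parentheses, as in the format above.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_227(reply):
    """Return (IPv4Address, port) from a 227 reply line, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field outside 0-255: %r" % reply)
    h1, h2, h3, h4, p1, p2 = nums
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def check_227(reply, control_peer):
    """Compare the advertised data address with the control-connection peer.

    control_peer is the server IP the client dialled for the control channel.
    Returns (ip, port, findings); an empty findings list means nothing odd.
    """
    ip, port = parse_227(reply)
    peer = ipaddress.ip_address(control_peer)
    findings = []
    if is_rfc1918(ip) and not is_rfc1918(peer):
        findings.append("private address advertised to a non-private peer")
    if ip != peer:
        findings.append("advertised address differs from control peer")
    if port < 1024:
        findings.append("port below the usual passive range")
    return str(ip), port, findings


if __name__ == "__main__":
    # Constructed sample: the page's example tuple; the peer is a documentation address.
    print(check_227("227 Entering Passive Mode (192,168,1,1,4,1)", "203.0.113.10"))
```

An empty findings list means the advertised address matches the host used for the control connection; any finding is a reason to check the server's passive address setting or fall back to EPSV.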
If the IP in the 227 response is incorrect (common with NAT), try EPSV (Extended Passive Mode, returning code 229). EPSV only returns the port number, and the client connects to the same IP used for the control connection, avoiding the NAT IP problem.
curl -v ftp://ftp.example.com/    # curl tries EPSV before PASV by default; -v shows the 229 reply
Passive mode requires the server to open random high ports (typically 1024-65535, or a configured range). Ensure the firewall allows inbound connections on the server's passive port range.
If the server is behind NAT, it must be configured to report its public IP in PASV responses. In vsftpd, set pasv_address. In ProFTPD, use MasqueradeAddress. In FileZilla Server, set the external IP in passive mode settings.
The server is entering extended passive mode and has provided the port for the data connection.
The server is ready to transfer the file and is about to open the data connection.
The server could not establish the data connection needed for the file transfer.
The FTP command was understood and executed successfully.