How to switch passive and active FTP modes in wget

FTP downloads often fail only after login succeeds, which makes the problem look like a bad file path when the real break sits in the data channel. Switching wget between passive and active mode is the quickest way to prove whether the transfer issue belongs to the server policy, a firewall, or the client network path.

By default wget uses passive FTP, where the client opens the data socket after the server announces a passive endpoint. The --no-passive-ftp option flips the session into active mode so the server connects back to the client, and the same policy can be stored as passive_ftp = off in /$HOME/.wgetrc/.

Passive mode is safer on NATed and firewalled clients, so keep the mode change on the command line until repeated tests prove one server path needs something else. Use debug output to confirm whether the session is negotiating PASV or EPSV in passive mode and PORT or EPRT in active mode before making the change permanent.

Steps to switch passive and active FTP modes in wget:

Confirm that the current wget build exposes the FTP mode switch before testing a real server.

$ wget --help | grep -n 'passive-ftp'
154:       --no-passive-ftp            disable the "passive" transfer mode

Run one small transfer with the default passive behavior and capture only the data-channel markers.

$ wget --debug ftp://ftp.partner-sync.example.net/pub/mode-check.txt -O mode-check-passive.txt 2>&1 | grep -E 'PASV|EPSV|Length:|saved'
--> PASV
Length: 1480 (1.4K) (unauthoritative)
2026-03-29 01:36:36 (827 KB/s) - 'mode-check-passive.txt' saved [1480]

Passive mode is the default, so look for PASV or EPSV before changing anything. Related: How to download files over FTP with wget

Re-run the same file with active mode enabled and compare the negotiation verb.

$ wget --debug --no-passive-ftp ftp://ftp.partner-sync.example.net/pub/mode-check.txt -O mode-check-active.txt 2>&1 | grep -E 'PORT|EPRT|Length:|saved'
--> PORT 198,51,100,42,154,139
Length: 1480 (1.4K) (unauthoritative)
2026-03-29 01:36:36 (30.9 MB/s) - 'mode-check-active.txt' saved [1480]

Active mode requires the server to reach the client on the callback socket, so blocked inbound rules often surface here as a hang or a failed transfer after login succeeds.

Keep the working mode on the command line while only one server path needs the override.
```
$ wget --no-passive-ftp ftp://ftp.partner-sync.example.net/pub/nightly-ledger-2026-03-29.tar.gz
```
Per-command flags are safer than a persistent startup-file change when the rest of the account should stay on the passive default.
Persist the mode in the user startup file only when repeated tests show the same requirement for that account.
```
~/.wgetrc
# Use on for passive mode and off for active mode.
passive_ftp = off
```
Set the value back to on to restore the normal passive default later. Related: How to configure default options in ~/.wgetrc
Verify the final policy from one more debug run before reusing it in scripts.
```
$ wget --debug ftp://ftp.partner-sync.example.net/pub/mode-check.txt -O ftp-verify.txt 2>&1 | grep -E 'PASV|EPSV|PORT|EPRT'
--> PASV
```
EPSV or PASV confirms passive mode, while EPRT or PORT confirms active mode. Related: How to debug wget connections

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.