Active mode (PORT) and passive mode (PASV) in FTP

Source: Internet
Author: User
Tags: ftp commands, ftp client

  Opening remarks

One of the most common points of confusion when troubleshooting firewalls and other network connectivity problems is the difference between active FTP and passive FTP and how to support both properly. This article aims to clear up some of that confusion about how FTP behaves in a firewalled environment.

This article may not be the authoritative explanation its title claims, but I have received a lot of good feedback on it and have seen it cited in many places, so many people evidently find it useful. I am always looking for ways to improve it, so if you find anything unclear, please let me know. The latest revision adds examples of the commands exchanged in active and passive FTP sessions; these should help clarify the problem and also serve as a good illustration of how an FTP session proceeds. Now, on to the question...

  Basics

FTP is a TCP-only service; it does not use UDP. What makes FTP unusual is that it uses two ports: a data port and a command port (also called the control port). Conventionally these are port 21 for commands and port 20 for data. The confusion starts when we discover that the data port is not always 20; which port is used depends on the mode the FTP session is operating in.

  Active FTP

Active FTP works like this: the client connects from an arbitrary unprivileged port N (N > 1023) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the FTP command "PORT N+1" to the server. The server then connects from its own data port, port 20, to the data port (N+1) the client specified.

A firewall in front of the FTP server must allow the following traffic to support active FTP:

FTP server's port 21 from any port above 1023 (the client initiates the control connection, S <- C)

FTP server's port 21 to ports above 1023 (the server responds to the client's control port, S -> C)

FTP server's port 20 to ports above 1023 (the server initiates the data connection to the client's data port, S -> C)

FTP server's port 20 from ports above 1023 (the client sends ACKs to the server's data port, S <- C)

The connection process looks like this:


In step 1, the client's command port contacts the FTP server's command port and sends the command PORT N+1, naming the port the client is now listening on. In step 2, the FTP server sends an ACK back to the client's command port. In step 3, the FTP server initiates a connection from its own data port (20) to the data port the client specified earlier. Finally, in step 4, the client sends an ACK back to the server.

The main problem with active FTP is on the client side. The FTP client does not actually establish the connection to the server's data port; it simply tells the server which port it is listening on, and the server connects back to that port on the client. From the perspective of the client-side firewall, this is a connection initiated by an external system to an internal client, which is usually blocked.

  Example of active FTP

The following is an example of an active FTP session. Naturally, the server names, IP addresses, and user name have been changed. In this example, the FTP session is started from testbox1.slacksite.com (192.168.150.80), a Linux workstation running the standard FTP command-line client, to testbox2.slacksite.com (192.168.150.90), a Linux workstation running ProFTPd 1.2.2RC2. The debugging (-d) option is used so that the FTP client displays the details of the connection process. The lines beginning with "--->" are the debugging output showing the actual FTP commands sent to the server; the lines beginning with a three-digit code are the server's responses.

Look carefully at this conversation and you will notice a few interesting things. When the PORT command is issued, it specifies a port on the client (192.168.150.80), not on the server. With passive FTP we will see the opposite. Now look at the format of the PORT command. As the example shows, its argument is a sequence of six numbers separated by commas. The first four are the IP address; the last two encode the port number used for the data connection: multiply the fifth number by 256 and add the sixth to get the actual port. In the example below, the port is (14 * 256) + 178 = 3762. We can use netstat to verify this port information.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 slacker  users  104 Jul 27 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.
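The PORT arithmetic described above and the four-step active-mode exchange, as an added Python example that is not part of the original article and not code from ProFTPd or the ftp client shown: encode_port and decode_port implement the six-number PORT format, and run_active_session plays both sides of a toy active-mode session on the loopback interface, with the server connecting back to the port the client announced. The server-side check that the PORT host equals the address the control connection came from, the sample listing line, and every name and reply text here are the example's own assumptions; the toy server understands only PORT, LIST and QUIT and uses an ephemeral source port rather than port 20.

```python
import socket
import threading
from typing import Optional, Tuple

def encode_port(host: str, port: int) -> str:
    """Build a PORT argument h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])

def decode_port(arg: str, control_peer: Optional[str] = None) -> Tuple[str, int]:
    """Parse a PORT argument into (host, port). With control_peer set, the host
    must be the address the control connection came from: a server that skips
    this check can be told to open its data connection to any third party."""
    parts = arg.replace(" ", "").split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    host, port = ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])
    if control_peer is not None and host != control_peer:
        raise ValueError(f"PORT host {host} is not the control peer {control_peer}")
    return host, port

def port_accepted(arg: str, control_peer: str) -> bool:
    """True if a server applying the peer check would accept this PORT."""
    try:
        return decode_port(arg, control_peer) is not None
    except ValueError:
        return False

LISTING = b"drwx------   3 slacker  users  104 Jul 27 public_html\r\n"  # constructed sample

def _toy_server(ctrl_listener: socket.socket, transcript: list) -> None:
    """Minimal active-mode server that understands only PORT, LIST and QUIT."""
    ctrl, peer = ctrl_listener.accept()
    ctrl.sendall(b"220 toy FTP server ready\r\n")
    data_target = None
    for raw in ctrl.makefile("rb"):
        line = raw.decode().rstrip("\r\n")
        transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            try:
                data_target = decode_port(arg, control_peer=peer[0])
                reply = "200 PORT command successful."
            except ValueError as exc:
                reply = "501 " + str(exc)
        elif verb == "LIST" and data_target is not None:
            ctrl.sendall(b"150 Opening ASCII mode data connection for file list.\r\n")
            # Step 3: in active mode the SERVER opens the data connection. A real
            # server binds its source port to 20 (needs root); this toy does not.
            with socket.create_connection(data_target) as data:
                data.sendall(LISTING)
            reply = "226 Transfer complete."
        elif verb == "QUIT":
            reply = "221 Goodbye."
        else:
            reply = "503 Bad sequence of commands."
        ctrl.sendall((reply + "\r\n").encode())
        transcript.append("S: " + reply)
        if verb == "QUIT":
            break
    ctrl.close()

def run_active_session() -> dict:
    """Drive one active-mode exchange over loopback and return both sides'
    messages plus the listing received on the data port the client opened."""
    transcript: list = []
    ctrl_listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=_toy_server, args=(ctrl_listener, transcript), daemon=True).start()
    data_listener = socket.create_server(("127.0.0.1", 0))  # client's data port, N+1 in the text
    data_port = data_listener.getsockname()[1]
    ctrl = socket.create_connection(ctrl_listener.getsockname())
    ctrl_in = ctrl.makefile("rb")

    def reply() -> str:
        return ctrl_in.readline().decode().rstrip("\r\n")

    def send(cmd: str) -> None:
        ctrl.sendall((cmd + "\r\n").encode())

    reply()  # 220 banner
    send("PORT " + encode_port("127.0.0.1", data_port))  # step 1
    port_reply = reply()  # step 2: 200
    send("LIST")
    reply()  # 150: the server is about to connect back (step 3)
    data, _ = data_listener.accept()
    received = b"".join(iter(lambda: data.recv(4096), b""))  # read to EOF
    data.close()  # step 4: the client finishes the data connection
    final_reply = reply()  # 226
    send("QUIT")
    reply()  # 221
    for s in (ctrl, data_listener, ctrl_listener):
        s.close()
    return {"data_port": data_port, "port_reply": port_reply, "final_reply": final_reply,
            "listing": received.decode(), "transcript": transcript}

if __name__ == "__main__":
    print("\n".join(run_active_session()["transcript"]))
```

Running the file prints the control-channel transcript. The listing arrives over a TCP connection the client never initiated, which is exactly what a client-side firewall objects to in active mode; the peer check in decode_port is the server-side counterpart, refusing to open a data connection to any host other than the one that issued the command.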
