Day 39: Active and passive modes of FTP

Source: Internet
Author: User
Tags: ftp, connection, ftp client, file transfer protocol

Small Q: these days the rich from the countryside move into the city to live in high-rises, while the rich from the city move out to the countryside to live in villas ....


================================ Introduction ========================================

FTP: File Transfer Protocol, 文件传输协议 in Chinese.


FTP supports two modes: standard mode (PORT mode, active mode) and passive mode (PASV).

Active FTP

How it works: the client connects from an arbitrary non-privileged port N (N > 1024) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the command "PORT N+1" (the PORT command actually carries the client's IP address and the port number) to the server over the command connection. The server then connects from its own data port, port 20, to the data port the client named (N+1). The "N+1" convention is only the traditional description; in practice the client may announce any free non-privileged port.


For a firewall in front of the FTP server, the following traffic must be allowed to support active FTP:

1. Any port greater than 1024 to the FTP server's port 21 (client-initiated command connection).

2. The FTP server's port 21 to ports greater than 1024 (the server replies to the client's command port).

3. The FTP server's port 20 to ports greater than 1024 (server-initiated data connection to the client's data port).

4. Ports greater than 1024 to the FTP server's port 20 (the client sends ACKs and data back on the server's data connection).

Passive FTP

To solve the problem of the server having to initiate a connection to the client, a different way of making FTP connections was developed. It is called passive mode, or PASV, and is enabled when the client tells the server that it is in passive mode.

In passive mode both the command connection and the data connection are initiated by the client, which removes the problem of the inbound data connection from the server to the client being filtered out by the client's firewall.

When an FTP connection is opened, the client opens two arbitrary non-privileged local ports (N > 1024 and N+1). The first connects to the server's port 21, but unlike active FTP the client does not send a PORT command and let the server connect back to its data port; instead it sends the PASV command. The server then opens an arbitrary non-privileged port (P > 1024) and tells the client which port in its reply, "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where the port is p1*256 + p2 (it is a reply, not a "PORT P" command). The client then connects from its local port N+1 to the server's port P and the data is transferred over that connection.


For a server-side firewall, the following traffic must be allowed to support passive FTP:

1. Any port greater than 1024 to the server's port 21 (client-initiated command connection).

2. The server's port 21 to any port greater than 1024 (the server replies to the client's command port).

3. Any port greater than 1024 to the server's ports greater than 1024 (client-initiated data connection to whichever port the server announced).

4. The server's ports greater than 1024 to remote ports greater than 1024 (the server sends ACKs and data to the client's data port).



=================================== Difference ======================================


                     Active mode                             Passive mode
Command connection   client >1024 port -> server port 21      client >1024 port -> server port 21
Data connection      client >1024 port <- server port 20      client >1024 port -> server >1024 port


Advantages and Disadvantages
Active FTP is convenient for the FTP server administrator but troublesome for the client side, because the server tries to open a connection to a random high port on the client, which a client-side firewall will very likely block.

Passive FTP is convenient for the client but troublesome for the FTP server administrator, because the client opens both connections to the server, one of them to a random high port, which a server-side firewall will very likely block.


Workaround:

Fortunately there is a compromise. Since FTP server administrators want their servers to accept as many clients as possible, passive FTP has to be supported. The exposure of the server's high ports can be reduced by configuring the FTP server to use only a limited range of passive ports (for example the pasv_min_port and pasv_max_port settings in vsftpd), so that the server's firewall blocks every port outside that range. This does not remove every threat to the server, but it greatly reduces the risk.
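The two exchanges described above (PORT in active mode, PASV and the 227 reply in passive mode) and the limited passive port range just recommended, worked through as an added example in Python that is not part of the original post. The server and client here are toy loopback code, not a real FTP implementation; the range 50000-50010, the addresses and the messages are assumptions for illustration. The server picks its data port only from the configured range (the equivalent of a pasv_min_port/pasv_max_port setting), and the client refuses a 227 reply that points at a host other than the server it is talking to or at a privileged port, since nothing in the protocol otherwise stops a misbehaving server from steering the data connection elsewhere.

```python
"""Toy FTP PORT/PASV exchange on loopback. Added example, not code from the
original post; the port range, addresses and messages are assumptions."""
import re
import socket
import threading

# Assumed server-side passive range, the equivalent of a limited pasv port
# setting: the firewall then only needs to allow 50000-50010 in to the server.
PASV_MIN, PASV_MAX = 50000, 50010


def encode_hostport(host, port):
    """h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (port = p1*256 + p2)."""
    return "%s,%d,%d" % (host.replace(".", ","), port >> 8, port & 0xFF)


def decode_hostport(text):
    """Extract (host, port) from a PORT command or a 227 reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]


def port_command(host, port):
    """Active mode: the client tells the server where to connect back to."""
    return "PORT %s\r\n" % encode_hostport(host, port)


def pasv_reply(host, port):
    """Passive mode: the server tells the client where to connect to."""
    return "227 Entering Passive Mode (%s)\r\n" % encode_hostport(host, port)


def parse_pasv_reply(reply, control_peer):
    """Client-side check on a 227 reply: only follow it to the host we are
    already talking to, and only to a non-privileged port."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    host, port = decode_hostport(reply)
    if host != control_peer:
        raise ValueError("227 names %s but control peer is %s" % (host, control_peer))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    return host, port


def accept_pasv(reply, control_peer):
    """True if parse_pasv_reply would follow this reply."""
    try:
        parse_pasv_reply(reply, control_peer)
        return True
    except ValueError:
        return False


def bind_in_range(lo, hi):
    """Server side: open the data listener only on a port inside the range."""
    for p in range(lo, hi + 1):
        s = socket.socket()
        try:
            s.bind(("127.0.0.1", p))
            s.listen(1)
            return s
        except OSError:
            s.close()
    raise RuntimeError("no free passive port in %d-%d" % (lo, hi))


def toy_server(ctrl, payload):
    """Serve one PASV transfer on the control listener (constructed toy server)."""
    conn, _ = ctrl.accept()
    f = conn.makefile("rwb")
    f.write(b"220 toy ftp\r\n"); f.flush()
    if f.readline().strip().upper() != b"PASV":
        f.write(b"500 only PASV here\r\n"); f.flush(); conn.close(); return
    data = bind_in_range(PASV_MIN, PASV_MAX)
    f.write(pasv_reply("127.0.0.1", data.getsockname()[1]).encode()); f.flush()
    d, _ = data.accept()              # the client dials in; the server never dials out
    d.sendall(payload); d.close(); data.close()
    f.write(b"226 Transfer complete\r\n"); f.flush(); conn.close()


def passive_transfer(payload=b"hello over the passive data channel\n"):
    """Run server and client on loopback and return the bytes the client got."""
    ctrl = socket.socket()
    ctrl.bind(("127.0.0.1", 0)); ctrl.listen(1)
    t = threading.Thread(target=toy_server, args=(ctrl, payload)); t.start()
    c = socket.create_connection(("127.0.0.1", ctrl.getsockname()[1]))
    cf = c.makefile("rwb")
    cf.readline()                     # 220 banner
    cf.write(b"PASV\r\n"); cf.flush()
    host, port = parse_pasv_reply(cf.readline().decode(), c.getpeername()[0])
    assert PASV_MIN <= port <= PASV_MAX   # what the server firewall rule would enforce
    d = socket.create_connection((host, port))   # second, client-initiated connection
    got = b"".join(iter(lambda: d.recv(4096), b""))
    d.close(); cf.readline()          # 226
    c.close(); t.join(); ctrl.close()
    return got


if __name__ == "__main__":
    print(port_command("192.0.2.10", 5001).strip())   # active mode, client side
    print(passive_transfer().decode(), end="")
```

Both the PORT command and the 227 reply carry the same h1,h2,h3,h4,p1,p2 encoding, which is why one encode/decode pair serves both modes; the only difference between the modes is which side listens and which side dials. In a real deployment the range in bind_in_range is what the server-side firewall rule 3 above is narrowed to.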



Detailed explanation of active mode: http://yuanbin.blog.51cto.com/363003/107672/





