Active and passive FTP MODE

Source: Internet
Author: User
Tags ftp commands ftp client
FTP active and passive working mode-Linux Enterprise Application-Linux server application information. The following is a detailed description. Article from:

What is PASV mode (passive mode transfer )? How does he work?

FTP connections generally have two connections: one is the client and the server transmission command, and the other is the data transmission connection. FTP service programs generally support two different modes: Port Mode and Pasv Mode ), let me first talk about the two different connection modes.

Assume that the client is C and the server is S.

Port mode:

After client C connects to server S, the Port mode is used, then client C will send a command to inform server S (client C opens a local port N waiting for you to connect to the data ), when the server S receives the Port command, it connects to the Port N opened by the client, which is generated.

Pasv mode:

After client C connects to server S, server S will send a message to client C. The message is (server S opens a local port M, So connect to me now ), after receiving this information, client C can connect to the M Port of server S. After the connection is successful, the data connection is established.

From the above explanation, we can see that the main difference between the two modes is that the data connection is established differently. For the Port mode, in Pasv mode, server S opens a port locally and waits for client C to establish a data connection.

Do I need to set the transfer mode to PASV mode?

If you connect to the INTERNET, for example, you need to set it to PASV mode for transmission.

There are two ip addresses on the route: Intranet ip address (your gateway address) and Internet IP address, all your computers in the LAN share the access to the INTERNET (through the gateway in the middle). Let's take a look at the detailed connection process so that you can

To learn more why PASV mode transmission is required:

When you download a video using a download tool or using a browser, you can connect to the FTP server, when the FTP service receives your connection request, it sends a Response Message to the customer and starts waiting for the user's authentication information,?> After the authentication is passed, start to establish a data connection. If you do not set it to pasv mode, then the customer segment (download tool) will open a data port on the local computer, then, send a "command" to the FTP service segment (you can connect to me now if I have opened port n). Then, the FTP server segment starts to connect to port N of your IP address, (but the connection fails) Because you are using the gateway (your routing device) the ftp service segment used to access the internet is actually connected to a route device whose internet address is The port opened in the download tool cannot be connected at all, for example, if you are using the client, the FTP service segment cannot be connected to your computer at this time. Therefore, you will see the error message from the server, if you are prompted that the port opened at cannot be connected, you need to set the transfer mode to PASV. If you are using PASV mode, after ftp authentication, the customer segment first sends a PASV command to the server. After receiving the command, the server Segment opens a port and tells the customer segment that "I have opened a port, now you can connect to the "customer segment (download tool) After receiving the information, connect to the port opened in the service segment to complete the data connection, all the data streams downloaded by ftp are transmitted through this port.

In addition, when using iptables for NAT, the two modules (ip_nat_ftp and ip_conntrack_ftp) should be loaded to connect to the ftp server normally. Otherwise, pasv cannot connect to the ftp server in passive mode.

Ftp mode and data port

There are two types of FTP: port ftp and pasv ftp. port ftp is a common form of FTP. The two types of FTP have the same operation when establishing a control connection. They are established by the client first with the control port of the FTP server (default value: 21, and use this link for transmission operation commands. The difference between them is that the data transmission port (ftp-data) is used. Port ftp specifies the PORT used for data transmission by the FTP server. The default value is 20. Pasv ftp is the data transmission port determined by the FTP client. Pasv ftp is mainly used to communicate with the server in the firewall environment (the data transmission port is included in the data transmission request sent from the client to the server ), it is more convenient to determine the data transmission port between the two.

Port_enable = YES | NO

If you want to cancel PORT mode during data connection, set this option to NO. The default value is YES.

Connetc_from_port_20 = YES | NO

Control whether PORT 20 (ftp-data) is used for data transmission in PORT mode ). YES, NO. The default value is NO, but this parameter is set to YES in the vsftpd. conf file that comes with RHL.

Ftp_data_port = port number

Set the ftp-data value. The default value is 20. This parameter is used in port ftp mode.

Port_promiscuous = YES | NO

The default value is NO. If YES, cancel the PORT security check. This check ensures that the outgoing data can only be connected to the client. Enable this option with caution.

Pasv_enable = YES | NO

YES. PASV mode is used for data transmission. NO. PASV mode is not allowed. The default value is YES.

Pasv_min_port = port number
Pasv_max_port = port number

In PASV mode, the lower and upper bounds of the port range can be used for data transmission. 0 indicates any value. The default value is 0. Setting the port range in a relatively high range, such as 50000-60000 will help improve security.

Pasv_promiscuous = YES | NO

When this option is activated, security checks in PASV mode are disabled. This check ensures that the data connection and control connection come from the same IP address. Enable this option with caution. The only rational use of this option is that it exists in an organization consisting of a security tunnel solution. The default value is NO.

Pasv_address =

This option is a digital IP address and serves as a response to the PASV command. The default value is none, that is, the address is obtained from the incoming connection socket (incoming connectd socket.

Therefore, if the fire protection field is enabled in linux, the corresponding port must be opened, for example:

-A RH-Firewall-1-INPUT-m state? State NEW-p tcp-m tcp? Dport 30000: 31000? Syn-j ACCEPT 4. Firewall Configuration

#! /Bin/bash

# Ip. sh

Echo "1">/proc/sys/net/ipv4/ip_forward

Modprobe ip_conntrack_ftp

Modprobe ip_nat_ftp




Iptables-t nat-F

Iptables-t nat-X

Iptables-t nat-Z




Iptables-t filter-a forward-p tcp-s Dport 21-j ACCEPT

Iptables-t filter-a forward-p tcp-s Sport 21-j ACCEPT

Iptables-t filter-a forward-p tcp-s Dport 30000: 310000-j ACCEPT

Iptables-t filter-a forward-p tcp-s Sport 3000: 4000-j ACCEPT

Iptables-t filter-a forward-p tcp-m state? State RELATED, ESTABLISHED-j ACCEPT

Iptables-t filter-a forward-p icmp? Icmp-type 8-j ACCEPT

Iptables-t filter-a forward-p icmp? Icmp-type 0-j ACCEPT

5. Verification:

# In xp, ftp commands are used for connection in active mode. graphical interfaces can be used for software. The default mode is passive.

# Netstat-an | grep 172

VsFTP configuration solution in Linux


1. VsFTPd Overview

Ii. Enterprise Linux vsFTPD Solution

Iii. VsFTPD configuration files

I. Brief Introduction to VsFTPd:

VSFTP (Very Secure FTP Daemon, a Very Secure FTP Server ). As the name suggests, the starting point of VSFTPD design is security. At the same time, with the continuous upgrade of the version, VSFTPD has made great progress in performance and stability. In addition to excellent security and performance, there are also good usability. Red Hat uses vsFTPd on its FTP Server ( ).

Ii. Practical vsFTPD solution in Enterprise Linux


1. User: netseek_com; FTP: (, I have configured the relevant DNS)

2. Prohibit anonymous login and prohibit users from leaving the user directory.

3. Use 5021 as the Command Channel port and 5020 as the Data Channel port (you can change it to the port you want to set, for example)

4. The range of ports allowed to be used in passive mode is 10010 ~ 10020.

5. the user bandwidth is set to 300 KPS, the user space is limited to M, and a buffer of 10 MB is allowed within the grace period.

The procedure is as follows:

To fully describe the entire installation process, I configured it on my other host (netseek), bound to the IP address of the server, and configured the relevant DNS resolution, for more information, see "Linux all-around web Server Setup ".

1. Configure Related Services

Start the service:

[Root @ netseek root] # rpm? Qa | grep vsftpd; check whether the vsftpd service is installed

#/Etc/init. d/vsftpd start; start the service

# Chkconfig vsftpd on; Enable system services as the system starts

Configuration documents:

# Vi/etc/vsftpd. conf

Prohibit anonymous user access:

Anonymous_enable = YES, change YES to NO

Add the following settings at the end of the file:

# New added by netseek

Listen_port = 5021; Command Channel port; default value: 21

Listen_data_port = 5020; Data Channel port; default value: 20

Pasv_enable = YES; allow Passive Mode

Pasv_min_port = 10000; port range used in passive mode

Pasvanderbilt max_port = 10010

Local_max_rate = 200000; user bandwidth limit

Chroot_local_user = YES; disable the user to exit the main directory

Listen_address =; let him listen to ip Address:

Note: Do not add ";" and these Chinese notes during the adding process. I will add them here for your convenience.

2. Add a VM user

Add the user netseek_com and specify the user directory as/var/www/ the user cannot log on to the system.

# Mkdir/var/www/

# Useradd? S/sbin/nologin? D/var/www/ netseek_com

Note that-s/sbin/nologin makes it unable to log on to the system.-d specifies the user directory as/var/www/

# Passwd netseek_com (Do not Hack me 3ks) DnHm3ks this is the password I set

# Chown? R netseek_com: netseek_com/var/www/

Note: Set all and groups of User Directories and Their subdirectories to netseek_com.

3. Configure the disk quota

During installation, I have multiple partitions on the disk, including/home,/var,/,/www, tmp, swap, And/boot. We recommend that you split the disk into multiple independent partitions to reduce the risk of data loss caused by disk partition corruption.

# [Root @ netseek root] # rpm-qa | grep quota

Quota-3.06-9; my system has installed the disk quota Tool

# Vi/etc/fstab

Find similar

LABEL =/var ext3 defaults 1 2

After ults, add usrquota as follows:

LABEL =/var ext3 defaults, usrquota 1 2

Reload the/var partition:

# Mount? O remount/var

# Cd/var enter this directory

# Touch quota. user

# Chmod 600 quota. user

# Quotacheck? Mf/var forcibly checks disk partition space usage

[Root @ localhost var] # quotacheck-mf/var

Quotacheck: WARNING? Quotafile/var/quota. user was probably truncated. Can't save quota settings...

Restart the system

This warning will appear during the first running, but it won't happen again.

Specify the user quota:

# Edquota netseek_com sets the disk quota for the user netseek_com.

Disk quotas for user netseek_com (uid 501 ):

Filesystem blocks soft hard inodes soft hard

/Dev/sda5 6616 307200 0 15 0 0


Ilesystem blocks soft hard inodes soft hard

Filesystem-the file system being set. Do not modify or delete it.

Bolock-currently used disk space, in KB

Soft (first)-limited disk space. The default value is 0, which indicates no limit. Here I set it to 300 MB.

Hard (first)-hard quota limit. 0 indicates no limit.

Inodes-current file count

Soft (second)-soft limit on the number of files. 0 indicates no limit

Hard (second)-hard limit on the number of files. 0 indicates no limit.

Enable automatic loading for the system:

# Vi/etc/rc. d/rc. local, add the following:

/Etc/init. d/vsftpd start


/Sbin/quotaon? Avu

View the disk space used by netseek_com users.

[Root @ localhost ~] # Quota-u netseek_com

Disk quotas for user netseek_com (uid 501 ):

Filesystem blocks quota limit grace files quota limit grace

/Dev/sda5 6616 307200 0 15 0 0

Note: For more quota commands, run the man command to check them. VBird says we want to learn how to find men!

4. effect demonstration:

Iv. VsFTPd-related configuration details

1. Anonymous user settings

Anonymous_enable = YES, change YES to NO, disable anonymous user login

# Non_mkdir_write_enable = YES, remove the # annotation, and allow anonymous users to create directories.

# Non_upload_enalbe = YES, remove #, allow anonymous users to upload

Anon_world_readable_only = YES. Anonymous Users are allowed to download data. By default, this parameter is disabled. You can add this parameter on your own.

Anon_other_write_enable = YES. If you set it to YES, in addition to uploading and creating directories, you can also Rename and delete files. The default value is NO.

Set no_anon_password = NO to YES. Anonymous users do not query user passwords and log on directly.

Ftp_username = ftp. The default account for anonymous users to log on to the system is ftp. Do not change this option. Otherwise, improper configuration will threaten the system security.

2. Specify the FTP service port

Listen_port = 8021. Specify the Command Channel as 8021. The default value is 21.

Listen_data_port = 8020. Set the data channel to 8020. The default value is 20.

3. Set the upload Mode

Pasv_enable = YES. whether to allow passive mode. The default value is allowed.

Pasv_min_port = 10000, which specifies the minimum value of the port opened when passive mode is used.

Pasv_max_port = 10004, which specifies the maximum value of the port opened when passive mode is used.

4. Vsftp Server IP Address

Listen_address =, specifying FTP and IP address

Note: The specified IP address is allowed only when vsftp runs in standalone mode. if the vsfpd file has been created under the d directory, you must set the disable in the file to yes.

5. Lock the user and prevent the user from leaving the user's home directory.

Chroot_local_user = YES, set it to YES, it will be locked in the user's main directory, set to NO, you can switch

Set the specified user to lock the user's main directory:

# Chroot_list_enable = YES

# Chroot_list_file =/etc/vsftpd. chroot_list

Change it to the following:

Chroot_list_enable = NO

Chroot_list_file =/etc/vsftpd. chroot_list

Save the above and perform the following operations:

# Touch/etc/vsftpd. chroot_list

# Vi/etc/vsftpd. chroot_list: Add a user name list to the file, for example:


6. FTP server traffic control

Max_clients = 100; Maximum number of connections allowed, defined as 100. The default value is 0, and there is no limit on the table.

Max_per_ip = 5; Number of connections allowed by each IP address. Table 0 has no limit and must run in independent mode.

Anon_max_rate = 50000; maximum bandwidth of anonymous users, in bps

Local_max_rate = 200000; maximum bandwidth of the System user

How can I limit the traffic of a specified user?

# Vi/etc/vsftpd. conf, add one line:

User_config_dir =/etc/vsftpd/userconf

# Touch/etc/vsftpd/userconf/netseek_com: the user netseek_com creates a netseek_com file.

# Vi/etc/vsftpd/userconf/netseek_com Add the following content

Local_max_rate = 100000

Save and restart the service.

7. Customize welcome information

Directory description settings

# Vi/etc/vsftpd. conf

# Dirmessage_enable = YES, remove the previous.

Then we customize a. message, write what you want to write, and copy the file to the Home Directory of each user.

System Welcome Message settings

Ftpd_banner = Welcome to, Yeah !!!

System Welcome Message File Settings

Banner_file =/etc/vsftpd/welcome is similar to ftpd_banner. The difference is that banner_file specifies the welcome File

This article from the CSDN blog, reproduced please indicate the source:
Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.