Active FTP
Active FTP works like this: the client connects from an arbitrary non-privileged port n (n > 1024) to the command port of the FTP server, port 21. The client then starts listening on port n + 1 and sends the FTP command "PORT n + 1" to the server. The server then connects from its own data port (20) to the data port (n + 1) specified by the client.
For a firewall in front of the FTP server, the following communication must be allowed to support active FTP:
1. From any port to port 21 of the FTP server (client-initiated connection, S <- C)
2. From port 21 of the FTP server to client ports greater than 1024 (the server responds to the client's control port, S -> C)
3. From port 20 of the FTP server to client ports greater than 1024 (the server's data port initiates the data connection to the client, S -> C)
4. From client ports greater than 1024 to port 20 of the FTP server (the client sends ACKs to the server's data port, S <- C)
The main problem with active FTP is on the client side. The FTP client does not actually establish the data connection to the server; it simply tells the server which port it is listening on, and the server connects back to that port on the client. From the point of view of the client's firewall, this is an external system establishing a connection to an internal client, which is usually blocked.
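The following is an added example, not code from the original article: it models the active-mode exchange (the client's PORT command and the server decoding it) and evaluates each leg of the session against the four server-side firewall rules listed above, then shows the one leg that a typical client-side firewall blocks. The addresses, port numbers, the empty CLIENT_INBOUND_ALLOWED policy and all function names are constructed for illustration.

```python
# Added example (not from the original article): model of active-mode FTP and of
# the four server-side firewall rules above. Hosts, ports and names are constructed.
import ipaddress
import random

FTP_CMD_PORT = 21
FTP_DATA_PORT = 20

# Constructed client-side policy: a typical client firewall publishes no inbound
# ports at all, which is exactly what breaks active FTP.
CLIENT_INBOUND_ALLOWED = frozenset()


def port_command(client_ip, data_port):
    """Client side: build 'PORT h1,h2,h3,h4,p1,p2' for the port it listens on.
    The port is carried as two bytes: p1 = port // 256, p2 = port % 256."""
    if not 1024 < data_port <= 65535:
        raise ValueError("client data port must be a non-privileged port")
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), data_port // 256, data_port % 256)


def parse_port_command(line):
    """Server side: decode the PORT argument back into (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def active_firewall_allows(direction, src_port, dst_port):
    """The four server-side rules from the list above.
    direction: 'in' = client -> server, 'out' = server -> client."""
    if direction == "in":
        # rule 1: any port -> server 21; rule 4: client > 1024 -> server 20
        return dst_port == FTP_CMD_PORT or (dst_port == FTP_DATA_PORT and src_port > 1024)
    if direction == "out":
        # rule 2: server 21 -> client > 1024; rule 3: server 20 -> client > 1024
        return src_port in (FTP_CMD_PORT, FTP_DATA_PORT) and dst_port > 1024
    raise ValueError("direction must be 'in' or 'out'")


def client_firewall_allows_inbound(dst_port):
    """Client-side firewall: only explicitly published ports accept inbound connections."""
    return dst_port in CLIENT_INBOUND_ALLOWED


def active_session(client_ip="192.0.2.10", n=None):
    """Walk the four legs of an active session through the server firewall and the
    server's data connection (20 -> n+1) through the client firewall."""
    if n is None:
        n = random.randint(1025, 65000)
    cmd = port_command(client_ip, n + 1)
    ip, data_port = parse_port_command(cmd)  # what the server learns from the client
    server_side = {
        "client control connect (n -> 21)": active_firewall_allows("in", n, FTP_CMD_PORT),
        "server control reply (21 -> n)": active_firewall_allows("out", FTP_CMD_PORT, n),
        "server data connect (20 -> n+1)": active_firewall_allows("out", FTP_DATA_PORT, data_port),
        "client data ack (n+1 -> 20)": active_firewall_allows("in", data_port, FTP_DATA_PORT),
    }
    return {
        "port_command": cmd,
        "announced": (ip, data_port),
        "server_firewall": server_side,
        "client_firewall_allows_data": client_firewall_allows_inbound(data_port),
    }


if __name__ == "__main__":
    result = active_session(n=5000)
    print(result["port_command"])
    for leg, ok in result["server_firewall"].items():
        print("%-36s %s" % (leg, "allowed" if ok else "BLOCKED"))
    print("client firewall lets server connect to n+1:", result["client_firewall_allows_data"])
```

All four legs pass the server-side rule set, while the server's connection to n + 1 fails the client-side policy; that single blocked leg is the reason passive mode exists.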
Firewall setting example
Build an FTP server behind the firewall and use active FTP (PORT FTP) mode: default FTP port 21 and FTP data port 20.
Execute the following two lines of commands; only ports 21 and 20 are allowed, and all other TCP connections are rejected.
iptables -A INPUT -p tcp -m multiport --dport 21,20 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
FTP software settings
Take vsftpd as an example. Modify /etc/vsftpd.conf
and add the following two lines:
listen_port=21
ftp_data_port=20
If set incorrectly
In this example, you must not select passive mode in the connection mode of the FTP client (such as CuteFTP); otherwise the data connection cannot be established. That is, the user can connect to the FTP server, but commands such as LS and GET fail.
Passive FTP
To solve the problem of the server initiating a connection to the client, a different FTP connection method was developed. This is the so-called passive mode, or PASV, which is used only when the client tells the server that it wants passive mode.
In passive FTP mode, both the command connection and the data connection are initiated by the client, so a firewall can filter out inbound connections from the server to the client's data port. When an FTP connection is opened, the client opens two arbitrary non-privileged local ports (n > 1024 and n + 1). The first port connects to port 21 of the server, but unlike active FTP, the client does not send the PORT command and let the server connect back to its data port; instead it sends the PASV command. The result is that the server opens an arbitrary non-privileged port (p > 1024) and sends "port p" back to the client. The client then initiates a connection from local port n + 1 to port p on the server to transmit data.
For the server-side firewall, the following communication must be allowed to support passive FTP:
1. From any port to port 21 of the server (client-initiated connection, S <- C)
2. From port 21 of the server to client ports greater than 1024 (the server responds to the client's control port, S -> C)
3. From any port to server ports greater than 1024 (inbound; the client initiates the data connection to the port the server specified, S <- C)
4. From server ports greater than 1024 to remote ports greater than 1024 (outbound; the server sends ACKs and data to the client's data port, S -> C)
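The following is an added example, not code from the original article: it models the passive-mode exchange (the server's 227 reply announcing port p, the client decoding it) and evaluates each leg against the four server-side rules above, with rule 3 narrowed to the 9981-9986 range the article's vsftpd example uses. It also includes a client-side check that the address in the 227 reply matches the server the control connection already talks to, which is how a careful client avoids being sent to a different host for its data connection. The addresses, the sample port numbers and all function names are constructed for illustration.

```python
# Added example (not from the original article): model of passive-mode FTP and of
# the four server-side firewall rules above. Hosts, ports and names are constructed;
# the pasv range 9981-9986 is the one the article's vsftpd example configures.
import random
import re

FTP_CMD_PORT = 21
PASV_MIN, PASV_MAX = 9981, 9986

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' -- same encoding as PORT
_PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_reply(server_ip, data_port):
    """Server side: the 227 reply that tells the client which port p to connect to."""
    if not PASV_MIN <= data_port <= PASV_MAX:
        raise ValueError("data port outside the configured pasv range")
    fields = server_ip.split(".") + [str(data_port // 256), str(data_port % 256)]
    return "227 Entering Passive Mode (%s)." % ",".join(fields)


def parse_pasv_reply(line):
    """Client side: decode the 227 reply into (ip, port), port = p1 * 256 + p2."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    f = [int(x) for x in m.groups()]
    if any(not 0 <= v <= 255 for v in f):
        raise ValueError("malformed address in PASV reply")
    return ".".join(str(v) for v in f[:4]), f[4] * 256 + f[5]


def client_accepts_pasv(control_peer_ip, line):
    """Client-side check: only open the data connection to the host the control
    connection is already talking to, and only to a non-privileged port."""
    ip, port = parse_pasv_reply(line)
    return ip == control_peer_ip and port > 1024


def passive_firewall_allows(direction, src_port, dst_port):
    """Rules 1-4 above; rule 3 is narrowed to the pasv range as the iptables example does.
    direction: 'in' = client -> server, 'out' = server -> client."""
    if direction == "in":
        # rule 1: any port -> server 21; rule 3: any port -> server pasv range
        return dst_port == FTP_CMD_PORT or PASV_MIN <= dst_port <= PASV_MAX
    if direction == "out":
        # rule 2: server 21 -> client > 1024; rule 4: server > 1024 -> client > 1024
        return (src_port == FTP_CMD_PORT or src_port > 1024) and dst_port > 1024
    raise ValueError("direction must be 'in' or 'out'")


def passive_session(server_ip="198.51.100.5", n=None, p=None):
    """Walk the four legs of a passive session through the server firewall."""
    if n is None:
        n = random.randint(1025, 65000)
    if p is None:
        p = random.randint(PASV_MIN, PASV_MAX)
    reply = pasv_reply(server_ip, p)
    ip, port = parse_pasv_reply(reply)  # what the client learns from the server
    legs = {
        "client control connect (n -> 21)": passive_firewall_allows("in", n, FTP_CMD_PORT),
        "server control reply (21 -> n)": passive_firewall_allows("out", FTP_CMD_PORT, n),
        "client data connect (n+1 -> p)": passive_firewall_allows("in", n + 1, port),
        "server data reply (p -> n+1)": passive_firewall_allows("out", port, n + 1),
    }
    return {
        "reply": reply,
        "announced": (ip, port),
        "server_firewall": legs,
        "client_accepts": client_accepts_pasv(server_ip, reply),
    }


if __name__ == "__main__":
    result = passive_session(n=5000, p=9985)
    print(result["reply"])
    for leg, ok in result["server_firewall"].items():
        print("%-36s %s" % (leg, "allowed" if ok else "BLOCKED"))
    print("client accepts announced address:", result["client_accepts"])
```

Every leg is now either an inbound connection to a port the server firewall explicitly opens or an outbound reply, which is why no inbound rule is needed on the client side; a server that announces a port outside its configured range (here, anything outside 9981-9986) is rejected by the inbound rule, which is the failure mode the matching vsftpd and iptables settings below are meant to avoid.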
Firewall setting example
Build an FTP server behind the firewall and use passive FTP (PASV) mode: FTP port 21 and FTP data ports from 9981 to 9986.
Execute the following two lines of commands; only port 21 and ports 9981-9990 are allowed, and all other TCP connections are rejected.
iptables -A INPUT -p tcp -m multiport --dport 21,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
FTP software settings
Take vsftpd as an example. Modify /etc/vsftpd.conf
and add the following four lines:
listen_port=21
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986
If set incorrectly
In this example, you must select passive mode in the connection mode of the FTP client (such as CuteFTP); otherwise the data connection cannot be established. That is, the user can connect to the FTP server, but commands such as LS and GET fail.
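Both examples above depend on the vsftpd settings and the iptables rules agreeing with each other. The following added check, which is not part of the original article, parses a vsftpd.conf fragment and a list of iptables INPUT rules, derives the inbound ports the server actually needs (21 plus either the data port 20 in active mode or the pasv range in passive mode), and reports what the firewall is missing or opens in surplus. The configuration strings and rule lines are the article's two examples, embedded inline; the parsers handle only the directives and rule shapes used there, and the function names are constructed.

```python
# Added example (not from the original article): consistency check between a
# vsftpd.conf fragment and iptables INPUT rules. Inputs are the article's two
# examples, embedded here as constructed strings; names are constructed.
import re

VSFTPD_ACTIVE = """listen_port=21
ftp_data_port=20
"""
VSFTPD_PASSIVE = """listen_port=21
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986
"""
IPTABLES_ACTIVE = [
    "iptables -A INPUT -p tcp -m multiport --dport 21,20 -j ACCEPT",
    "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset",
]
IPTABLES_PASSIVE = [
    "iptables -A INPUT -p tcp -m multiport --dport 21,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT",
    "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset",
]

# multiport accepts single ports and lo:hi ranges, comma separated
_DPORT_RE = re.compile(r"--dports?\s+([\d,:]+)")


def parse_vsftpd(text):
    """Minimal key=value parser for the vsftpd directives used in the article."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def required_inbound_ports(conf):
    """Inbound TCP ports the server must accept, derived from the vsftpd settings."""
    ports = {int(conf.get("listen_port", 21))}
    if conf.get("pasv_enable", "NO").upper() == "YES":
        lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        if lo > hi:
            raise ValueError("pasv_min_port exceeds pasv_max_port")
        ports.update(range(lo, hi + 1))          # client data connections arrive here
    else:
        ports.add(int(conf.get("ftp_data_port", 20)))  # client ACKs arrive at port 20
    return ports


def accepted_inbound_ports(rules):
    """Destination ports accepted by INPUT rules that use multiport --dport(s)."""
    ports = set()
    for rule in rules:
        if "INPUT" not in rule or "-j ACCEPT" not in rule:
            continue
        m = _DPORT_RE.search(rule)
        if not m:
            continue
        for item in m.group(1).split(","):
            if ":" in item:
                lo, hi = item.split(":")
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(item))
    return ports


def check(conf_text, rules):
    """Ports vsftpd needs but the firewall blocks, and ports opened but never used."""
    need = required_inbound_ports(parse_vsftpd(conf_text))
    allow = accepted_inbound_ports(rules)
    return {"missing": sorted(need - allow), "surplus": sorted(allow - need)}


if __name__ == "__main__":
    print("active :", check(VSFTPD_ACTIVE, IPTABLES_ACTIVE))
    print("passive:", check(VSFTPD_PASSIVE, IPTABLES_PASSIVE))
```

For the active example the two agree exactly. For the passive example the firewall opens 9987-9990, which vsftpd never binds; those extra ports only answer with a reset, but a firewall range that is narrower than pasv_min_port to pasv_max_port would show up under "missing" and produce precisely the symptom described above, a successful login followed by failing LS and GET.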