File Transfer Protocol (FTP) is a traditional network protocol whose main function is to transfer files between a server and a client. FTP uses TCP for the connection between server and client; once the connection is established, users can use a client program to connect to the server, download and upload files, and manage their own files on the server directly. FTP is a TCP-only service and does not use UDP. What sets FTP apart from most services is that it uses two ports: a data port and a command port (also called the control port). Conventionally these are port 21 (command port) and port 20 (data port). However, depending on the mode FTP operates in, the data port is not always 20. This is the key difference between active and passive FTP.
(i) Active FTP
Active mode FTP works like this: the client connects from an arbitrary unprivileged port N (N > 1024) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the command "PORT N+1" to the FTP server. The server then connects from its own data port (20) to the data port the client specified (N+1). For a firewall in front of the FTP server, the following traffic must be allowed to support active FTP:
1. Any port greater than 1024 to the FTP server's port 21 (client-initiated connection)
2. The FTP server's port 21 to ports greater than 1024 (server responds to the client's control port)
3. The FTP server's port 20 to ports greater than 1024 (server initiates the data connection to the client's data port)
4. Ports greater than 1024 to the FTP server's port 20 (client sends ACK responses to the server's data port)
(ii) Passive FTP
To solve the problem of the server having to initiate a connection to the client, a different way of making the FTP connection was developed. This is called passive mode, or PASV, after the command the client sends to tell the server it is in passive mode. In passive mode FTP, both the command connection and the data connection are initiated by the client, which solves the problem of the server's inbound data connection to the client being filtered by a firewall.
When an FTP connection is opened, the client opens two arbitrary unprivileged local ports (N > 1024 and N+1). The first port connects to the server's port 21, but unlike active FTP the client does not send a PORT command that lets the server connect back to its data port; instead it sends the PASV command. As a result, the server opens an arbitrary unprivileged port (P > 1024) and sends port P to the client. The client then initiates a connection from its local port N+1 to port P on the server to transfer the data.
For the server-side firewall, the following traffic must be allowed to support passive FTP:
1. From any port greater than 1024 to the server's port 21 (client-initiated connection)
2. The server's port 21 to any port greater than 1024 (the server responds to the client's control port connection)
3. From any port greater than 1024 to any port greater than 1024 on the server (the client initiates the data connection to the port specified by the server)
4. The server's ports greater than 1024 to remote ports greater than 1024 (the server sends ACK responses and data to the client's data port)
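The PORT/PASV exchange and the two firewall rule sets described above, as an added example that is not part of the original article: it decodes the client's PORT command and the server's 227 reply into an address and port, lists the four traffic items of each mode exactly as given above, checks them against the server-side rule sets, and models a typical stateful client-side firewall (an assumption, not something the article states) that only lets the client open new connections. The function names, the addresses, ports and protocol lines are all constructed for this example.

```python
"""Added example: it is not code from the original article. It decodes the PORT
command and the 227 PASV reply, lists the four traffic items of each mode as the
article gives them, and checks them against the server-side rule sets from the
article plus a simple stateful client-side firewall (an assumed model). All
addresses, ports and protocol lines below are constructed sample values."""
import re
from dataclasses import dataclass

# FTP writes an address/port pair as h1,h2,h3,h4,p1,p2 where port = p1*256 + p2
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups):
    nums = [int(g) for g in groups]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT/PASV field must be in 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port_command(line):
    """Active mode: the client's 'PORT h1,h2,h3,h4,p1,p2' tells the server where to connect."""
    m = _PORT_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.groups())


def parse_pasv_reply(line):
    """Passive mode: the server's '227 ... (h1,h2,h3,h4,p1,p2)' tells the client where to connect."""
    m = _PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.groups())


@dataclass(frozen=True)
class Flow:
    """Traffic between the two sides; new=True marks a connection attempt (SYN),
    new=False marks reply traffic on a connection that already exists."""
    src: str       # "client" or "server"
    sport: int
    dst: str
    dport: int
    new: bool


def active_mode_flows(n):
    """The four traffic items the article lists for active FTP, client port n > 1024."""
    return [
        Flow("client", n, "server", 21, True),        # 1. client opens the control connection
        Flow("server", 21, "client", n, False),       # 2. server replies on the control connection
        Flow("server", 20, "client", n + 1, True),    # 3. server opens the data connection
        Flow("client", n + 1, "server", 20, False),   # 4. client ACKs on the data connection
    ]


def passive_mode_flows(n, p):
    """The four traffic items for passive FTP: client port n > 1024, server-chosen p > 1024."""
    return [
        Flow("client", n, "server", 21, True),        # 1. client opens the control connection
        Flow("server", 21, "client", n, False),       # 2. server replies on the control connection
        Flow("client", n + 1, "server", p, True),     # 3. client opens the data connection
        Flow("server", p, "client", n + 1, False),    # 4. server sends ACKs and data back
    ]


def _unpriv(port):
    return port > 1024


def server_firewall_allows(flow, mode):
    """The server-side rule set the article gives for 'active' or 'passive' mode."""
    c2s = flow.src == "client" and flow.dst == "server"
    s2c = flow.src == "server" and flow.dst == "client"
    if mode == "active":
        return ((c2s and _unpriv(flow.sport) and flow.dport == 21)
                or (s2c and flow.sport == 21 and _unpriv(flow.dport))
                or (s2c and flow.sport == 20 and _unpriv(flow.dport))
                or (c2s and _unpriv(flow.sport) and flow.dport == 20))
    if mode == "passive":
        return ((c2s and _unpriv(flow.sport) and flow.dport == 21)
                or (s2c and flow.sport == 21 and _unpriv(flow.dport))
                or (c2s and _unpriv(flow.sport) and _unpriv(flow.dport))
                or (s2c and _unpriv(flow.sport) and _unpriv(flow.dport)))
    raise ValueError(f"unknown mode: {mode}")


def client_firewall_allows(flow):
    """Assumed stateful client-side firewall: it admits reply traffic on existing
    connections but only lets the client open new ones. This is what blocks the
    active-mode data connection (item 3) and what passive mode avoids."""
    return (not flow.new) or flow.src == "client"


if __name__ == "__main__":
    host, p = parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,4,1)")  # constructed
    print("passive data port on server:", host, p)
    for f in active_mode_flows(1025):
        print("active ", f, "client fw:", client_firewall_allows(f))
    for f in passive_mode_flows(1025, p):
        print("passive", f, "client fw:", client_firewall_allows(f))
```

Running the block shows the point of the two sections: every item of each mode passes its own server-side rule set, but the active-mode data connection (server port 20 opening a connection to the client's port N+1) is the one item a client-side firewall that only admits client-initiated connections rejects, and it is also the one item that the passive rule set would not allow, since port 20 is not an unprivileged port.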
One: A simple analysis of the vsftpd main configuration file:
[root@lyt ~]# mkdir /mnt/cdrom
[root@lyt ~]# mount /dev/cdrom /mnt/cdrom/
[root@lyt ~]# cd /mnt/cdrom/server/
[root@lyt server]# rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
[root@lyt server]# service vsftpd start
[root@lyt server]# chkconfig vsftpd on
1: Anonymous users and local users:
[root@lyt server]# vim /etc/vsftpd/vsftpd.conf