Active FTP vs Passive FTP authoritative explanation


Contents

  • Opening Remarks
  • Basic
  • Active FTP
  • Example of active FTP
  • Passive FTP
  • Example of Passive FTP
  • Summary
  • References
  • Appendix 1: Configure common FTP servers

Opening Remarks

One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully this article will help clear up some of the confusion over how to support FTP in a firewalled environment.

This article may not be as authoritative as its title claims, but I have received a lot of good feedback, I have seen it cited in many places, and many people consider it useful. I am always looking for ways to improve it, though: if you find a point that is not clear enough, please let me know! The latest addition is a pair of example command sessions, one active and one passive. These sessions should help you understand the issue better, and they also serve as a good example of how an FTP session proceeds. Now, on to the question at hand...

Basic

FTP is a TCP-only service; it does not use UDP. What makes it unusual is that it uses two ports, a data port and a command port (also called the control port). Traditionally these are port 21 for commands and port 20 for data. The confusion begins, however, when we find that, depending on the mode FTP is working in, the data port is not always port 20.

Active FTP

Active FTP works like this: the client connects from an arbitrary non-privileged port N (N > 1024) to the FTP server's command port, port 21. The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the server. The server then connects from its own data port, port 20, to the data port the client specified (N+1).

A firewall in front of the FTP server must allow the following traffic to support active FTP:

  • FTP server port 21 from any port (client-initiated connection, S <- C)
  • FTP server port 21 to ports greater than 1023 (the server responds to the client's control port, S -> C)
  • FTP server port 20 to ports greater than 1023 (the server's data port initiates the data connection to the client, S -> C)
  • FTP server port 20 from ports greater than 1023 (the client sends ACKs to the server's data port, S <- C)

The connection process works as follows:

In step 1, the client's command port establishes a connection to the server's command port and sends the command PORT 1027. In step 2, the server returns an ACK to the client's command port. In step 3, the server initiates a connection from its own data port (20) to the data port the client specified earlier (1027). Finally, in step 4, the client returns an ACK to the server.

The main problem with active FTP lies on the client side. The FTP client does not actually open a connection to the server's data port; it simply tells the server which port it is listening on, and the server connects back to that port on the client. From the point of view of a firewall on the client side, this is a connection initiated by an external system to an internal client, and it is usually blocked.

Example of active FTP

Below is an actual example of an active FTP session. Of course, the server names, IP addresses and user names have been changed. In this example the FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a Linux workstation running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a Linux workstation running ProFTPD 1.2.2rc2. The debugging (-d) option is used with the FTP client to show the connection process in detail. The red text is the debugging output, which shows the actual FTP commands sent to the server and the responses they generate; the server's output is shown in black, in bold.

There are a few interesting things to notice in this session. We can see that when the PORT command is issued, it specifies a port on the client (192.168.150.80) rather than on the server. We will see the opposite behaviour when we look at passive FTP. Also note the format of the PORT command. As you can see in the example below, it is a sequence of six numbers separated by commas. The first four are the IP address, and the last two encode the port to be used for the data connection: multiply the fifth number by 256 and add the sixth number to obtain the actual port number. In the example below the port number is (14 * 256) + 178 = 3762. We could verify the port information with netstat.
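As an added example (my code, not part of the original article), the following Python decodes and encodes the h1,h2,h3,h4,p1,p2 form used by the PORT command above and by the 227 reply to PASV shown in the passive session later on this page. The function names are my own; the sample strings are the values that appear in the two sessions.

```python
import re

# Decode/encode the six-number host/port argument of FTP's PORT command, which
# also appears in the 227 reply to PASV (RFC 959): h1,h2,h3,h4,p1,p2.
# The port is p1 * 256 + p2. Added example, not code from the article.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT argument or from a whole 227 reply line.

    Accepts the bare argument ("192,168,150,80,14,178") as well as a full
    reply ("227 Entering Passive Mode (192,168,150,90,195,149)."), since the
    six numbers are the only part of the reply the specification fixes.
    """
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 sequence in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("each field must fit in one byte: %r" % nums)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def encode_hostport(ip, port):
    """Build the PORT argument for an IPv4 address and a TCP port number."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ",".join(str(n) for n in octets + [port // 256, port % 256])


if __name__ == "__main__":
    # Inputs taken from the two sessions shown in this article.
    print(decode_hostport("192,168,150,80,14,178"))                                # ('192.168.150.80', 3762)
    print(decode_hostport("227 Entering Passive Mode (192,168,150,90,195,149)."))  # ('192.168.150.90', 50069)
    print(encode_hostport("192.168.150.80", 3762))                                 # 192,168,150,80,14,178
```

The range checks matter in practice: a PORT argument with a field above 255 or with fewer than six numbers is malformed and should be rejected rather than silently turned into some other address.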

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 slacker   users   104 Jul 27 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

Passive FTP

To resolve the problem of the server initiating the connection to the client, a different method of FTP connection was developed. This is known as passive mode, or PASV, after the command the client uses to tell the server it is in passive mode.

In passive mode FTP, both the command connection and the data connection are initiated by the client, which solves the problem of an inbound connection from the server to the client being filtered by a firewall. When opening an FTP connection, the client opens two arbitrary non-privileged local ports (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client issues the PASV command. The result is that the server opens an arbitrary non-privileged port (P > 1024) and sends PORT P back to the client. The client then initiates the connection from its local port N+1 to port P on the server to transfer the data.

A firewall on the server side must allow the following traffic to support passive FTP:

  • FTP server port 21 from any port (client-initiated connection, S <- C)
  • FTP server port 21 to ports greater than 1023 (the server responds to the client's control port, S -> C)
  • FTP server ports greater than 1023 from any port (inbound; the client initiates the data connection to the port specified by the server, S <- C)
  • FTP server ports greater than 1023 to remote ports greater than 1023 (outbound; the server sends ACKs and data to the client's data port, S -> C)

The passive FTP connection process works as follows:

In step 1, the client's command port establishes a connection to the server's command port and sends the command PASV. In step 2, the server replies with PORT 2024, telling the client which port (on the server) it is listening on for the data connection. In step 3, the client initiates the data connection from its own data port to the data port the server specified. Finally, in step 4, the server returns an ACK to the client's data port.

While passive FTP solves many problems on the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow connections from any remote host to the high ports of the server. Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify the range of ports the FTP server will use. See Appendix 1 for more information.

The second issue is that some clients support passive mode and some do not; you have to consider how to support these clients and what alternatives to offer them. For example, the FTP command line tool shipped with Solaris does not support passive mode, so a third-party FTP client such as ncftp is needed.

With the popularity of the WWW, many people have got used to using a web browser as their FTP client. Most browsers only support passive mode when accessing an ftp:// URL. Whether this is good or bad depends on how the server and the firewall are configured.
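To make the direction of the data connection concrete, here is an added example (mine, not ProFTPD or the ftp(1) client from this article): a minimal stub FTP server and client that run the active (PORT) and passive (PASV) exchanges described above over localhost and record both sides' messages. Assumptions: everything runs on 127.0.0.1; the server's active-mode data connection leaves from an ephemeral port rather than port 20, since binding port 20 needs root; only USER, PORT, PASV, LIST and QUIT are understood; the directory listing is a constructed string.

```python
import socket
import threading

# Stub FTP server and client showing which side dials the data connection in
# active (PORT) and passive (PASV) mode. Added example, not ProFTPD or ftp(1).
# Assumptions: everything runs on 127.0.0.1; the active-mode data connection
# leaves from an ephemeral port, not port 20 (binding port 20 needs root).

LISTING = b"drwx------   3 slacker  users  104 Jul 27 public_html\r\n"  # constructed

def hostport_to_addr(arg):
    """Decode h1,h2,h3,h4,p1,p2 (optionally wrapped in '(...).') to (ip, port)."""
    n = [int(x) for x in arg.strip("() .").split(",")]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def addr_to_hostport(ip, port):
    """Encode (ip, port) as h1,h2,h3,h4,p1,p2."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def serve_one_session(ctrl, log):
    """Handle one control connection; every line exchanged goes into log."""
    rd = ctrl.makefile("rb")
    def reply(line):
        log.append("S: " + line)
        ctrl.sendall((line + "\r\n").encode())
    reply("220 stub FTP server ready.")
    active_target = pasv_listener = None
    while True:
        line = rd.readline().decode().rstrip("\r\n")
        if not line:
            break
        log.append("C: " + line)
        cmd, _, arg = line.partition(" ")
        if cmd == "USER":
            reply("230 User %s logged in." % arg)
        elif cmd == "PORT":                      # client names ITS port N+1
            active_target, pasv_listener = hostport_to_addr(arg), None
            reply("200 PORT command successful.")
        elif cmd == "PASV":                      # server opens arbitrary port P
            pasv_listener, active_target = socket.socket(), None
            pasv_listener.bind(("127.0.0.1", 0))
            pasv_listener.listen(1)
            reply("227 Entering Passive Mode (%s)."
                  % addr_to_hostport(*pasv_listener.getsockname()))
        elif cmd == "LIST":
            reply("150 Opening ASCII mode data connection for file list.")
            if active_target:                    # active: SERVER dials out
                data = socket.create_connection(active_target)
                log.append("S: connected to client data port %d" % active_target[1])
            else:                                # passive: CLIENT dials in
                data, peer = pasv_listener.accept()
                pasv_listener.close()
                log.append("S: accepted client data connection from port %d" % peer[1])
            data.sendall(LISTING)
            data.close()
            reply("226 Transfer complete.")
        elif cmd == "QUIT":
            reply("221 Goodbye.")
            break
    ctrl.close()

def run_client(server_port, passive):
    """Log in, fetch one listing in the chosen mode and return its bytes."""
    ctrl = socket.create_connection(("127.0.0.1", server_port))
    rd = ctrl.makefile("rb")
    def cmd(line):
        ctrl.sendall((line + "\r\n").encode())
        return rd.readline().decode().rstrip("\r\n")
    rd.readline()                                    # 220 banner
    cmd("USER slacker")
    if passive:
        ip, port = hostport_to_addr(cmd("PASV").split("(", 1)[1])
        cmd("LIST")                                  # 150
        data = socket.create_connection((ip, port))  # client -> server port P
    else:
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))              # client's port N+1
        listener.listen(1)
        cmd("PORT " + addr_to_hostport(*listener.getsockname()))
        cmd("LIST")                                  # 150
        data, _ = listener.accept()                  # server -> client port N+1
        listener.close()
    listing = b"".join(iter(lambda: data.recv(4096), b""))
    data.close()
    rd.readline()                                    # 226
    cmd("QUIT")
    ctrl.close()
    return listing

def demo(passive):
    """Run server and client on localhost; return (listing, transcript)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    log = []
    t = threading.Thread(target=lambda: serve_one_session(srv.accept()[0], log))
    t.start()
    listing = run_client(srv.getsockname()[1], passive)
    t.join()
    srv.close()
    return listing, log

if __name__ == "__main__":
    for mode in (False, True):
        print("\n".join(demo(mode)[1]), end="\n\n")
```

Running it prints the two transcripts. In the active run the server logs that it connected out to the client's port; in the passive run it logs that it accepted a connection from the client. That single difference in who calls connect() is what the two firewall tables above are about.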

Example of Passive FTP

Below is an actual example of a passive FTP session. Again, the server names, IP addresses and user names have been changed. In this example the FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a Linux workstation running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a Linux workstation running ProFTPD 1.2.2rc2. The debugging (-d) option is used with the FTP client to show the connection process in detail. The red text is the debugging output, which shows the actual FTP commands sent to the server and the responses they generate; the server's output is shown in black, in bold.

Note how the port information in this example differs from the active FTP example: here we see a port being opened on the server (192.168.150.90) rather than on the client. Compare this with the format of the PORT command in the active FTP example above.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------   3 slacker   users   104 Jul 27 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

Summary

The following chart helps administrators remember how each FTP method works:

Active FTP:
  Command connection:  client port >1023  ->  server port 21
  Data connection:     client port >1023  <-  server port 20

Passive FTP:
  Command connection:  client port >1023  ->  server port 21
  Data connection:     client port >1023  ->  server port >1023

The following is a brief summary of the advantages and disadvantages of active and passive ftp:

Active FTP is beneficial to the FTP server administrator but detrimental to the client-side administrator: the FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client but detrimental to the FTP server administrator: the client makes both connections to the server, but one of them is to a random high port, which would almost certainly be blocked by a firewall on the server side.

Fortunately, there is a compromise. Since the FTP server administrator needs to allow the greatest number of clients to connect to the server, they will almost certainly have to support passive FTP. The exposure of high ports on the server can be limited by specifying a restricted port range for the FTP server to use; anything outside that range is then blocked by the server's firewall. While this does not eliminate all risk to the server, it greatly reduces it. See Appendix 1 for more information.
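As an added illustration of this trade-off (my code, not the article's), the following Python models the two firewall rule tables from this page as a stateless allow list and checks the connection-opening packet of each mode's data connection against a server policy and a typical client policy that permits only outbound connections. The port numbers 3762 and 50069 are the ones that appear in the sessions on this page; the 60000-60100 range is a constructed placeholder for an administrator-chosen passive range; all function names are my own.

```python
# Stateless model of the firewall rule tables given in this article, added as
# an example (not from the article) to show which FTP flows each policy admits
# and how restricting the server's passive port range shrinks its exposure.
# Only the connection-opening packet of each flow is modelled. A rule is
# (direction, source port range, destination port range) as seen from the
# protected host; a flow is (direction, source port, destination port).

ANY = (1, 65535)
HIGH = (1024, 65535)          # the article's "ports greater than 1023"

def server_rules(passive_range=HIGH):
    """Server-side allow list for active and passive FTP (the article's tables)."""
    return [
        ("in",  ANY,           (21, 21)),      # client -> server 21 (control)
        ("out", (21, 21),      HIGH),          # server 21 -> client control port
        ("out", (20, 20),      HIGH),          # active: server 20 -> client data port
        ("in",  HIGH,          (20, 20)),      # active: client ACKs to server 20
        ("in",  HIGH,          passive_range), # passive: client -> server data port P
        ("out", passive_range, HIGH),          # passive: server P -> client data port
    ]

# A typical client-side policy: outbound from high ports only, nothing inbound.
CLIENT_RULES = [("out", HIGH, ANY)]

def allowed(rules, flow):
    """True if some rule matches the flow's direction and both of its ports."""
    direction, src, dst = flow
    return any(d == direction and lo_s <= src <= hi_s and lo_d <= dst <= hi_d
               for d, (lo_s, hi_s), (lo_d, hi_d) in rules)

def data_connection_ok(mode, client_port, server_port, client_rules, srv_rules):
    """Return (passes client firewall, passes server firewall) for the data SYN.

    Active: server port 20 dials the client's port. Passive: the client's port
    dials the server's port P. The same packet is judged by both firewalls.
    """
    if mode == "active":
        return (allowed(client_rules, ("in", 20, client_port)),
                allowed(srv_rules, ("out", 20, client_port)))
    return (allowed(client_rules, ("out", client_port, server_port)),
            allowed(srv_rules, ("in", client_port, server_port)))

def exposed_high_ports(rules):
    """Count distinct server ports above 1023 reachable inbound from anywhere."""
    ports = set()
    for direction, _, (lo, hi) in rules:
        if direction == "in":
            ports.update(range(max(lo, 1024), hi + 1))
    return len(ports)

if __name__ == "__main__":
    # 3762 and 50069 are the client and server data ports from the sessions above;
    # 60000-60100 stands in for an administrator-chosen passive range.
    print(data_connection_ok("active", 3762, 20, CLIENT_RULES, server_rules()))
    print(data_connection_ok("passive", 3762, 50069, CLIENT_RULES, server_rules()))
    print(data_connection_ok("passive", 3762, 50069, CLIENT_RULES, server_rules((60000, 60100))))
    print(exposed_high_ports(server_rules()), exposed_high_ports(server_rules((60000, 60100))))
```

The first call shows the active-mode data connection passing the server's firewall but being dropped at the client; the second shows passive mode passing both; the third shows that once the server's passive range is narrowed, a data port outside that range is refused, and the exposed inbound high-port count drops from 64512 to 101. A real firewall would of course be stateful, but the allow lists in the article are written as stateless rules and this model keeps to them.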

References

O'Reilly's "Building Internet Firewalls", 2nd edition (Brent Chapman and Elizabeth Zwicky), is a good reference. It describes how various Internet protocols work and gives examples of firewall configurations.

The most authoritative FTP reference is RFC 959, the official specification of the FTP protocol. RFCs can be downloaded from many sites, for example: ftp://nic.merit.edu/documents/rfc/rfc0959.txt

Active FTP vs. Passive FTP, Appendix 1
