Active mode
1. The FTP client uses TCP port 1026 to send commands to the FTP server's command port 21
2. The FTP server responds from TCP port 21 to the FTP client's command port 1026
3. The FTP server sends data from TCP port 20 to the FTP client's data port 1027 (1026 + 1)
4. The FTP client uses TCP port 1027 (1026 + 1) to send data ACKs to the FTP server's port 20
Passive mode
1. The FTP client uses TCP port 1026 to send the PASV command to the FTP server's command port 21
2. The FTP server replies from TCP port 21 to the FTP client's command port 1026, announcing data port 2024
3. The FTP client uses TCP port 1027 (n+1) to connect to the FTP server's port 2024 for data transmission and ACKs
4. The FTP server uses TCP port 2024 to send data and ACKs to the FTP client
FTP is a TCP-only service and does not support UDP. What sets it apart is that FTP uses two ports, a data port and a command port (also known as the control port). Typically these are port 21 (command port) and port 20 (data port). But FTP does not always work this way: the data port is not always 20. This is the most significant difference between FTP active mode and passive mode.
(i) Active FTP
Active FTP works like this: the client connects to the FTP server's command port (port 21) from an arbitrary port N (N > 1024). The client then starts listening on port N+1 and sends the FTP command "PORT N+1" to the server. The server then connects to the client-specified data port (N+1) from its own data port (20).
For a firewall in front of the FTP server, the following traffic must be allowed to support active FTP:
1. Any port greater than 1024 to the FTP server's port 21 (client-initiated connection)
2. The FTP server's port 21 to ports greater than 1024 (the server responds to the client's control port)
3. The FTP server's port 20 to ports greater than 1024 (the server initiates the data connection to the client's data port)
4. Ports greater than 1024 to the FTP server's port 20 (the client sends ACK responses to the server's data port)
(ii) Passive FTP
To solve the problem of the server initiating the connection to the client, a different kind of FTP connection was developed. It is called passive mode, or PASV, and it is enabled when the client notifies the server that it is in passive mode.
In passive mode FTP, both the command and data connections are initiated by the client, which solves the problem of the server's inbound connection to the client's data port being filtered by the firewall.
When an FTP connection is opened, the client opens two arbitrary, unprivileged local ports (N > 1024 and N+1). The first port connects to the server's port 21, but unlike active FTP, the client does not send the PORT command to let the server connect back to its data port; instead it sends the PASV command. The result is that the server opens an arbitrary unprivileged port (P > 1024) and sends the port number P back to the client. The client then initiates a connection from its local port N+1 to port P on the server to transmit the data.
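Both the client's PORT command (active mode, "PORT N+1" above) and the server's reply to PASV (passive mode, port P above) carry the address as six decimal numbers: four IPv4 octets followed by the port split into a high byte and a low byte (port = p1*256 + p2). The following is an added example, not code from the original text: it builds a PORT command for data port N+1, parses a 227 passive-mode reply back into a host and port, and applies the defensive check a client should make before following that reply. All hosts and port numbers in it are constructed for illustration; the 227 reply format is the standard one from RFC 959.

```python
import re

# Added example: the "h1,h2,h3,h4,p1,p2" address encoding shared by the client's
# PORT command (active mode) and the server's 227 reply to PASV (passive mode).
# Hosts and ports used here are constructed values, not from a real server.

_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_port_command(client_host: str, data_port: int) -> str:
    """Build the PORT command an active-mode client sends for its data port (N+1)."""
    octets = client_host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("client_host must be a dotted IPv4 address")
    if not 0 < data_port < 65536:
        raise ValueError("data_port out of range")
    p1, p2 = data_port >> 8, data_port & 0xFF      # high byte, low byte
    return f"PORT {','.join(octets)},{p1},{p2}"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    Rejects replies that are not code 227, carry no address tuple, have a byte
    above 255, or announce port 0 (none of which a client should act on)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _ADDR_RE.search(reply)
    if m is None:
        raise ValueError("227 reply carries no h1,h2,h3,h4,p1,p2 tuple")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("address/port byte out of range")
    host = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("server announced port 0")
    return host, port


def pasv_target_is_sane(reply: str, control_peer: str, min_port: int = 1025) -> bool:
    """Client-side check: the announced data port should be on the same host as
    the control connection and be an unprivileged port (P > 1024, as the text
    says). A different host usually means a NAT rewrote the reply or the server
    is misconfigured; a careful client connects to the control peer instead."""
    host, port = parse_pasv_reply(reply)
    return host == control_peer and port >= min_port


def active_mode_plan(client_host: str, n: int) -> dict:
    """The active-mode port arithmetic from the text: control from N, data on N+1."""
    return {
        "control": (n, 21),                                  # client N -> server 21
        "port_cmd": encode_port_command(client_host, n + 1), # "PORT ...,N+1"
        "data": (20, n + 1),                                 # server 20 -> client N+1
    }


if __name__ == "__main__":
    print(active_mode_plan("192.168.1.10", 1026))
    # Constructed reply: 7*256 + 232 = 2024, the passive data port used in the lists above.
    print(parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,7,232)"))
```

Running the block prints the active-mode plan for N = 1026 (data port 1027) and decodes the constructed 227 reply to ("10.0.0.5", 2024). The sanity check is where a client's own policy lives: if the announced host is not the server it is already talking to, the client should not follow the reply.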
For the server-side firewall, the following traffic must be allowed to support passive FTP:
1. Any port greater than 1024 to the server's port 21 (client-initiated connection)
2. The server's port 21 to any port greater than 1024 (the server responds to the client's control port connection)
3. Any port greater than 1024 to any port greater than 1024 on the server (the client initiates the data connection to the port specified by the server)
4. The server's ports greater than 1024 to remote ports greater than 1024 (the server sends ACK responses and data to the client's data port)
(iii) Advantages and disadvantages of active and passive FTP
Active FTP is convenient for the administrator of the FTP server but inconvenient for the client side, because the FTP server attempts to establish a connection to a high random port on the client, which is likely to be blocked by the client's firewall. Passive FTP is convenient for FTP clients but not for the server side, because the client needs to establish two connections to the server, one of them to a high random port, which is likely to be blocked by the server-side firewall.
Fortunately, there is a compromise. Since an FTP server administrator wants as many clients as possible to be able to connect to the server, the server must support passive FTP. The exposure of the server's high ports can be reduced by assigning the FTP server a limited range of ports; any port outside this range is then blocked by the server's firewall. While this does not eliminate all risk to the server, it greatly reduces it.
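The two rule lists above (active and passive) and the compromise of a limited passive port range can be written down as a policy and checked against sample flows. The following is an added example, not code from the original text: it models the server-side firewall rules exactly as the lists state them, adds the passive-range restriction from the paragraph above, and reports which of a set of constructed connection attempts each policy would block. The range 50000-50100 and all flows are constructed values chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Added example: server-side firewall policy for active and passive FTP, modelled
# rule by rule from the two lists in the text. Port range and flows are constructed.

FTP_CONTROL = 21   # command (control) port
FTP_DATA = 20      # fixed active-mode data port on the server


@dataclass(frozen=True)
class Conn:
    """One packet direction, as the rule lists describe traffic.
    direction "in" = client -> server, "out" = server -> client."""
    direction: str
    src_port: int
    dst_port: int


def _high(port: int) -> bool:
    """'Port greater than 1024' in the rule lists."""
    return port > 1024


def allowed_active(c: Conn) -> bool:
    """Active FTP, rules 1-4: control on 21, data from server port 20."""
    if c.direction == "in":
        return _high(c.src_port) and c.dst_port in (FTP_CONTROL, FTP_DATA)   # rules 1, 4
    if c.direction == "out":
        return c.src_port in (FTP_CONTROL, FTP_DATA) and _high(c.dst_port)   # rules 2, 3
    return False


def allowed_passive(c: Conn, pasv_range: tuple[int, int] = (1025, 65535)) -> bool:
    """Passive FTP, rules 1-4, with the server's data ports limited to pasv_range.
    The default range is 'any port greater than 1024'; a narrower range is the
    compromise the text recommends."""
    lo, hi = pasv_range

    def in_range(p: int) -> bool:
        return lo <= p <= hi

    if c.direction == "in":
        if _high(c.src_port) and c.dst_port == FTP_CONTROL:
            return True                                            # rule 1
        return _high(c.src_port) and in_range(c.dst_port)          # rule 3
    if c.direction == "out":
        if c.src_port == FTP_CONTROL and _high(c.dst_port):
            return True                                            # rule 2
        return in_range(c.src_port) and _high(c.dst_port)          # rule 4
    return False


def audit(conns: Iterable[Conn], policy: Callable[[Conn], bool]) -> list[Conn]:
    """Return the connections the given policy would block."""
    return [c for c in conns if not policy(c)]


# Constructed sample flows (not from a capture), using the port numbers from the text.
SAMPLE_FLOWS = [
    Conn("in", 1026, 21),     # client opens the command connection
    Conn("out", 21, 1026),    # server answers on the command connection
    Conn("out", 20, 1027),    # active: server connects to the client's data port N+1
    Conn("in", 1027, 20),     # active: client ACKs to server port 20
    Conn("in", 1027, 2024),   # passive: client connects to server data port 2024
    Conn("out", 2024, 1027),  # passive: server answers from port 2024
    Conn("in", 1027, 50010),  # passive: data port inside a restricted range
    Conn("in", 4444, 23),     # unrelated: a connection attempt to telnet
]

RESTRICTED_RANGE = (50000, 50100)   # constructed example of a limited passive range


def blocked_by_active() -> list[Conn]:
    return audit(SAMPLE_FLOWS, allowed_active)


def blocked_by_default_passive() -> list[Conn]:
    return audit(SAMPLE_FLOWS, allowed_passive)


def blocked_by_restricted_passive() -> list[Conn]:
    return audit(SAMPLE_FLOWS, lambda c: allowed_passive(c, RESTRICTED_RANGE))


if __name__ == "__main__":
    for name, fn in [("active", blocked_by_active),
                     ("passive (any high port)", blocked_by_default_passive),
                     ("passive (50000-50100)", blocked_by_restricted_passive)]:
        print(f"{name}: blocks {[(c.direction, c.src_port, c.dst_port) for c in fn()]}")
```

With the default passive policy the server accepts a data connection to any high port, so port 2024 passes and only the active-mode flows and the telnet attempt are blocked; with the restricted range, the connection to 2024 is blocked as well while 50010 still passes. The model treats each direction as its own rule, as the lists do; a stateful firewall only needs the rules for the initiating direction (1 and 3) and tracks the replies itself.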
In a nutshell:
Active mode (PORT) and passive mode (PASV): in active mode the server initiates the data connection to the client, while in passive mode the client initiates the connection to the server. What they have in common is the use of port 21 for user authentication and management; the difference is in how data is transmitted. In PORT mode the FTP server's data port is fixed at 20, while in PASV mode it is chosen randomly from 1025-65535.
The solution and principle of FTP active mode and passive mode
FTP is the abbreviation of File Transfer Protocol, which is used to transfer files between two computers. The FTP protocol is much more complicated than HTTP. The reason for the complexity is that FTP uses two TCP connections: one is the command connection, used to pass commands between the FTP client and the server, and the other is the data connection, used to upload or download data.
The FTP protocol works in two modes, PORT and PASV, whose Chinese names mean active and passive.
In the PORT (active) connection process, the client sends a connection request to the server's FTP port (21 by default), and the server accepts the connection and establishes the command connection. When data needs to be transferred, the client uses the PORT command on the command connection to tell the server: "I have opened port XXXX, come and connect to me." The server then sends a connection request from port 20 to the client's port XXXX, creating a data connection to transmit the data.
In the PASV (passive) connection process, the client sends a connection request to the server's FTP port (21 by default), and the server accepts the connection and establishes the command connection. When data needs to be transferred, the server, replying to the client's PASV command on the command connection, tells the client: "I have opened port XXXX, come and connect to me." The client then sends a connection request to the server's port XXXX, creating a data connection to transmit the data.
Overview:
--------------------------------------------------------------------------------
Active mode: the server knocks on the client's door, then the client opens the door
Passive mode: the client knocks on the server's door, and the server opens the door
So if you are browsing through a proxy, you cannot use active mode, because the server knocks on the door of the proxy server instead of the client's door
And sometimes the client cannot open the door easily because a firewall is blocking it, unless the client opens a high port greater than 1024
--------------------------------------------------------------------------------