FTP active mode (port) and passive mode (PASV) (transfer)

Source: Internet
Author: User
Tags ftp commands ftp connection ftp client ftp protocol

 

From: http://www.phpweblog.net/killjin/archive/2008/01/06/2653.html

 

Directory

Opening Remarks
Basic
Active FTP
Example of active FTP
Passive FTP
Example of Passive FTP
Summary
References

 

Opening Remarks
One of the most common challenges when dealing with Firewall and other network connection problems is the difference between active FTP and Passive FTP and how to perfectly support them. Fortunately, this article helps you clear some confusion about how FTP is supported in the firewall environment.

This article may not be an authoritative explanation as the title claims, but I have heard a lot of good feedback and I have seen that this article has been cited in many places, many people think it is useful. Although I have been looking for methods for improvement, if you find that you are not clear enough about it, please let me know more! The latest modification is an example of commands in active and passive FTP sessions. Examples of these sessions should be helpful for better understanding the problem. The example also provides a great example to explain the FTP session procedure. Now, the question begins...

 

Basic
FTP is a TCP-based service and does not support udp. What is different is that FTP uses two ports, one data port and one command port (also called control port ). Generally, these two ports are 21-command port and 20-data port. However, when we find that port 20 is not always different based on the (FTP work) method, confusion arises.

 

Active FTP
The active FTP is like this: the client connects to the command port of the FTP server from an arbitrary non-privileged port n (n>; 1024), that is, port 21. Then the client starts listening to port n + 1 and sends the FTP command "port n + 1" to the FTP server. The server then connects to the data port (n + 1) specified by the client from its own data port (20 ).

For the firewall before the FTP server, you must allow the following communication to support active FTP:
Port 21 from any port to the FTP server (client-initiated connection S <-C)
Port 21 of the FTP server to port greater than 1023 (the server responds to the control port S-> C of the client)
Port 20 of the FTP server to port greater than 1023 (the data port S-> C of the server to initialize data connection to the client)
Port 20 from port 1023 to the FTP server (the client sends an ACK response to the server's data port S <-C)


The connection process looks like this:
 

In step 2, the client's command port establishes a connection with the FTP server's command port and sends the command "port 1st ". In step 2, the FTP server returns an "Ack" to the client's command port ". In step 2, the FTP server initiates a connection from its own data port (20) to the data port (3rd) previously specified by the client, the client returns an "Ack" to the server in step 3 ".

The main problem with active FTP is the client. The FTP client does not actually establish a connection to the server's data port. It simply tells the server the port number it listens to and the server returns to connect to the specified port of the client. For the client's firewall, This is a connection established from the external system to the internal client, which is usually blocked.

 

Example of active FTP
The following is an example of an active FTP session. Of course, the server name, IP address, and user name have been changed. In this example, the FTP session starts from testbox1.slacksite.com (192.168.150.80), a Linux workstation running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a Linux workstation running ProFTPD 1.2.2rc2. The debugging (-d) option is used to display the detailed connection process on the FTP client. The red text is the debugging information, showing the actual FTP commands sent to the server and the response information. The output information of the server is displayed in black and in bold.

Think carefully about this conversation and we will find some interesting things. We can see that when the PORT command is submitted, it specifies a port on the client (192.168.150.80) instead of the server. When we use Passive FTP, we will see the opposite phenomenon. Let's take a look at the PORT command format. As you can see in the following example, it is a sequence consisting of six numbers separated by commas. The first four are IP addresses, and the last two are the port numbers used for data connection. Multiply the fifth number by 256 and add the sixth number to obtain the actual port number. In the following example, the port number is (14*256) + 178) = 3762. We can use netstat to verify the port information.

Testbox1: {/home/p-t/Slacker/public_html} % FTP-D testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2: slacker): slacker
---> User slacker
331 Password required for slacker.
Password: tmppass
---> Pass xxxx
230 user slacker logged in.
---> Syst
215 UNIX type: l8
Remote system type is UNIX.
Using binary mode to transfer files.
Ftp> ls
FTP: setsockopt (ignored): Permission denied
---> Port 192,168,150, 178
200 PORT command successful.
---> List
150 opening ASCII mode data connection for file list.
Drwx ------ 3 slacker users 104 Jul 27 public_html
226 transfer complete.
Ftp> quit
---> Quit
221 goodbye.

 

Passive FTP
To solve the problem that the server initiates a connection to the customer, we developed a different FTP connection method. This is the so-called passive mode or PASV, Which is enabled only when the client notifies the server that it is in passive mode.

In the Passive ftp mode, both the command connection and data connection are performed by the client, so that the firewall can filter out the inbound connections from the server to the client's data port. When an FTP connection is enabled, the client opens two arbitrary non-privileged local ports (n>; 1024 and n + 1 ). The first port connects to port 21 of the server, but unlike the active FTP, the client does not submit the PORT command and allows the server to connect to its data port back and forth. Instead, it submits the PASV command. The result is that the server opens any non-privileged port (P>; 1024) and sends the port p command to the client. Then the client initiates a connection from the local port n + 1 to the port P on the server to transmit data.

For the server-side firewall, the following communication must be allowed to support Passive FTP:
Port 21 from any port to the server (client-initiated connection S <-C)
Port 21 of the server to any port greater than 1023 (the server responds to the connection s-> C from the control port of the client)
Port 1023 or greater from any port to the server (inbound; the client initializes the data to connect to any port specified by the server S <-C)
Port number greater than 1023 of the server to port number greater than 1023 of the remote server (outbound; the server sends ack response and data to the client's data port S-> C)

The Passive FTP connection process looks like this:
 

In step 2, the client's command port establishes a connection with the server's command port and sends the command "PASV ". In step 2, the server returns the "Port 2nd" command to tell the client (server) which port is used to listen for data connections. In step 2, the client initializes a data connection from its own data port to the data port specified by the server. Finally, the server returns an "Ack" response to the client's data port in step 3.

Passive FTP solves many client problems, but it also brings more problems to the server. The biggest problem is that you need to allow connections from any remote terminal to a high port on the server. Fortunately, many FTP daemon, including the Popular WU-FTPD, allow administrators to specify the port range used by the FTP server. For more information, see Appendix 1.

The second problem is that some clients support the passive mode and some do not support the passive mode. You must consider how to support these clients and provide them with solutions. For example, the FTP command line tool provided by Solaris does not support passive mode and requires a third-party FTP client, such as ncftp.

With the popularity of WWW, many people are used to using Web browsers as FTP clients. Most browsers only support passive mode when accessing a URL such as ftp. Whether this is good or bad depends on the configuration of the server and firewall.

 

Example of Passive FTP
The following is an actual example of a Passive FTP session, but the server name, IP address, and user name have been changed. In this example, the FTP session starts from testbox1.slacksite.com (192.168.150.80), a Linux workstation running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a Linux workstation running ProFTPD 1.2.2rc2. The debugging (-d) option is used to display the detailed connection process on the FTP client. The red text is the debugging information, showing the actual FTP commands sent to the server and the response information. The output information of the server is displayed in black and in bold.

Note that the PORT command in this example is different from the active FTP example. Here, we can see that the server (192.168.150.90) is opened instead of a port of the client. You can compare the PORT command format in the preceding active FTP example.

Testbox1: {/home/p-t/Slacker/public_html} % FTP-D testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2: slacker): slacker
---> User slacker
331 Password required for slacker.
Password: tmppass
---> Pass xxxx
230 user slacker logged in.
---> Syst
215 UNIX type: l8
Remote system type is UNIX.
Using binary mode to transfer files.
Ftp> passive
Passive mode on.
Ftp> ls
FTP: setsockopt (ignored): Permission denied
---> PASV
227 entering passive mode (192,168,150, 90,195,149 ).
---> List
150 opening ASCII mode data connection for file list
Drwx ------ 3 slacker users 104 Jul 27 public_html
226 transfer complete.
Ftp>; quit
---> Quit
221 goodbye.

 

Summary
The following chart helps administrators remember how each FTP method works:

Active FTP:
Command connection: client> 1023 port> server port 21
Data Connection: client> port 1023 <-Port 20 of the server

Passive FTP:
Command connection: client> 1023 port> server port 21
Data Connection: client> 1023 port> Server> 1023 Port

 

The following is a brief summary of the advantages and disadvantages of active and passive ftp:

Active FTP is advantageous for FTP server management, but unfavorable for client management. The FTP server tries to establish a connection with the high random port of the client, and the port is probably blocked by the firewall of the client. Passive FTP is advantageous for FTP Client Management, but unfavorable for server management. Because the client needs to establish two connections with the server, one of which is connected to a high random port, and this port may be blocked by the server firewall.

Fortunately, there is a compromise. Since the FTP server administrator needs the most client connections to their server, Passive FTP must be supported. You can specify a limited port range for the FTP server to reduce the exposure of the server's high port. In this way, any port out of this range will be blocked by the server's firewall. Although this does not eliminate all risks against servers, it significantly reduces the risks.


References

O'reilly's "build Internet firewall" (version 2, Brent Chapman, Elizabeth Zwicky) is a good reference. This section describes how various Internet protocols work and examples of firewalls.

The most authoritative FTP reference is RFC 959, which is the official specification of the FTP protocol. RFC documents can be downloaded from many websites, such as http://www.cnblogs.com/itech/admin/ftp://nic.merit.edu/documents/rfc/rfc0959.txt.

Http://www.cnblogs.com/itech/archive/2011/02/12/1952828.html

 

FTP active mode (port) and passive mode (PASV) (transfer)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.