The difference between FTP active mode and passive mode

Source: Internet
Author: User

Basic knowledge:

FTP runs only over TCP; there is no UDP component. FTP differs from most other services in that it uses two ports: a data port and a command (or control) port. Traditionally port 21 is the command port and port 20 is the data port, but once active and passive modes come into play the data port is often not 20.

Active mode FTP:

In active mode, the FTP client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client then listens on port N+1 (N+1 >= 1024) and sends the command PORT N+1 to the FTP server. The server in turn connects back from its own data port (20) to the data port the client specified.

To support active mode FTP, the server-side firewall must allow the ports used in the following interactions:

    • FTP server command port (21) accepts connections from any client port (client-initiated connection)
    • FTP server command port (21) to client ports > 1023 (server responds to client commands)
    • FTP server data port (20) to client ports > 1023 (server initiates the data connection to the client's data port)
    • FTP server data port (20) accepts packets from client ports > 1023 (client sends ACKs to the server's data port)

The diagram shows the following:

In step 1, the client's command port establishes a connection to the FTP server's command port and sends the command "PORT 1027". In step 2, the FTP server returns an "ACK" to the client's command port. In step 3, the FTP server initiates a connection from its own data port (20) to the data port the client specified earlier (1027). Finally, in step 4, the client returns an "ACK" to the server.

The main problem with active FTP is actually on the client side. The FTP client does not establish the data connection to the server itself; it simply tells the server which port it is listening on, and the server connects back to that client port. From the client firewall's point of view, this is a connection from an external system to an internal client, which is usually blocked.

Passive mode FTP:

To solve the problem of the server initiating the connection to the client, a different method of FTP connection was developed. This is called passive mode, or PASV, and it is enabled when the client tells the server to use passive mode.

In passive mode FTP, both the command connection and the data connection are initiated by the client, which solves the problem of the inbound data connection from server to client being filtered by the client's firewall. When an FTP connection is opened, the client opens two arbitrary unprivileged local ports (N > 1024 and N+1). The first port connects to the server's port 21, but unlike active FTP the client does not issue a PORT command to have the server connect back to its data port; instead it issues the PASV command. The result is that the server opens an arbitrary unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates a connection from local port N+1 to server port P to transfer the data.

For a server-side firewall, the following traffic must be allowed to support passive FTP:

    • FTP server command port (21) accepts connections from any client port (client-initiated connection)
    • FTP server command port (21) to client ports > 1023 (server responds to client commands)
    • FTP server data ports (> 1023) accept connections from client ports > 1023 (client initiates the data connection to whatever port the server specified)
    • FTP server data ports (> 1023) to client ports > 1023 (server sends ACKs and data to the client's data port)

The diagram shows the following:

In step 1, the client's command port establishes a connection to the server's command port and sends the command "PASV". In step 2, the server returns the command "PORT 2024", telling the client which port the server is listening on for data connections. In step 3, the client initiates a data connection from its own data port to the specified data port on the server. Finally, in step 4, the server returns an "ACK" to the client's data port.

Passive mode FTP solves many problems on the client side, but it creates more problems on the server side. The biggest problem is the need to allow connections from any remote host to high ports on the server. Fortunately, many FTP daemons, including the popular wu-ftpd, allow administrators to specify the port range the FTP server uses. For more information, see Appendix 1.

The second problem is that while many clients support passive mode, some do not, and administrators must consider how to accommodate these clients and provide them with a workaround. For example, the FTP command-line tool shipped with Solaris does not support passive mode, so a third-party FTP client such as ncftp is required.

With the widespread popularity of the WWW, many people are accustomed to using web browsers as FTP clients. Most browsers support only passive mode when accessing ftp:// URLs. Whether this is good or bad depends on the configuration of the server and firewall.

Note:

Readers have pointed out that when a client behind a NAT (network address translation) device accesses an FTP server in active mode, the NAT device does not rewrite the IP address carried inside the FTP payload (the PORT command), so the server cannot connect back to the client and the transfer fails.

Summary

The chart below will help administrators remember how each FTP mode works:

Active FTP:
    Command connection: client port >1023  ->  server port 21
    Data connection:    client port >1023  <-  server port 20

Passive FTP:
    Command connection: client port >1023  ->  server port 21
    Data connection:    client port >1023  ->  server port >1023

The following is a brief summary of the pros and cons of active and passive FTP:

Active FTP is favorable to the FTP server administrator but unfavorable to the client-side administrator: because the FTP server tries to establish a connection to a high random port on the client, that connection is likely to be blocked by the client's firewall. Passive FTP is favorable to the FTP client administrator but unfavorable to the server-side administrator: because the client establishes two connections to the server, one of them to a high random port, that connection is likely to be blocked by the server-side firewall.

Fortunately, there is a compromise. Since FTP server administrators need their servers to be reachable by as many clients as possible, passive FTP must be supported. The exposure of the server's high ports can be reduced by configuring a limited port range for the FTP server, so that any port outside this range is blocked by the server's firewall. While this does not eliminate all threats against the server, it greatly reduces the risk. See Appendix 1 for more information.
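As an added example (not code from the original article), the following Python shows the two messages described above in the form they take on the wire under RFC 959: the client's PORT command in active mode and the server's 227 reply in passive mode both carry the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, so the "PORT 1027" of the active-mode diagram is sent as PORT a,b,c,d,4,3, and the passive-mode "PORT 2024" is really a 227 response line. It also includes two server-side checks a practitioner would want: the PORT address mismatch that the NAT note describes, and whether an advertised passive port falls inside the limited range the compromise above recommends the firewall permit; all sample messages are constructed.

```python
import re
# RFC 959 host-port field as used by PORT and the 227 reply: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field; raise ValueError if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value over 255 in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte of the port, p2 the low byte
    return ip, port

def format_hostport(ip, port):
    """Inverse of parse_hostport: the field a client puts in PORT or a server in 227."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def parse_port_command(line):
    """Active mode: 'PORT h1,h2,h3,h4,p1,p2' from the client -> where the server connects back."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return parse_hostport(line[5:])

def parse_pasv_reply(line):
    """Passive mode: '227 Entering Passive Mode (h1,...,p2).' from the server -> where the client connects."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return parse_hostport(line)

def check_port_command(line, control_peer_ip):
    """Server-side checks on a PORT command; returns a list of problems (empty if none)."""
    ip, port = parse_port_command(line)
    problems = []
    if ip != control_peer_ip:  # the symptom behind the NAT note: address not rewritten by the NAT
        problems.append("PORT address %s differs from control peer %s" % (ip, control_peer_ip))
    if port <= 1023:
        problems.append("data port %d is privileged" % port)
    return problems

def pasv_port_in_range(line, low, high):
    """Audit a 227 reply: does the advertised port lie in the range the server firewall permits?"""
    _, port = parse_pasv_reply(line)
    return low <= port <= high

if __name__ == "__main__":  # constructed sample messages, not captured traffic
    print(parse_port_command("PORT 192,168,1,10,4,3"))  # ('192.168.1.10', 1027)
    print(pasv_port_in_range("227 Entering Passive Mode (10,0,0,5,7,232).", 50000, 50100))  # False
```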

Resources 

Building Internet Firewalls (2nd edition, Brent Chapman and Elizabeth Zwicky), published by O'Reilly, is a very good reference. It describes how the various Internet protocols work and gives examples of firewall configurations.

The most authoritative FTP reference is RFC 959, the official specification of the FTP protocol. The RFC text can be downloaded from many sites, for example: ftp://nic.merit.edu/documents/rfc/rfc0959.txt .

Active FTP vs. Passive FTP, appendix 1
