To get something working quickly, I set up an FTP server with vsftpd on RHEL 5 and opened ports 20 and 21 in /etc/sysconfig/iptables.
I then opened IE on my own machine and found that the browser could not log in anonymously, although the same server could be reached from the command-line ftp client and from FTP client software.
Strange. According to the analysis above the server settings are correct and the network is fine, so why?
After looking into it, I found that FTP has two modes: active and passive.
Checking /etc/vsftpd.conf showed that passive mode had not been configured, while in IE, under Tools -> Internet Options -> Advanced, the browser was set to use passive FTP.
So I edited vsftpd.conf and switched the server to passive mode, as follows:
pasv_enable=YES
pasv_min_port=3000
pasv_max_port=4000
Then edit /etc/sysconfig/iptables to open ports 3000 to 4000. For more information, see.
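The recurring mistake in this setup is a vsftpd passive range that does not match what iptables accepts. The following is an added example (not part of the original post and not vsftpd's or RHEL's own tooling) that parses a vsftpd.conf excerpt and an iptables-save style rule list, both constructed here as samples, and reports whether the firewall actually covers port 21 and the configured pasv range:

```python
import re

# Constructed sample configuration files (not the author's real files).
VSFTPD_CONF = """\
# /etc/vsftpd.conf excerpt
anonymous_enable=YES
pasv_enable=YES
pasv_min_port=3000
pasv_max_port=4000
"""

IPTABLES_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000:4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Matches "-A INPUT ... -p tcp ... --dport N[:M] ... -j ACCEPT" in iptables-save syntax.
_ACCEPT_TCP = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+)(?::(\d+))? .*-j ACCEPT")


def parse_vsftpd_conf(text):
    """Return vsftpd settings as a dict; '#' lines are comments, keys are case-sensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def pasv_range(settings):
    """(min, max) when passive mode is on with an explicit range, else None.
    vsftpd defaults pasv_enable to YES; an absent min/max means any ephemeral port."""
    if settings.get("pasv_enable", "YES").upper() != "YES":
        return None
    if "pasv_min_port" not in settings or "pasv_max_port" not in settings:
        return None
    return int(settings["pasv_min_port"]), int(settings["pasv_max_port"])


def accepted_tcp_dports(rules_text):
    """Collect (low, high) TCP destination port ranges accepted on INPUT."""
    ranges = []
    for line in rules_text.splitlines():
        m = _ACCEPT_TCP.match(line.strip())
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            ranges.append((lo, hi))
    return ranges


def firewall_covers(ranges, lo, hi):
    """True if one accepted range contains lo..hi entirely."""
    return any(a <= lo and hi <= b for a, b in ranges)


def check_passive_setup(conf_text, rules_text):
    """Return a list of problems; an empty list means vsftpd and iptables agree."""
    problems = []
    rng = pasv_range(parse_vsftpd_conf(conf_text))
    ranges = accepted_tcp_dports(rules_text)
    if not firewall_covers(ranges, 21, 21):
        problems.append("control port 21 is not accepted by the INPUT chain")
    if rng is None:
        problems.append("passive range is not restricted: the data port can be any "
                        "ephemeral port, so no narrow firewall rule can match it")
        return problems
    lo, hi = rng
    if lo > hi or lo < 1024 or hi > 65535:
        problems.append("passive range %d:%d is invalid (must be 1024-65535, min <= max)" % (lo, hi))
    elif not firewall_covers(ranges, lo, hi):
        problems.append("firewall does not accept the passive range %d:%d" % (lo, hi))
    return problems


if __name__ == "__main__":
    for problem in check_passive_setup(VSFTPD_CONF, IPTABLES_RULES) or ["passive setup is consistent"]:
        print(problem)
```

Run against the real files with `check_passive_setup(open("/etc/vsftpd.conf").read(), open("/etc/sysconfig/iptables").read())`; any firewall range narrower than the pasv range reproduces exactly the symptom described above, a control connection that succeeds followed by a data connection that hangs.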
Why do the minimum and maximum ports need to be set in passive mode?
To answer that, you need to understand how the FTP service works in active and passive modes:
FTP runs over TCP, not UDP. Unlike most protocols, FTP uses two ports: a command (control) port and a data port.
Normally port 21 is the command port and port 20 is the data port.
I. Active Mode
1. The client opens a connection from a random port above 1023 (say 1030) to port 21 on the server, as the FTP protocol requires.
2. The server acknowledges the connection from port 21 back to the client.
3. The server actively opens a connection from its port 20 to the client's port 1031 (1030 + 1).
4. The client acknowledges the connection from port 1031 to port 20.
This yields two connections, one for control commands and one for data transfer: 21-1030 and 20-1031.
Note, however, that in active mode it is the server that initiates a connection to the client, which a firewall on the client side may treat as an intrusion and reject.
II. Passive Mode
1. The client opens a connection from a random port above 1023 (say 1030) to port 21 on the server, as the FTP protocol requires.
2. The server acknowledges the connection from port 21 back to the client.
3. The server tells the client, over the command channel, which high port (> 1023, say 2000) it is listening on for the data connection.
4. The client opens a connection from port 1031 to server port 2000, establishing the data channel.
5. The server acknowledges the connection from port 2000 to client port 1031.
This yields two connections, one for control commands and one for data transfer: 21-1030 and 2000-1031.
Note, however, that in passive mode the server listens for the client's connection on an agreed port above 1023, so that port must be opened on the server's firewall.
III. Summary
Active FTP:
Command: client > 1023 -> server 21
Data: client > 1023 <- server 20
Passive FTP:
Command: client > 1023 -> server 21
Data: client > 1023 -> server > 1023
Active mode favours the server and passive mode favours the client. But since it is the server that provides the FTP service, it makes more sense to set firewall rules on the server side to support passive mode than to require every client to adjust its firewall for active mode. Of course, when the server offers passive mode, for security reasons you should restrict the range of ports the client may use for data connections:
pasv_min_port=3000
pasv_max_port=4000
That is, the client may open data connections only to ports between 3000 and 4000.
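Both modes hand the data endpoint over on the command channel as a `h1,h2,h3,h4,p1,p2` tuple (port = p1 * 256 + p2), in the client's `PORT` command for active mode and in the server's `227` reply for passive mode. The following added example, written for this post and not taken from vsftpd or any FTP client, decodes both messages using constructed sample lines, builds the 227 reply a server would send for a port in the 3000-4000 range, and shows the two checks a defender cares about: the advertised passive port must fall inside the firewall-allowed range, and a client should refuse a 227 reply that points at a host other than the server it is already talking to.

```python
import re

# The pasv_min_port / pasv_max_port values from the text above.
PASV_RANGE = (3000, 4000)

# Constructed sample messages, not captured from a real session.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,11,184)."   # 11*256+184 = 3000
PORT_COMMAND = "PORT 192,168,1,20,4,7"                            # 4*256+7 = 1031

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply (RFC 959)."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def pasv_reply(host, port):
    """Server side: compose the 227 reply announcing the listening data port."""
    p1, p2 = divmod(port, 256)
    return "227 Entering Passive Mode (%s,%d,%d)." % (host.replace(".", ","), p1, p2)


def passive_port_allowed(port, rng=PASV_RANGE):
    """Firewall view: the data port must lie inside the configured pasv range,
    otherwise the iptables rule for that range will not let the client's data connection in."""
    lo, hi = rng
    return lo <= port <= hi


def passive_data_endpoint(reply, control_peer):
    """Client side: where to open the data connection after a 227 reply.
    Rejects a reply that advertises a host other than the one the control connection is to."""
    if not reply.startswith("227 "):
        raise ValueError("expected a 227 reply, got %r" % reply)
    host, port = decode_hostport(reply)
    if host != control_peer:
        raise ValueError("227 reply advertises %s but the control connection is to %s"
                         % (host, control_peer))
    return host, port


def active_data_endpoint(command):
    """Server side: where the server must connect back to for a PORT command.
    The client's port is an arbitrary high port, which is why client firewalls object."""
    if not command.upper().startswith("PORT "):
        raise ValueError("expected a PORT command, got %r" % command)
    host, port = decode_hostport(command)
    if port <= 1023:
        raise ValueError("client asked for privileged port %d" % port)
    return host, port


if __name__ == "__main__":
    host, port = passive_data_endpoint(PASV_REPLY, "192.168.1.10")
    print("passive: connect to %s:%d, allowed by firewall: %s"
          % (host, port, passive_port_allowed(port)))
    host, port = active_data_endpoint(PORT_COMMAND)
    print("active: server connects out to %s:%d" % (host, port))
```

The host check in `passive_data_endpoint` is the client-side counterpart of the server's port range: the range keeps the server's firewall rule narrow, while the host check stops a malformed or hostile 227 reply from sending the client's data connection somewhere other than the server it authenticated to.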
The following is an English excerpt from a foreign website:
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.