2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Basic Knowledge
FTP uses TCP connections only; there is no UDP component. FTP differs from other services in that it uses two ports, a data port and a command port (also called the control port). Usually port 21 is the command port and port 20 is the data port. Depending on whether active or passive mode is used, however, the data port is not always 20.
Active Mode FTP
In active mode, the FTP client connects from an arbitrary unprivileged port (N > 1023) to the FTP server's command port, 21. The client then starts listening on port N+1 (N+1 >= 1024) and sends the command PORT N+1 to the FTP server. The server in turn connects from its own data port, port 20, back to the data port the client specified.
From a server-side firewall standpoint, to support active FTP you need to open the ports used in the following interactions:
FTP server command port (21) accepts connections from any client port (client initiates the connection)
FTP server command port (21) to client ports (>1023) (server responds to client commands)
FTP server data port (20) to client ports (>1023) (server initiates the data connection to the client's data port)
FTP server data port (20) accepts traffic from client ports (>1023) (client sends ACK packets to the server's data port)
The exchange proceeds as follows:
In step 1, the client's command port establishes a connection with the FTP server's command port and sends the command "PORT 1027."
In step 2, the FTP server returns an ACK to the client's command port.
In step 3, the FTP server initiates a connection from its own data port (20) to the client's previously specified data port (1027).
In step 4, the client returns an ACK to the server.
The main problem with active FTP is actually on the client side. The FTP client does not establish the connection to the server's data port itself; it simply tells the server which port it is listening on, and the server connects back to that port. To a client-side firewall, this is an external system initiating a connection to an internal client, which is normally blocked.
Passive Mode FTP
To solve the problem of server-initiated connections to clients, a different FTP connection method was developed. It is called passive mode, or PASV, and is enabled when the client notifies the server that it is in passive mode.
In passive FTP, both the command and data connections are initiated by the client, which solves the problem of the server's incoming connection to the client's data port being filtered by a firewall. When opening an FTP connection, the client opens two arbitrary unprivileged local ports (N > 1024 and N+1). The first port connects to port 21 of the server, but unlike active mode, the client does not issue the PORT command and let the server connect back to its data port; it issues the PASV command instead. As a result, the server opens an arbitrary unprivileged port (P > 1024) and sends the PORT P command to the client. The client then initiates a connection from local port N+1 to port P on the server to transfer data.
For server-side firewalls, the following communications must be allowed to support passive FTP:
FTP server command port (21) accepts connections from any client port (client initiates the connection)
FTP server command port (21) to client ports (>1023) (server responds to client commands)
FTP server data ports (>1023) accept connections from client ports (>1023) (client initiates the data connection to the port specified by the server)
FTP server data ports (>1023) to client ports (>1023) (server sends ACK responses and data to the client's data port)
The exchange proceeds as follows:
In step 1, the client's command port establishes a connection with the server's command port and sends the command "PASV."
In step 2, the server returns the command "PORT 2024," telling the client which port the server is listening on for data connections.
In step 3, the client initiates a data connection from its own data port to the specified data port on the server.
In step 4, the server returns an ACK to the client's data port.
Note: When a client behind a NAT (Network Address Translation) device accesses an FTP server in active mode, it cannot access the server, because the NAT device does not intelligently rewrite the IP address carried inside the FTP packet.
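The NAT failure in the note is visible in the control-channel text itself. On the wire, the PORT argument and the PASV reply (code 227) carry the data endpoint as six decimal bytes h1,h2,h3,h4,p1,p2 (RFC 959), with port = p1*256 + p2; the article shortens this to "PORT 1027" and "PORT 2024". The Python below is an added example, not part of the original article; the function names, finding labels and sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (six decimal bytes).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or a 227 PASV reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {line!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"byte out of range in {line!r}")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # data port = p1*256 + p2


def check_data_endpoint(line, peer_ip):
    """Compare the advertised data endpoint with the control connection's peer.

    peer_ip is the address the other side's control connection really comes
    from. Returns (ip, port, findings); an empty findings list means the
    advertised endpoint is consistent with the peer.
    """
    ip, port = parse_hostport(line)
    findings = []
    if ip != ipaddress.IPv4Address(peer_ip):
        findings.append("address-mismatch")  # payload not rewritten by NAT
    if any(ip in net for net in _RFC1918):
        findings.append("rfc1918-address")   # unreachable from other networks
    if port < 1024:
        findings.append("privileged-port")   # data ports should be > 1023
    return ip, port, findings


if __name__ == "__main__":
    # Constructed samples: documentation addresses, ports from the article.
    samples = [
        ("PORT 192,168,1,10,4,3", "203.0.113.5"),  # active, client behind NAT
        ("PORT 203,0,113,5,4,3", "203.0.113.5"),   # active, no NAT
        ("227 Entering Passive Mode (198,51,100,20,7,232)", "198.51.100.20"),
    ]
    for line, peer in samples:
        ip, port, findings = check_data_endpoint(line, peer)
        print(f"{line!r}: data endpoint {ip}:{port} findings={findings}")
```

In the first sample the server is told to connect back to 192.168.1.10:1027 while the control connection arrives from 203.0.113.5, which is the active-mode failure the note describes.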
Summary
The following chart will help administrators remember how each FTP method works:
Active FTP:
Command connection: client port >1023 -> server port 21
Data connection: client port >1023 <- server port 20
Passive FTP:
Command connection: client port >1023 -> server port 21
Data connection: client port >1023 -> server port >1023