What is the difference between FTP active mode and passive mode

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

This article explains the difference between FTP active mode and passive mode: which side opens the data connection in each mode, and what that means for the firewall at either end.

Basics:

FTP runs over TCP only; there is no UDP component. Unlike most services, FTP uses two connections: a command (or control) connection and a separate data connection. By default the control connection uses server port 21 and the data connection uses server port 20, but once active and passive mode enter the picture the data connection does not necessarily use port 20.

Active Mode FTP:

In active mode, the FTP client connects from an arbitrary unprivileged port (N > 1023) to port 21, the command port of the FTP server. The client then starts listening on port N+1 and sends the command PORT N+1 over the control connection. The server, in turn, connects from its own data port, port 20, to the data port the client specified.

From the standpoint of the server-side firewall, supporting active mode FTP means allowing the following traffic:

FTP server command port (21) accepts connections from any client port > 1023 (client's initial connection)

FTP server command port (21) to client port > 1023 (server responds to client commands)

FTP server data port (20) to client port > 1023 (server initiates the data connection to the client's data port)

FTP server data port (20) accepts packets from client port > 1023 (client sends ACKs to the server's data port)

The figure illustrates the exchange:

In step 1, the client's command port connects to the server's command port and sends the command PORT 1027. In step 2, the server returns an ACK to the client's command port. In step 3, the server initiates a connection from its own data port (20) to the data port (1027) the client specified, and in step 4 the client returns an ACK to the server.

The main problem with active FTP lies on the client side. The FTP client does not actually establish the data connection to the server; it simply tells the server which port it is listening on, and the server connects back to that port on the client. To the client's firewall this looks like an inbound connection from an external system to an internal host, which is usually blocked.

Passive mode FTP

To solve the problem of the server initiating a connection to the client, a different way of making the FTP connection was developed. This is called passive mode, or PASV, after the command the client sends to request it.

In passive FTP both the command connection and the data connection are initiated by the client, which solves the problem of the server's inbound data connection being filtered by the client's firewall. When the client opens an FTP session it opens two arbitrary unprivileged local ports (N > 1023 and N+1). The first port connects to server port 21, but instead of issuing a PORT command and letting the server connect back to its data port, the client issues a PASV command. The server then opens an arbitrary unprivileged port (P > 1023) and tells the client the address and port in its reply, 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), where P = p1*256 + p2. The client then initiates the data connection from local port N+1 to port P on the server.

For the server-side firewall, supporting passive FTP means allowing the following traffic:

FTP server command port (21) accepts connections from any client port > 1023 (client's initial connection)

FTP server command port (21) to client port > 1023 (server responds to client commands)

FTP server data port (> 1023) accepts connections from client port > 1023 (client initiates the data connection to the port the server specified)

FTP server data port (> 1023) to client port > 1023 (server sends ACKs and data to the client's data port)

The figure illustrates the exchange:

In step 1, the client's command port connects to the server's command port and sends the command PASV. In step 2, the server replies 227 Entering Passive Mode, with the last two fields (7,232) encoding data port 2024, telling the client which port the server is listening on for the data connection. In step 3, the client initiates the data connection from its own data port to the specified data port on the server. Finally, in step 4, the server returns an ACK to the client's data port.

Passive FTP solves many problems on the client side but creates more on the server side. The biggest is that the server must accept connections from any remote host to its high ports. Fortunately, many FTP daemons, including the popular WU-FTPD, let the administrator restrict the range of ports the server uses for passive data connections. See Appendix 1 for details.

The second problem is that some clients support passive mode and others do not, and you have to decide how to support the latter. For example, the FTP command-line tool shipped with Solaris does not support passive mode, so its users need a third-party FTP client such as ncftp.

With the spread of the web, many people use a web browser as their FTP client. Most browsers support only passive mode when accessing ftp:// URLs. Whether that is good or bad depends on how the server and its firewall are configured.

Note:

Some readers have pointed out that a client behind a NAT (Network Address Translation) device cannot use active mode against an external FTP server: the PORT command carries the client's private IP address in its payload, and unless the NAT device is smart enough to rewrite the address inside the FTP packet, the server will try to connect back to an unreachable private address.
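The two exchanges described above and the NAT problem from the note, as an added Python example that is not part of the original article: it encodes and decodes the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply, applies the address checks each side should make (the server refusing a PORT that names any host but the control peer or a privileged port, following RFC 2577; the client ignoring a NAT-mangled address in a 227 reply, as curl's --ftp-skip-pasv-ip option does), and then drives both connection directions over loopback sockets. The loopback "server" and "client" are constructed stand-ins, not a real FTP implementation.

```python
# Active vs passive FTP data connections, with the address checks that belong on
# each side of PORT / 227. Added example, not code from the article; the loopback
# "server" and "client" are constructed stand-ins, not an FTP implementation.
import socket
import threading


def encode_hostport(ip: str, port: int) -> str:
    """ip:port -> 'h1,h2,h3,h4,p1,p2', the form carried by PORT and by the 227 reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def decode_hostport(text: str):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port); raises ValueError on malformed input."""
    parts = [int(p) for p in text.strip("() ").split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host-port string: %r" % text)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def server_accept_port(cmd: str, control_peer_ip: str):
    """Server side of active mode: validate 'PORT h1,h2,h3,h4,p1,p2'.
    Connect back only to the control connection's peer and only to an unprivileged
    port (RFC 2577's advice against FTP bounce); this also rejects a NAT'd client
    that advertises its private address."""
    verb, _, arg = cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % cmd)
    ip, port = decode_hostport(arg)
    if ip != control_peer_ip:
        raise PermissionError("PORT address %s is not the control peer %s" % (ip, control_peer_ip))
    if port < 1024:
        raise PermissionError("PORT to privileged port %d refused" % port)
    return ip, port


def client_accept_pasv(reply: str, control_peer_ip: str):
    """Client side of passive mode: parse '227 Entering Passive Mode (h1,...,p2)'.
    A server behind NAT often advertises its private address here. Keep the port
    but connect to the address the control connection actually reached (the
    behaviour of curl's --ftp-skip-pasv-ip)."""
    if not reply.startswith("227"):
        raise ValueError("unexpected reply: %r" % reply)
    advertised_ip, port = decode_hostport(reply[reply.index("(") + 1:reply.rindex(")")])
    if port < 1024:
        raise ValueError("server advertised privileged data port %d" % port)
    if advertised_ip != control_peer_ip:
        return control_peer_ip, port, "nat-rewrite"
    return advertised_ip, port, "as-advertised"


def _recv_all(conn) -> bytes:
    chunks = []
    while True:
        buf = conn.recv(4096)
        if not buf:
            return b"".join(chunks)
        chunks.append(buf)


def active_mode_transfer(payload: bytes = b"active-mode data") -> bytes:
    """Client listens on a high port; the SERVER connects out to it."""
    peer = "127.0.0.1"
    with socket.socket() as listener:
        listener.bind((peer, 0))
        listener.listen(1)
        ip, port = listener.getsockname()
        target = server_accept_port("PORT " + encode_hostport(ip, port), peer)
        def server_side():  # server data port -> client data port
            with socket.create_connection(target) as data:
                data.sendall(payload)
        t = threading.Thread(target=server_side)
        t.start()
        conn, _ = listener.accept()
        with conn:
            received = _recv_all(conn)
        t.join()
    return received


def passive_mode_transfer(payload: bytes = b"passive-mode data") -> bytes:
    """Server listens on a high port; the CLIENT connects to it."""
    peer = "127.0.0.1"
    with socket.socket() as listener:
        listener.bind((peer, 0))
        listener.listen(1)
        _, port = listener.getsockname()
        # Constructed NAT case: the 227 reply names a private address, not the
        # one the client reached the server on; the client must cope with that.
        reply = "227 Entering Passive Mode (%s)" % encode_hostport("10.0.0.5", port)
        target_ip, target_port, _ = client_accept_pasv(reply, peer)
        def server_side():  # server accepts on its data port
            conn, _ = listener.accept()
            with conn:
                conn.sendall(payload)
        t = threading.Thread(target=server_side)
        t.start()
        with socket.create_connection((target_ip, target_port)) as data:
            received = _recv_all(data)
        t.join()
    return received
```

Calling active_mode_transfer() shows the server dialling out to the client's advertised port; passive_mode_transfer() shows the client dialling in, and connecting to the control peer rather than the 10.0.0.5 address the constructed 227 reply advertised. The PermissionError paths in server_accept_port are what a daemon should return (as a 5xx reply) for a PORT command naming a third-party host or a low port.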

Summary

The following chart will help administrators remember how each FTP mode works:

Active FTP:

Command connection: client port > 1023 -> server port 21

Data connection: client port > 1023 <- server port 20

Passive FTP:

Command connection: client port > 1023 -> server port 21

Data connection: client port > 1023 -> server port > 1023

The following is a brief summary of the advantages and disadvantages of active and passive FTP:

Active FTP is convenient for the FTP server's administrator but not for the client's, because the server tries to connect to a high random port on the client, which the client's firewall will very likely block. Passive FTP is convenient for the client's administrator but not for the server's, because the client opens two connections to the server, one of them to a high random port, which the server's firewall will very likely block.

Fortunately, there is a compromise. Since an FTP server's administrator needs the server to be reachable by as many clients as possible, passive FTP must be supported. The exposure of the server's high ports can be reduced by configuring the FTP server to use a limited range of ports for passive data connections and having the server's firewall block every port outside that range. This does not eliminate the risk to the server, but it greatly reduces it. See Appendix 1 for details.
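One way to check that this compromise is actually in place, as an added Python example that is not part of the original article: the daemon is assumed to be vsftpd, whose pasv_min_port and pasv_max_port directives bound the range it advertises in 227 replies (WU-FTPD, named in the text, has its own equivalent), and the two config/iptables-save pairs, a weak one with no port range and a hardened one, are constructed samples. The audit reports whether the firewall opens the range the daemon actually uses, how many high ports are exposed in total, and how many are opened for nothing.

```python
# Does the host firewall open exactly the passive data-port range the daemon
# hands out? Added example, not from the article. vsftpd is assumed as the daemon
# (pasv_min_port / pasv_max_port); the config and iptables-save text below are
# constructed samples.
import re

PRIVILEGED_MAX = 1023   # passive data ports are always above this
PORT_MAX = 65535

WEAK_CONF = """\
listen=YES
pasv_enable=YES
# no pasv_min_port / pasv_max_port: vsftpd may hand out any unprivileged port
"""
WEAK_RULES = """\
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -j DROP
"""
HARDENED_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""
HARDENED_RULES = """\
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT
-A INPUT -j DROP
"""


def pasv_range(conf: str):
    """(min, max) data ports the daemon will advertise in 227 replies, or None."""
    kv = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    if kv.get("pasv_enable", "YES").upper() != "YES":
        return None
    # vsftpd's default of 0 for both directives means "any unprivileged port"
    lo = int(kv.get("pasv_min_port", "0")) or PRIVILEGED_MAX + 1
    hi = int(kv.get("pasv_max_port", "0")) or PORT_MAX
    return lo, hi


def accepted_tcp_dports(rules: str) -> set:
    """Inbound TCP destination ports the INPUT chain accepts unconditionally."""
    ports = set()
    for line in rules.splitlines():
        if "-A INPUT" in line and "-p tcp" in line and "-j ACCEPT" in line:
            m = re.search(r"--dport\s+(\d+)(?::(\d+))?", line)
            if m:
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                ports.update(range(lo, hi + 1))
    return ports


def audit_passive_exposure(conf: str, rules: str) -> dict:
    """Compare the ports the daemon needs with the ports the firewall opens."""
    rng = pasv_range(conf)
    needed = set(range(rng[0], rng[1] + 1)) if rng else set()
    opened = accepted_tcp_dports(rules)
    high_opened = {p for p in opened if p > PRIVILEGED_MAX}
    return {
        "pasv_range": rng,
        "control_port_open": 21 in opened,
        "range_fully_open": needed <= opened,              # False: PASV transfers hang
        "exposed_high_ports": len(high_opened),            # the server's attack surface
        "unneeded_high_ports": len(high_opened - needed),  # firewall wider than daemon
    }
```

On the weak pair the audit reports 64512 exposed high ports; on the hardened pair, 101. Mixing them is instructive: the hardened config behind the weak rules flags 64411 high ports the firewall opens that the daemon will never use, and the weak config behind the hardened rules reports range_fully_open as False, which is what a "PASV works on the LAN but hangs from the Internet" ticket looks like. Where the control channel is plaintext, the netfilter FTP connection-tracking helper can instead open only the single port named in each 227 reply (matched as RELATED), but it cannot read those replies once the control channel is wrapped in TLS, so a fixed range plus a matching firewall rule remains the portable answer.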
