## Introduction

One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.

This may not be the definitive explanation, as the title claims; however, I've heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture of what goes on behind the scenes during an FTP session.

## The Basics

FTP is a TCP-based service exclusively. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always on port 20.

## Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

When drawn out, the connection appears as follows:

[Diagram: the four steps of an active FTP connection]

In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection from its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server; it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client-side firewall this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.

## Active FTP Example

Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from a Linux box at 192.168.150.80 running the standard FTP command line client, to a Linux box at 192.168.150.90 running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output, which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command.
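The following is an added example, not part of the original document, that models the active-mode exchange described above: it decodes a PORT command into the client-side data port, replays the four drawn steps as packets, and checks them against the four server-side channels listed above and against a typical client-side firewall that allows no new inbound connections. The addresses and port 1027 are the ones the text uses; the PORT wire format (`h1,h2,h3,h4,p1,p2`, port = p1*256 + p2) is assumed from RFC 959 rather than taken from this page, and the client-side rule set is a constructed illustration of the problem the text describes.

```python
"""Model of active-mode FTP against server- and client-side firewall rules.

Constructed example. The PORT command format is assumed from RFC 959; the
addresses and ports below are the ones used in the text.
"""
import re
from dataclasses import dataclass

CLIENT_IP = "192.168.150.80"   # client in the text's example
SERVER_IP = "192.168.150.90"   # ProFTPd server in the text's example
FTP_COMMAND_PORT = 21
FTP_DATA_PORT = 20

# PORT h1,h2,h3,h4,p1,p2 -- four address octets, then the port in two octets
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); reject malformed input."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT fields must be in the range 0-255")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True for the packet that opens a new TCP connection


def active_ftp_steps(client_data_port: int) -> list[Packet]:
    """The four steps drawn in the text. The client's control port is N and
    its data port is N+1, so the control port is client_data_port - 1."""
    control_port = client_data_port - 1
    return [
        # step 1: client sends PORT on the already-open control connection
        Packet(CLIENT_IP, control_port, SERVER_IP, FTP_COMMAND_PORT, syn=False),
        # step 2: server ACKs back to the client's control port
        Packet(SERVER_IP, FTP_COMMAND_PORT, CLIENT_IP, control_port, syn=False),
        # step 3: server opens a NEW connection from port 20 to the client's data port
        Packet(SERVER_IP, FTP_DATA_PORT, CLIENT_IP, client_data_port, syn=True),
        # step 4: client ACKs the server's data port
        Packet(CLIENT_IP, client_data_port, SERVER_IP, FTP_DATA_PORT, syn=False),
    ]


def _high(port: int) -> bool:
    return port > 1024  # the text's "ports > 1024"


def server_firewall_allows(p: Packet) -> bool:
    """The four channels the text says a server-side firewall must open."""
    if p.dst_ip == SERVER_IP and p.dst_port == FTP_COMMAND_PORT:
        return True   # port 21 from anywhere
    if p.src_ip == SERVER_IP and p.src_port == FTP_COMMAND_PORT and _high(p.dst_port):
        return True   # port 21 to ports > 1024
    if p.src_ip == SERVER_IP and p.src_port == FTP_DATA_PORT and _high(p.dst_port):
        return True   # port 20 to ports > 1024
    if p.dst_ip == SERVER_IP and p.dst_port == FTP_DATA_PORT and _high(p.src_port):
        return True   # port 20 from ports > 1024
    return False


def client_firewall_allows(p: Packet) -> bool:
    """Constructed client-side policy: anything outbound, inbound only if it is
    not a new connection. This is the usual stance the text says blocks step 3."""
    if p.src_ip == CLIENT_IP:
        return True
    return not p.syn


def blocked_steps(client_data_port: int) -> tuple[list[int], list[int]]:
    """Return (steps blocked by server firewall, steps blocked by client firewall)."""
    steps = active_ftp_steps(client_data_port)
    server_blocked = [i + 1 for i, p in enumerate(steps) if not server_firewall_allows(p)]
    client_blocked = [i + 1 for i, p in enumerate(steps) if not client_firewall_allows(p)]
    return server_blocked, client_blocked


if __name__ == "__main__":
    ip, port = parse_port_command("PORT 192,168,150,80,4,3")  # 4*256 + 3 = 1027
    print(f"client listens on {ip}:{port}")
    print("blocked (server, client):", blocked_steps(port))
```

Running it decodes the constructed `PORT 192,168,150,80,4,3` to the client's port 1027, reports that the server-side rule set passes all four steps, and reports that the client-side firewall blocks step 3, the server's inbound connection to the client's data port, which is exactly the failure the text attributes to active mode.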