Active FTP vs. Passive FTP, a Definitive Explanation
Contents:
Introduction
The Basics
Active FTP
Active FTP Example
Passive FTP
Passive FTP Example
Summary
References
Appendix 1: Configuration of Common FTP Servers
Introduction
One of the most commonly seen questions when dealing with firewalls and other In
ternet connectivity issues is the difference between active and passive FTP and
how best to support either or both of them. Hopefully the following text will he
lp to clear up some of the confusion over how to support FTP in a firewalled env
ironment.
This may not be the definitive explanation, as the title claims, however, I/’ve
heard enough good feedback and seen this document linked in enough places to kno
w that quite a few people have found it to be useful. I am always looking for wa
ys to improve things though, and if you find something that is not quite clear o
r needs more explanation, please let me know! Recent additions to this document
include the examples of both active and passive command line FTP sessions. These
session examples should help make things a bit clearer. They also provide a nic
e picture into what goes on behind the scenes during an FTP session. Now, on to
the information...
The Basics
基础
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is
an unusual service in that it utilizes two ports, a /’data/’ port and a /’comma
nd/’ port (also known as the control port). Traditionally these are port 21 for
the command port and port 20 for the data port. The confusion begins however, wh
en we find that depending on the mode, the data port is not always on port 20.
ftp是个基于tcp协议特有服务,并没有udp协议的ftp. 与众不同的是ftp使用2个端口,一个
数据端口和一个命令端口(也可叫做控制端口)。通常来说21端口是命令端口而20端口则作
为数据端口。无论如何混淆发生了,当我们发现根据模式的不同,数据端口并不总是20。
Active FTP
In active mode FTP the client connects from a random unprivileged port (N >; 102
4) to the FTP server/’s command port, port 21. Then, the client starts listening
to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server wi
ll then connect back to the client/’s specified data port from its local data po
rt, which is port 20.
主动ftp
在主动模式ftp客户端从一个随机的非特权端口N(N>;1024)连接到ftp服务器的命令端口,
就是21端口。于是客户端开始监听端口N+1同时发送ftp命令“port N+1”到ftp服务器。服
务器于是使用本地的数据端口也就是20端口回连到客户端指定的数据端口(也就是N+1)。
注:and sends the FTP command PORT N+1 to the FTP server.
刚开始不知道怎么翻译,后来查询了port命令,才知道port命令是客户端用来告诉服务
器自己将要使用那个端口来作为自己的数据端口。
From the server-side firewall/’s standpoint, to support active mode FTP the foll
owing communication channels need to be opened:
FTP server/’s port 21 from anywhere (Client initiates connection)
FTP server/’s port 21 to ports >; 1024 (Server responds to client/’s control por
t)
FTP server/’s port 20 to ports >; 1024 (Server initiates data connection to clie
nt/’s data port)
FTP server/’s port 20 from ports >; 1024 (Client sends ACKs to server/’s data po
rt)
从服务器端防火墙的立场来说,必须打开下面的通讯端口才能支持主动模式的ftp:
从任何端口到服务器的21端口的连接 (入;客户端初始化的连接)
服务器的21端口到任何大于1024的端口连接 (出;服务器端响应到客户端的控制端口的连
接)
服务器的20端口到任何大于1024的端口连接 (出;服务器端初始化数据连接到客户端的数
据连接端口)
从任何大于1024端口到服务器的20端口连接 (入;客户端发送ACks到服务器的数据端口
的连接)
When drawn out, the connection appears as follows:
具体说来,连接大概是这样建立的:
In step 1, the client/’s command port contacts the server/’s command port and se
nds the command PORT 1027. The server then sends an ACK back to the client/’s co
mmand port in step 2. In step 3 the server initiates a connection on its local d
ata port to the data port the client specified earlier. Finally, the client send
s an ACK back as shown in step 4.
在第1步中,客户端的命令端口与ftp服务器的命令端口建立连接,并发送命令“PORT 1027
”。然后在第2步中,ftp服务器给客户端的命令端口返回一个/"ACK/"。在第3步中,ftp服
务器发起一个从自己本地数据端口(20)到客户端先前指定的数据端口的连接,然后客户端在
第4步中给服务器端返回一个/"ACK/".
The main problem with active mode FTP actually falls on the client side. The FTP
client doesn/’t make the actual connection to the data port of the server--it s
imply tells the server what port it is listening on and the server connects back
to the specified port on the client. From the client side firewall this appears
to be an outside system initiating a connection to an internal client--somethin
g that is usually blocked.
主动模式的FTP中的主要问题实际上在于客户端。FTP的客户端并没有发起一个到服务器数据
端口的连接,它只是简单的告诉服务器自己监听的端口号,服务器再回来连接这个指定的端
口。对客户端的防火墙来说这是一个从外部系统初始建立的一个指向内部客户的连接,通常
这是会被阻塞的。
Active FTP Example
主动FTP的例子
Below is an actual example of an active FTP session. The only things that have b
een changed are the server names, IP addresses, and user names. In this example
an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linu
x box running the standard FTP command line client, to testbox2.slacksite.com (1
92.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is
used with the FTP client to show what is going on behind the scenes. Everything
in red is the debugging output which shows the actual FTP commands being sent t
o the server and the responses generated from those commands. Normal server outp
ut is shown in black, and user input is in bold.
下面是一个主动FTP会话的真实的例子。唯一改变的是服务器的名称,IP地址和用户名称。
在这个例子中,FTP会话从testbox1.slacksite.com (192.168.150.80)(一个运行标准FTP
命令行客户端的linux终端)发起到testbox2.slacksite.com (192.168.150.90)(一个运行
ProFTPd 1.2.2RC2的linux终端)。debugging(-d)标记用来在FTP客户端显示连接场景背
后进行的操作。红色字体的文字是debugging信息,显示的是发送到服务器的实际FTP命令和
所产生的回应信息。标准的服务器输出信息用黑色字体表示,用户的输入信息用加粗字体表
示。
There are a few interesting things to consider about this dialog. Notice that wh
en the PORT command is issued, it specifies a port on the client (192.168.150.80
) system, rather than the server. We will see the opposite behavior when we use
passive FTP. While we are on the subject, a quick note about the format of the P
ORT command. As you can see in the example below it is formatted as a series of
six numbers separated by commas. The first four octets are the IP address while
the second two octets comprise the port that will be used for the data connectio
n. To find the actual port multiply the fifth octet by 256 and then add the sixt
h octet to the total. Thus in the example below the port number is ( (14*256) +
17, or 3762. A quick check with netstat should confirm this information.
仔细考虑这个对话过程我们会发现一个有趣的事情。我们可以看到当 PORT 命令被提交时,
它指定了一个客户端(192.168.150.80)系统的端口而不是服务器端的。当我们用被动FTP时
我们会看到相反的现象。我们再来关注PORT命令的格式。就象你在下面的例子看到的一样,
它是一个由六个被逗号隔开的数字组成的序列。前四个表示IP地址,后两个组成了数据连接
所用到的端口号。用第五个数*256再加上第六个数就得到了实际的端口号( (14*256) + 17
3762。我们可以用netstat来验证这个端口信息。
testbox1: % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
--->; USER slacker
331 Password required for slacker.
Password: TmpPass
--->; PASS XXXX
230 User slacker logged in.
--->; SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>; ls
ftp: setsockopt (ignored): Permission denied
--->; PORT 192,168,150,80,14,178
200 PORT command successful.
--->; LIST
150 Opening ASCII mode data connection for file list.
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp>; quit
--->; QUIT
221 Goodbye.
Passive FTP
被动FTP
In order to resolve the issue of the server initiating the connection to the cli
ent a different method for FTP connections was developed. This was known as pass
ive mode, or PASV, after the command used by the client to tell the server it is
in passive mode.
为了解决服务器发起到客户的连接的问题,另一种不同的FTP连接模式出现了。这就是所谓
的被动模式,或者叫做PASV,当客户端通知服务器它处于被动模式时才启用。
In passive mode FTP the client initiates both connections to the server, solving
the problem of firewalls filtering the incoming data port connection to the cli
ent from the server. When opening an FTP connection, the client opens two random
unprivileged ports locally (N >; 1024 and N+1). The first port contacts the ser
ver on port 21, but instead of then issuing a PORT command and allowing the serv
er to connect back to its data port, the client will issue the PASV command. The
result of this is that the server then opens a random unprivileged port (P >; 1
024) and sends the PORT P command back to the client. The client then initiates
the connection from port N+1 to port P on the server to transfer data.
在被动FTP模式中,客户端发起两种连接,这解决了防火墙过滤从服务器到客户端的入方向
的数据端口连接的问题。当开启一个FTP连接时,客户端打开两个随机非特权本地端口(N >
; 1024 和N+1)。第一个端口连接服务器的21端口,与主动FTP模式中提交PORT命令并允许
服务器来回连它的数据端口不同,客户端会提交PASV命令。结果是服务器会开启一个随机的
非特权端口(P >; 1024),并发送PORT P命令给客户端。然后客户端发起从本地端口N+1到
服务器的端口P的连接来传送数据。
From the server-side firewall/’s standpoint, to support passive mode FTP the fol
lowing communication channels need to be opened:
从服务器端防火墙的立场来说,必须打开下面的通讯端口才能支持被动模式的ftp:
FTP server/’s port 21 from anywhere (Client initiates connection)
FTP server/’s port 21 to ports >; 1024 (Server responds to client/’s control por
t)
FTP server/’s ports >; 1024 from anywhere (Client initiates data connection to r
andom port specified by server)
FTP server/’s ports >; 1024 to remote ports >; 1024 (Server sends ACKs (and data
) to client/’s data port)
从任何端口到服务器的21端口的连接 (入;客户端初始化的连接)
服务器的21端口到任何大于1024的端口连接 (出;服务器端响应到客户端的控制端口的连
接)
从任何端口到服务器的大于1024端口的连接 (入;客户端初始化数据连接到服务器端的随
机数据连接端口)
服务器的大于1024端口到远程的大于1024的端口连接 (出;服务器端发送ACks到客户端的
数据端口的连接)
When drawn, a passive mode FTP connection looks like this:
具体说来,一个被动模式的FTP连接大概是这样建立的:
In step 1, the client contacts the server on the command port and issues the PAS
V command. The server then replies in step 2 with PORT 2024, telling the client
which port it is listening to for the data connection. In step 3 the client then
initiates the data connection from its data port to the specified server data p
ort. Finally, the server sends back an ACK in step 4 to the client/’s data port.
在第1步中,客户端的命令端口与ftp服务器的命令端口建立连接,并发送命令“PASV”。然
后在第2步中,ftp服务器返回命令/"ORT 2024/",告诉客户端哪个端口用来侦听数据连接。
在第3步中,客户端初始化一个从自己的数据端口到服务器端指定的数据端口的数据连接。
最后服务器在第4步中给客户端的数据端口端返回一个/"ACK/"。
While passive mode FTP solves many of the problems from the client side, it open
s up a whole range of problems on the server side. The biggest issue is the need
to allow any remote connection to high numbered ports on the server. Fortunatel
y, many FTP daemons, including the popular WU-FTPD allow the administrator to sp
ecify a range of ports which the FTP server will use. See Appendix 1 for more in
formation.
被动模式的FTP解决了客户端的许多问题,但同时给服务器端带来了更多的问题。最大的问
题是需要允许从任意远程终端到服务器高位端口的连接。幸运的是,许多FTP守护程序,包
括流行的WU-FTPD允许管理员指定FTP服务器使用的端口范围。详细内容参看附录1。
The second issue involves supporting and troubleshooting clients which do (or do
not) support passive mode. As an example, the command line FTP utility provided
with Solaris does not support passive mode, necessitating a third-party FTP cli
ent, such as ncftp.
第二个问题是客户端有的支持被动模式,有的不支持被动模式,必须考虑如何能支持这些客
户端,以及为他们提供解决办法。例如,Solaris提供的FTP命令行工具就不支持被动模式,
需要第三方的FTP客户端,比如ncftp。
With the massive popularity of the World Wide Web, many people prefer to use the
ir web browser as an FTP client. Most browsers only support passive mode when ac
cessing [url]ftp://URLs.[/url] This can either be good or bad depending on what the server
s and firewalls are configured to support.
随着WWW的广泛流行,许多人习惯用web浏览器作为FTP客户端。大多数浏览器访问[url]ftp://URL[/url]
s时仅支持被动模式。这到底是好还是坏取决于服务器和防火墙的配置。
Passive FTP Example
被动FTP的例子
Below is an actual example of a passive FTP session. The only things that have b
een changed are the server names, IP addresses, and user names. In this example
an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linu
x box running the standard FTP command line client, to testbox2.slacksite.com (1
92.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is
used with the FTP client to show what is going on behind the scenes. Everything
in red is the debugging output which shows the actual FTP commands being sent t
o the server and the responses generated from those commands. Normal server outp
ut is shown in black, and user input is in bold.
下面是一个被动FTP会话的真实的例子。唯一改变的是服务器的名称,IP地址和用户名称。
在这个例子中,FTP会话从testbox1.slacksite.com (192.168.150.80)(一个运行标准FTP
命令行客户端的linux终端)发起到testbox2.slacksite.com(192.168.150.90)(一个运行P
roFTPd1.2.2RC2的linux终端)。debugging(-d)标记用来在FTP客户端显示连接场景背后
进行的操作。红色字体的文字是debugging信息,显示的是发送到服务器的实际FTP命令和所
产生的回应信息。标准的服务器输出信息用黑色字体表示,用户的输入信息用加粗字体表示
。
Notice the difference in the PORT command in this example as opposed to the acti
ve FTP example. Here, we see a port being opened on the server (192.168.150.90)
system, rather than the client. See the discussion about the format of the PORT
command above, in the Active FTP Example section.
注意此例中的PORT命令与主动FTP例子的不同。这里,我们看到是服务器端(192.168.150.90
)而不是客户端的一个端口被打开了。可以跟上面的主动FTP例子中的PORT命令格式对比一下
。
testbox1: % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
--->; USER slacker
331 Password required for slacker.
Password: TmpPass
--->; PASS XXXX
230 User slacker logged in.
--->; SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>; passive
Passive mode on.
ftp>; ls
ftp: setsockopt (ignored): Permission denied
--->; PASV
227 Entering Passive Mode (192,168,150,90,195,149).
--->; LIST
150 Opening ASCII mode data connection for file list
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp>; quit
--->; QUIT
221 Goodbye.
Summary
总结
The following chart should help admins remember how each FTP mode works:
下面的图表会帮助管理员们记住每种FTP模式是怎样工作的:
Active FTP :
command : client >;1024 ->; server 21
data : client >;1024 <- server 20
主动FTP:
命令连接:客户端 >;1024端口 ->; 服务器端 21端口
数据连接:客户端 >;1024端口 <- 服务器端 20端口
Passive FTP :
command : client >;1024 ->; server 21
data : client >;1024 ->; server >;1024
被动FTP:
命令连接:客户端 >;1024端口 ->; 服务器端 21端口
数据连接:客户端 >;1024端口 ->; 服务器端 >;1024端口
A quick summary of the pros and cons of active vs. passive FTP is also in order:
下面是赞成与反对主动与被动FTP的简要总结:
Active FTP is beneficial to the FTP server admin, but detrimental to the client
side admin. The FTP server attempts to make connections to random high ports on
the client, which would almost certainly be blocked by a firewall on the client
side. Passive FTP is beneficial to the client, but detrimental to the FTP server
admin. The client will make both connections to the server, but one of them wil
l be to a random high port, which would almost certainly be blocked by a firewal
l on the server side.
主动FTP对FTP服务器端的管理有利,但对客户端的管理不利。因为FTP服务器企图与客户端
的高位随机端口建立连接,而这个端口很有可能被客户端的防火墙阻塞掉。被动FTP对FTP客
户端的管理有利,但对服务器端的管理不利。因为客户端要与服务器端建立两个连接,其中
一个连到一个高位随机端口,而这个端口很有可能被服务器端的防火墙阻塞掉。
Luckily, there is somewhat of a compromise. Since admins running FTP servers wil
l need to make their servers accessible to the greatest number of clients, they
will almost certainly need to support passive FTP. The exposure of high level po
rts on the server can be minimized by specifying a limited port range for the FT
P server to use. Thus, everything except for this range of ports can be firewall
ed on the server side. While this doesn/’t eliminate all risk to the server, it
decreases it tremendously. See Appendix 1for more information.
幸运的是,有折衷的办法。既然FTP服务器的管理员需要他们的服务器有最多的客户连接,
那么必须得支持被动FTP。我们可以通过指定一个有限的FTP服务器使用端口范围来减小服务
器高级端口的暴露。这样,任何不属于这个范围的端口会被服务器的防火墙阻塞。虽然这没
有消灭所有针对服务器的危险,但它大大减少了危险。详细信息参看附录1。
References
参考资料
An excellent reference on how various internet protocols work and the issues inv
olved in firewalling them can be found in the O/’Reilly and Associates book, Bui
lding Internet Firewalls, 2nd Ed, by Brent Chapman and Elizabeth Zwicky.
O/’Reilly出版的《组建Internet防火墙》(第二版,Brent Chapman,Elizabeth Zwicky著
)是一本很不错的参考资料。里面讲述了各种Internet协议如何工作,以及有关防火墙的例
子。
Finally, the definitive reference on FTP would be RFC 959, which sets forth the
official specifications of the FTP protocol. RFCs can be downloaded from numerou
s locations, including [url]ftp://nic.merit.edu/documents/rfc/rfc0959.txt.[/url]
最权威的FTP参考资料是RFC 959,它是FTP协议的官方规范。RFC的资料可以从许多网站上下
载