Differences

This shows you the differences between two versions of the page.

--- ftp:active_vs_passive_ftp [2016/12/14 10:35] – peter
+++ ftp:active_vs_passive_ftp [2020/07/19 22:52] (current) – old revision restored (2020/07/18 10:36) 192.99.10.93
@@ Line 13: / Line 13: @@
 When drawn out, the connection appears as follows:
-{{:ftp:activeftp.gif?400|}}
 In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.
@@ Line 22: / Line 19: @@
-==== Active FTP Example ====
-Below is an example of an active FTP session.
-In this example an FTP session is initiated from test.sharewiz.net (192.168.1.8), a linux box running the standard FTP command line client, to test2.sharewiz.net (192.168.1.9), a linux box running ProFTPd 1.2.2RC2.  The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes.
-There are a few interesting things to consider about this dialog.  Notice that when the PORT command is issued, it specifies a port on the client (192.168.1.8) system, rather than the server.  We will see the opposite behavior when we use passive FTP.  While we are on the subject, a quick note about the format of the PORT command.  As you can see in the example below it is formatted as a series of six numbers separated by commas.  The first four octets are the IP address while the last two octets comprise the port that will be used for the data connection.  To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total.  Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.
-<code ftp>
-ftp -d test2
-Connected to test2.sharewiz.net.
-test2.sharewiz.net FTP server ready.
-Name (test2:testuser): testuser
----> USER testuser
-Password required for testuser.
-Password: somepassword
----> PASS XXXX
-User testuser logged in.
----> SYST
-UNIX Type: L8
-Remote system type is UNIX.
-Using binary mode to transfer files.
-ftp> ls
-ftp: setsockopt (ignored): Permission denied
----> PORT 192,168,1,8,14,178
-PORT command successful.
----> LIST
-Opening ASCII mode data connection for file list.
-drwx------   3 testuser    users         104 Jul 27 01:45 public_html
-Transfer complete.
-ftp> quit
----> QUIT
-Goodbye.
-</code>
 ===== Passive FTP =====
-In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed.  This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.
-In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server.  When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1).  The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.  The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.
-From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
-  * FTP server's port 21 from anywhere (Client initiates connection)
-  * FTP server's port 21 to ports > 1023 (Server responds to client's control port)
-  * FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
-  * FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)
-When drawn, a passive mode FTP connection looks like this:
-{{:ftp:passiveftp.gif?400|}}
-In step 1, the client contacts the server on the command port and issues the PASV command.  The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection.  In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.
-While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side.  The biggest issue is the need to allow any remote connection to high numbered ports on the server.  Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use.  See Appendix 1 for more information.
-The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode.  As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.
-NOTE: This is no longer the case--use the -p option with the Solaris FTP client to enable passive mode!
-With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client.  Most browsers only support passive mode when accessing ftp:// URLs.  This can either be good or bad depending on what the servers and firewalls are configured to support.\\
-==== Passive FTP Example ====
-Below is an actual example of a passive FTP session.
-In this example an FTP session is initiated from test.sharewiz.net (192.168.1.8), a linux box running the standard FTP command line client, to test2.sharewiz.net (192.168.1.9), a linux box running ProFTPd 1.2.2RC2.  The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes.
-Notice the difference in the PORT command in this example as opposed to the active FTP example.  Here, we see a port being opened on the server (192.168.150.90) system, rather than the client.  See the discussion about the format of the PORT command above, in the Active FTP Example section.
-<code ftp>
-ftp -d test2
-Connected to test2.sharewiz.net.
-test2.sharewiz.net FTP server ready.
-Name (test2:testuser): testuser
----> USER testuser
-Password required for testuser.
-Password: somepassword
----> PASS XXXX
-User testuser logged in.
----> SYST
-UNIX Type: L8
-Remote system type is UNIX.
-Using binary mode to transfer files.
-ftp> passive
-Passive mode on.
-ftp> ls
-ftp: setsockopt (ignored): Permission denied
----> PASV
-Entering Passive Mode (192,168,1,9,195,149).
----> LIST
-Opening ASCII mode data connection for file list
-drwx------   3 testuser    users         104 Jul 27 01:45 public_html
-Transfer complete.
-ftp> quit
----> QUIT
-Goodbye.
-</code>
-===== References =====
-http://slacksite.com/other/ftp.html