How to judge whether ftp is currently set in active mode or passive mode?
FTP uses TCP only; there is no UDP component to FTP. FTP differs from most other services in that it uses two ports: a data port and a command port (also called the control port). Traditionally port 21 is the command port and port 20 is the data port. Once active and passive modes come into play, however, the data port is not always 20.

Active mode FTP:

In active mode, the FTP client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client then starts listening on port N+1 (N+1 >= 1024) and sends the command PORT N+1 to the server over the control connection. The server then connects back from its own local data port, port 20, to the data port the client specified.

From the standpoint of the server-side firewall, supporting active mode FTP requires opening the following communication channels:

- FTP server's command port (21) from any client port (client initiates the control connection)
- FTP server's command port (21) to client ports > 1023 (server responds to the client's commands)
- FTP server's data port (20) to client ports > 1023 (server initiates the data connection to the client's data port)
- FTP server's data port (20) from client ports > 1023 (client sends ACKs to the server's data port)

The sequence is as follows:

In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. In step 2, the server sends an ACK back to the client's command port. In step 3, the server initiates a connection from its own data port (20) to the data port the client specified earlier (1027). Finally, in step 4, the client sends an ACK back to the server.
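As an added example (this code is not from the original page or from the slacksite.com session it quotes), the following Python script plays both sides of the four-step active-mode exchange on 127.0.0.1. The "server" is a stub that only understands PORT, LIST and QUIT, not a real FTP server; the client opens a listening data socket, sends PORT, and then waits for the server to connect back to it. The directory listing is constructed, and the OS picks the client's data port instead of the page's N+1.

```python
import socket
import threading

# Constructed listing returned by the stub server on LIST (not real server output).
LISTING = b"drwx------   3 slacker users 104 Jul 27 01:45 public_html\r\n"


def parse_port_arg(arg):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port) where port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_arg(ip, port):
    """(ip, port) -> 'h1,h2,h3,h4,p1,p2' exactly as the client sends it."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def stub_server(ctrl_listener, log):
    """Minimal control-channel handler: PORT, LIST and QUIT only (hypothetical stub)."""
    conn, _ = ctrl_listener.accept()
    rfile = conn.makefile("rb")
    conn.sendall(b"220 stub FTP server ready.\r\n")
    data_target = None
    while True:
        line = rfile.readline().decode().rstrip("\r\n")
        if not line:
            break
        log.append("server got: " + line)
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            data_target = parse_port_arg(arg)                     # step 1: client names its data port
            conn.sendall(b"200 PORT command successful.\r\n")     # step 2: server ACKs
        elif verb == "LIST":
            conn.sendall(b"150 Opening ASCII mode data connection for file list.\r\n")
            # step 3: the SERVER opens the data connection towards the client's port.
            with socket.create_connection(data_target) as data:
                data.sendall(LISTING)
            conn.sendall(b"226 Transfer complete.\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Goodbye.\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented.\r\n")
    conn.close()


def active_session(server_addr):
    """Client side: connect to the control port, listen for the callback, send PORT then LIST."""
    log = []
    ctrl = socket.create_connection(server_addr)
    rfile = ctrl.makefile("rb")

    def reply():
        r = rfile.readline().decode().rstrip("\r\n")
        log.append("client got: " + r)
        return r

    reply()                                                        # 220 banner
    data_listener = socket.socket()                                # the client's "N+1" port
    data_listener.bind(("127.0.0.1", 0))
    data_listener.listen(1)
    ip, port = data_listener.getsockname()
    ctrl.sendall(f"PORT {format_port_arg(ip, port)}\r\n".encode())
    assert reply().startswith("200")
    ctrl.sendall(b"LIST\r\n")
    assert reply().startswith("150")
    data, _ = data_listener.accept()                               # server's step-3 connection lands here
    listing = b""
    while chunk := data.recv(4096):
        listing += chunk
    data.close()
    data_listener.close()
    assert reply().startswith("226")
    ctrl.sendall(b"QUIT\r\n")
    reply()                                                        # 221
    ctrl.close()
    return listing, log


def run_demo():
    """Run stub server and client together; return the listing and the combined message log."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server_log = []
    t = threading.Thread(target=stub_server, args=(listener, server_log), daemon=True)
    t.start()
    listing, client_log = active_session(listener.getsockname())
    t.join(timeout=5)
    listener.close()
    return listing, server_log + client_log


if __name__ == "__main__":
    listing, log = run_demo()
    print("\n".join(log))
    print(listing.decode(), end="")
```

Run it as a script and the log shows the client announcing its listening port with PORT and the server, not the client, opening the data connection. On a real client behind a stateful firewall, the accept() call is exactly where the transfer hangs, because the inbound connection in step 3 is dropped.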

The main problem with active mode FTP actually falls on the client side. The FTP client never opens a connection to the server's data port itself; it simply tells the server which port it is listening on, and the server connects back to that port. From the client-side firewall's point of view, this is a connection initiated by an outside system to an internal client, which is usually blocked.

Active FTP example:

The following is an example of an active FTP session. The server name, IP addresses and user name have of course been changed. In this example the FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a Linux workstation running a standard FTP command-line client, to testbox2.slacksite.com (192.168.150.90), a Linux workstation running ProFTPd 1.2. The client is run with the debugging flag (-d), so the lines beginning with "--->" are debug output showing the actual FTP commands sent to the server; the numbered lines are the server's responses, and the remaining lines are user input or the client's own messages.

Looking carefully at this session, there are a few interesting things to note. When the PORT command is issued, it specifies a port on the client (192.168.150.80), not on the server. With passive FTP we will see the opposite. Note the format of the PORT command: as the example below shows, it is a sequence of six numbers separated by commas. The first four represent the IP address, and the last two make up the port number of the data connection. Multiply the fifth number by 256 and add the sixth to get the actual port number. In the example below the port number is (14 * 256) + 178 = 3762. This port information can be verified with netstat.
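The question in the title, how to tell which mode a session is in, is answered by exactly this detail: a client that sends PORT (or EPRT) is in active mode, one that sends PASV (or EPSV) is in passive mode, and the six-number h1,h2,h3,h4,p1,p2 form appears in the client's PORT argument in the first case and in the server's 227 reply in the second. As an added example (not code from the original page), the following Python decodes that form, handles the RFC 2428 extended variants, and classifies a debug trace. The two traces are constructed to look like `ftp -d` output; only the PORT line in the first one is the page's own.

```python
import re

# Constructed traces in the shape of `ftp -d` debug output (not captured from a real session).
ACTIVE_TRACE = """\
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
"""

PASSIVE_TRACE = """\
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list.
"""


def decode_hostport(six):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in six.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_trace(trace):
    """Return (mode, data_endpoint) for an FTP debug trace.

    PORT / EPRT  -> 'active': the endpoint is the client's listening port, named by the client.
    PASV / EPSV  -> 'passive': the endpoint is the server's listening port, named in the 227/229 reply.
    mode is None if neither kind of command appears.
    """
    mode, endpoint = None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("--->"):                      # client command echoed by -d
            verb, _, arg = line[4:].strip().partition(" ")
            verb = verb.upper()
            if verb == "PORT":
                mode, endpoint = "active", decode_hostport(arg)
            elif verb == "EPRT":                         # RFC 2428: EPRT |1|ip|port|
                _, _, ip, port, _ = arg.split("|")
                mode, endpoint = "active", (ip, int(port))
            elif verb in ("PASV", "EPSV"):
                mode = "passive"
        elif line.startswith("227"):                     # 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
            m = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", line)
            if m:
                endpoint = decode_hostport(m.group(1))
        elif line.startswith("229"):                     # 229 Entering Extended Passive Mode (|||port|)
            m = re.search(r"\(\|\|\|(\d+)\|\)", line)
            if m:
                endpoint = (None, int(m.group(1)))       # address is the control connection's peer
    return mode, endpoint


if __name__ == "__main__":
    for name, trace in (("active", ACTIVE_TRACE), ("passive", PASSIVE_TRACE)):
        print(name, classify_trace(trace))
```

For the page's PORT line the decoder returns ("192.168.150.80", 3762), matching the hand calculation above; for the passive trace the server's 227 reply yields port 195 * 256 + 149 = 50069, a port on the server that the client must now be allowed to reach outbound.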

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.