主动FTP vs. 被动FTP 权威解释

目录

  • 开场白
  • 基础
  • 主动FTP
  • 主动FTP的例子
  • 被动FTP
  • 被动FTP的例子
  • 总结
  • 参考资料
  • 附录 1: 配置常见FTP服务器

开场白

处理防火墙和其他网络连接问题时最常见的一个难题是主动FTP与被动FTP的区别以及如何完美地支持它们。幸运地是,本文能够帮助你清除在防火墙环境中如何支持FTP这个问题上的一些混乱。

本文也许不像题目声称的那样是一个权威解释,但我已经听到了很多好的反馈意见,也看到了本文在许多地方被引用,知道了很多人都认为它很有用。虽然我一直在找寻改进的方法,但如果你发现某个地方讲的不够清楚,需要更多的解释,请告诉我!最近的修改是增加了主动FTP和被动FTP会话中命令的例子。这些会话的例子应该对更好地理解问题有所帮助。例子中还提供了非常棒的图例来解释FTP会话过程的步骤。现在,正题开始了…

基础

FTP是仅基于TCP的服务,不支持UDP。 与众不同的是FTP使用2个端口,一个数据端口和一个命令端口(也可叫做控制端口)。通常来说这两个端口是21-命令端口和20-数据端口。但当我们发现根据(FTP工作)方式的不同数据端口并不总是20时,混乱产生了。

主动FTP

主动方式的FTP是这样的:客户端从一个任意的非特权端口N(N>;1024)连接到FTP服务器的命令端口,也就是21端口。然后客户端开始监听端口N+1,并发送FTP命令“port N+1”到FTP服务器。接着服务器会从它自己的数据端口(20)连接到客户端指定的数据端口(N+1)。

针对FTP服务器前面的防火墙来说,必须允许以下通讯才能支持主动方式FTP:

  • 任何端口到FTP服务器的21端口 (客户端初始化的连接 S<-C)
  • FTP服务器的21端口到大于1023的端口(服务器响应客户端的控制端口 S->C)
  • FTP服务器的20端口到大于1023的端口(服务器端初始化数据连接到客户端的数据端口 S->C)
  • 大于1023端口到FTP服务器的20端口(客户端发送ACK响应到服务器的数据端口 S<-C)

画出来的话,连接过程大概是下图的样子:

在第1步中,客户端的命令端口与FTP服务器的命令端口建立连接,并发送命令“PORT 1027”。然后在第2步中,FTP服务器给客户端的命令端口返回一个”ACK”。在第3步中,FTP服务器发起一个从它自己的数据端口(20)到客户端先前指定的数据端口(1027)的连接,最后客户端在第4步中给服务器端返回一个”ACK”。

主动方式FTP的主要问题实际上在于客户端。FTP的客户端并没有实际建立一个到服务器数据端口的连接,它只是简单的告诉服务器自己监听的端口号,服务器再回来连接客户端这个指定的端口。对于客户端的防火墙来说,这是从外部系统建立到内部客户端的连接,这是通常会被阻塞的。

主动FTP的例子

下面是一个主动FTP会话的实际例子。当然服务器名、IP地址和用户名都做了改动。在这个例子中,FTP会话从 testbox1.slacksite.com (192.168.150.80),一个运行标准的FTP命令行客户端的Linux工作站,发起到testbox2.slacksite.com (192.168.150.90),一个运行ProFTPd 1.2.2RC2的Linux工作站。debugging(-d)选项用来在FTP客户端显示连接的详细过程。红色的文字是 debugging信息,显示的是发送到服务器的实际FTP命令和所产生的回应信息。服务器的输出信息用黑色字表示,用户的输入信息用粗体字表示。

仔细考虑这个对话过程我们会发现一些有趣的事情。我们可以看到当 PORT 命令被提交时,它指定了客户端(192.168.150.80)上的一个端口而不是服务器的。当我们用被动FTP时我们会看到相反的现象。我们再来关注PORT命令的格式。就象你在下面的例子看到的一样,它是一个由六个被逗号隔开的数字组成的序列。前四个表示IP地址,后两个组成了用于数据连接的端口号。用第五个数乘以256再加上第六个数就得到了实际的端口号。下面例子中端口号就是( (14*256) + 178) = 3762。我们可以用netstat来验证这个端口信息。

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
—> USER slacker
331 Password required for slacker.
Password: TmpPass
—> PASS XXXX
230 User slacker logged in.
—> SYST
215 UNIX Type: L8

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
—> PORT 192,168,150,80,14,178

200 PORT command successful.
—> LIST
150 Opening ASCII mode data connection for file list.
drwx——   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
—> QUIT
221 Goodbye.

被动FTP

为了解决服务器发起到客户的连接的问题,人们开发了一种不同的FTP连接方式。这就是所谓的被动方式,或者叫做PASV,当客户端通知服务器它处于被动模式时才启用。

在被动方式FTP中,命令连接和数据连接都由客户端,这样就可以解决从服务器到客户端的数据端口的入方向连接被防火墙过滤掉的问题。当开启一个FTP连接时,客户端打开两个任意的非特权本地端口(N >; 1024和N+1)。第一个端口连接服务器的21端口,但与主动方式的FTP不同,客户端不会提交PORT命令并允许服务器来回连它的数据端口,而是提交PASV命令。这样做的结果是服务器会开启一个任意的非特权端口(P >; 1024),并发送PORT P命令给客户端。然后客户端发起从本地端口N+1到服务器的端口P的连接用来传送数据。

对于服务器端的防火墙来说,必须允许下面的通讯才能支持被动方式的FTP:

  • 从任何端口到服务器的21端口 (客户端初始化的连接 S<-C)
  • 服务器的21端口到任何大于1023的端口 (服务器响应到客户端的控制端口的连接 S->C)
  • 从任何端口到服务器的大于1023端口 (入;客户端初始化数据连接到服务器指定的任意端口 S<-C)
  • 服务器的大于1023端口到远程的大于1023的端口(出;服务器发送ACK响应和数据到客户端的数据端口 S->C)

画出来的话,被动方式的FTP连接过程大概是下图的样子:

在第1步中,客户端的命令端口与服务器的命令端口建立连接,并发送命令“PASV”。然后在第2步中,服务器返回命令”PORT 2024″,告诉客户端(服务器)用哪个端口侦听数据连接。在第3步中,客户端初始化一个从自己的数据端口到服务器端指定的数据端口的数据连接。最后服务器在第4 步中给客户端的数据端口返回一个”ACK”响应。

被动方式的FTP解决了客户端的许多问题,但同时给服务器端带来了更多的问题。最大的问题是需要允许从任意远程终端到服务器高位端口的连接。幸运的是,许多FTP守护程序,包括流行的WU-FTPD允许管理员指定FTP服务器使用的端口范围。详细内容参看附录1。

第二个问题是客户端有的支持被动模式,有的不支持被动模式,必须考虑如何能支持这些客户端,以及为他们提供解决办法。例如,Solaris提供的FTP命令行工具就不支持被动模式,需要第三方的FTP客户端,比如ncftp。

随着WWW的广泛流行,许多人习惯用web浏览器作为FTP客户端。大多数浏览器只在访问ftp://这样的URL时才支持被动模式。这到底是好还是坏取决于服务器和防火墙的配置。

被动FTP的例子

下面是一个被动FTP会话的实际例子,只是服务器名、IP地址和用户名都做了改动。在这个例子中,FTP会话从 testbox1.slacksite.com (192.168.150.80),一个运行标准的FTP命令行客户端的Linux工作站,发起到testbox2.slacksite.com (192.168.150.90),一个运行ProFTPd 1.2.2RC2的Linux工作站。debugging(-d)选项用来在FTP客户端显示连接的详细过程。红色的文字是 debugging信息,显示的是发送到服务器的实际FTP命令和所产生的回应信息。服务器的输出信息用黑色字表示,用户的输入信息用粗体字表示。

注意此例中的PORT命令与主动FTP例子的不同。这里,我们看到是服务器(192.168.150.90)而不是客户端的一个端口被打开了。可以跟上面的主动FTP例子中的PORT命令格式对比一下。

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
—> USER slacker
331 Password required for slacker.
Password: TmpPass
—> PASS XXXX
230 User slacker logged in.
—> SYST
215 UNIX Type: L8

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
—> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
—> LIST
150 Opening ASCII mode data connection for file list
drwx——   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp>; quit
—> QUIT
221 Goodbye.

总结

下面的图表会帮助管理员们记住每种FTP方式是怎样工作的:

主动FTP:
命令连接:客户端 >1023端口 -> 服务器 21端口
数据连接:客户端 >1023端口 <- 服务器 20端口

被动FTP:
命令连接:客户端 >1023端口 -> 服务器 21端口
数据连接:客户端 >1023端口 -> 服务器 >1023端口

下面是主动与被动FTP优缺点的简要总结:

主动FTP对FTP服务器的管理有利,但对客户端的管理不利。因为FTP服务器企图与客户端的高位随机端口建立连接,而这个端口很有可能被客户端的防火墙阻塞掉。被动FTP对FTP客户端的管理有利,但对服务器端的管理不利。因为客户端要与服务器端建立两个连接,其中一个连到一个高位随机端口,而这个端口很有可能被服务器端的防火墙阻塞掉。

幸运的是,有折衷的办法。既然FTP服务器的管理员需要他们的服务器有最多的客户连接,那么必须得支持被动FTP。我们可以通过为FTP服务器指定一个有限的端口范围来减小服务器高位端口的暴露。这样,不在这个范围的任何端口会被服务器的防火墙阻塞。虽然这没有消除所有针对服务器的危险,但它大大减少了危险。详细信息参看附录1。

参考资料

O’Reilly出版的《组建Internet防火墙》(第二版,Brent Chapman,Elizabeth Zwicky著)是一本很不错的参考资料。里面讲述了各种Internet协议如何工作,以及有关防火墙的例子。

最权威的FTP参考资料是RFC 959,它是FTP协议的官方规范。

Active FTP vs. Passive FTP, a Definitive Explanation

Contents:

One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.

This may not be the definitive explanation, as the title claims, however, I’ve heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture into what goes on behind the scenes during an FTP session. Now, on to the information…

FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a ‘data’ port and a ‘command’ port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.

In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server’s command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client’s specified data port from its local data port, which is port 20.

From the server-side firewall’s standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
  • FTP server’s port 20 to ports > 1023 (Server initiates data connection to client’s data port)
  • FTP server’s port 20 from ports > 1023 (Client sends ACKs to server’s data port)

When drawn out, the connection appears as follows:

In step 1, the client’s command port contacts the server’s command port and sends the command PORT 1027. The server then sends an ACK back to the client’s command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn’t make the actual connection to the data port of the server–it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client–something that is usually blocked.

Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the example below it is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the last two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
  • FTP server’s ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server’s ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client’s data port)

When drawn, a passive mode FTP connection looks like this:

In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client’s data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.

Below is an actual example of a passive FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

Notice the difference in the PORT command in this example as opposed to the active FTP example. Here, we see a port being opened on the server (192.168.150.90) system, rather than the client. See the discussion about the format of the PORT command above, in the Active FTP Example section.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

A reader, Maarten Sjouw, pointed out that active FTP will not function when used in conjunction with a client-side NAT (Network Address Translation) device which is not smart enough to alter the IP address info in FTP packets.

The following chart should help admins remember how each FTP mode works:

 Active FTP :
     command : client >1023 -> server 21
     data    : client >1023 <- server 20

 Passive FTP :
     command : client >1023 -> server 21
     data    : client >1023 -> server >1023

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn’t eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

An excellent reference on how various internet protocols work and the issues involved in firewalling them can be found in the O’Reilly and Associates book, Building Internet Firewalls, 2nd Ed, by Brent Chapman and Elizabeth Zwicky.

Finally, the definitive reference on FTP would be RFC 959, which sets forth the official specifications of the FTP protocol. RFCs can be downloaded from numerous locations, including http://www.faqs.org/rfcs/rfc959.html.

0 Comments
Leave a Reply

Time limit is exhausted. Please reload the CAPTCHA.