An FTP session involves two separate connections: a control connection and a data connection. The control connection is the initial connection that a client makes to an FTP server. The client and server use the control connection to exchange commands for operations such as authenticating a user, requesting a directory listing, or starting a file transfer.
Whenever a client requests a directory listing or uploads or downloads a file, a new data connection is established between the client and server to carry the file contents or the listing. The data connection is closed as soon as the file transfer or directory listing completes, and a new data connection must be established each time another file or directory listing is required.
This data connection is established in one of two ways, active mode or passive mode, and it is the client that instructs the server which mode it would like to use. The mode determines whether the client establishes the data connection by connecting to the server, or whether the server connects back to the client. This has practical implications for firewalls and security, as discussed below:
Active FTP
Active FTP used to be the traditional default used by FTP client programs. Active FTP uses a "reverse data channel" that can cause problems when operating behind some older firewalls and NAT routers, though some modern products have become "FTP aware". By comparison, passive FTP (see next section) has become the favored method of establishing a data connection, as it is more firewall and NAT router friendly.
FTP sessions are initiated by an FTP client's connection to port 21 of an FTP server. This establishes the command channel that FTP clients use to issue commands to the server. In active FTP, an FTP client next opens a listening port on its machine, informs the remote FTP server of this port number, and requests the remote FTP server to connect from its port 20 back to the client on the port it has specified. This establishes the "reverse data channel" for transporting file data and directory listings.
Since many firewalls and NAT routers automatically block incoming connections to their protected client machines, the need to establish this second "reverse data channel" can cause problems. Although passive FTP was created to overcome these problems, some modern firewalls and NAT routers have become "FTP aware". They monitor the outgoing control channel, interpret the client's request to the remote server, and open an incoming port back through the router to the client machine. This allows some active FTP clients to operate behind FTP aware firewalls and NAT routers without problems.
Passive FTP
The passive FTP protocol was created to overcome the firewall and router problems associated with active FTP's need to establish a reverse data channel back from the server to the client. Passive FTP operates just like active FTP except that both the initial control channel (to the server's default port 21) and the data channel (to a port specified by the server in response to a client PASV command) are initiated by the client and received and accepted by the server. Because passive FTP does not use a "reverse data channel" approach, it is often more friendly to firewalls and NAT routers.
To configure for passive FTP (the preferred method), see "My IP address begins with 192.168.xxx.xxx. Is there anything special I have to do for people to see my FTP Server on the Internet?"
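The PORT and PASV exchanges described in the two sections above, as an added example (not code from the original article): it encodes and parses the address fields both commands carry, records which side must accept the inbound data connection in each mode (the point that matters to a firewall or NAT router), and runs a constructed passive-mode handshake on the loopback interface. Function names and the sample directory listing are this example's own.

```python
import re
import socket

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_reply(line):
    """Client side: parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    m = PASV_RE.match(line.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def build_pasv_reply(host, port):
    """Server side: encode the address the client must connect to (passive mode)."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (host.replace(".", ","), port // 256, port % 256)

def build_port_command(host, port):
    """Client side: encode the listening address the server must connect back to (active mode)."""
    if not 0 < port < 65536 or len(host.split(".")) != 4:
        raise ValueError("bad address for PORT command")
    return "PORT %s,%d,%d\r\n" % (host.replace(".", ","), port // 256, port % 256)

def data_channel_plan(mode, client_ip, server_ip):
    """Which side must accept an inbound TCP connection for the data channel.
    Active mode needs the client (often behind NAT) to accept; passive mode needs the server."""
    if mode == "active":
        return {"listener": client_ip, "connector": server_ip, "inbound_to": "client"}
    if mode == "passive":
        return {"listener": server_ip, "connector": client_ip, "inbound_to": "server"}
    raise ValueError("unknown mode: %r" % mode)

def passive_demo():
    """Constructed loopback exchange: the 'server' listens, the 'client' parses 227 and connects."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral data port, as a server would choose
    srv.listen(1)
    host, port = srv.getsockname()
    reply = build_pasv_reply(host, port)                    # would be sent on the control channel
    cli = socket.create_connection(parse_pasv_reply(reply))  # client initiates the data channel
    conn, _ = srv.accept()
    conn.sendall(b"-rw-r--r-- 1 ftp ftp 42 Jan 01 00:00 report.txt\r\n")  # constructed listing
    conn.close()
    listing = cli.recv(1024).decode()
    cli.close()
    srv.close()
    return listing
```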