I know it's not going to work. :-) That's why I suggest you use passive ftp whenever possible when you're behind a router (firewall).

The main characteristic of most firewalls is that they usually allow outgoing traffic to pass out easily, but make it hard to allow incoming traffic to pass in.

Active ftp falls into the latter category. Whenever you need to retrieve data (e.g., doing an ls), first the client tells the server which port it will open by issuing a PORT command, then opens up the port waiting for connections from the server. After the server gets the port information from the client, it initiates a connection to the client using tcp/20 as the source port, and the port specified by the client as the destination port. For each data connection, the client specifies a different port.

Without a firewall, this works OK. But if there's a firewall in between, things get complicated. When the server connects back, the firewall doesn't recognise the connection since it does not belong to any connection initiated from inside. So the firewall simply drops the packet on the ground. Of course you can configure your firewall to forward the connections from the server to the client, but the thing is that for each data connection, the client will use a different port. And again, you can configure your firewall to forward a big range of ports to the client, but that defeats the very purpose of a firewall, doesn't it?

The best solution for active ftp to work through a firewall is to run some kind of ftp proxy on the firewall to monitor the command channel, and temporarily open up a port to the client when needed.

Another solution is to use passive ftp. When the client needs to retrieve data, it issues a PASV command to the server. When the server sees it, it issues a PORT command to the client (instead of the other way round) and opens up the port waiting for the client to connect. After the client gets the port, it will initiate the connection to the server. Since this is an outgoing connection, the firewall will happily pass it through. Most sane ftp clients support passive ftp, with the notable exception of the command line ftp found in most versions of Windows.

The passive ftp approach works great for clients behind a firewall, because it needs no modification to the firewall. But it will have problems when there's a firewall in front of an ftp server. Several famous firewall vendors used to make mistakes in this regard, rendering the firewall nearly useless.

Anyways, ftp is a nasty protocol that creates a lot of headache by violating the protocol independence principle. But since it is so popular, we'll have to work around its evilness.
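The post above can be made concrete by replaying a control channel and asking, for each data connection it announces, who opens the TCP connection and what a stateful firewall in front of the client will do with it. The script below is an added example, not code from this thread or from any firewall product; the client and server addresses and the control-channel transcript are constructed sample values. It decodes the `h1,h2,h3,h4,p1,p2` encoding shared by the PORT command and the 227 reply, classifies each data connection as active (server connects in) or passive (client connects out), and models two firewall policies: plain stateful "outbound only" and the same firewall with an FTP helper that watched the PORT command and opened a temporary pinhole, which is the proxy approach the post recommends. It also flags the NAT caveat that the post's router scenario implies: in active mode the client announces its own, private, address in the PORT command, so even a forwarded port would not help the server reach it.

```python
"""Replay an FTP control channel and show, per data connection, which side
initiates it and whether a stateful firewall in front of the client lets it
through. Added example with constructed sample values; not the thread's code."""
import ipaddress
import re

# Constructed sample addresses: a client on a private LAN behind a router
# and a public FTP server.
CLIENT = "192.168.1.10"
SERVER = "203.0.113.5"

# Constructed control-channel transcript ("C:" = client, "S:" = server):
# one active-mode directory listing followed by one passive-mode retrieval.
TRANSCRIPT = """\
C: PORT 192,168,1,10,19,137
S: 200 PORT command successful.
C: LIST
S: 150 Here comes the directory listing.
C: PASV
S: 227 Entering Passive Mode (203,0,113,5,195,80).
C: RETR file.txt
"""


def decode_hostport(spec):
    """Decode the 'h1,h2,h3,h4,p1,p2' form used by PORT and by the 227 reply
    into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in spec.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port spec: %r" % spec)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def data_connections(transcript):
    """Return one record per data connection announced on the control channel.
    The firewall only ever sees the TCP handshake, so 'initiator' is the field
    that decides the connection's fate."""
    conns = []
    for line in transcript.splitlines():
        m = re.match(r"C: PORT (\S+)$", line)
        if m:
            host, port = decode_hostport(m.group(1))
            # Active mode: the server will connect from tcp/20 to the
            # address and port the client just announced.
            conns.append({"mode": "active", "initiator": "server",
                          "src": SERVER, "sport": 20, "dst": host, "dport": port})
            continue
        m = re.match(r"S: 227 .*\((\d+(?:,\d+){5})\)", line)
        if m:
            host, port = decode_hostport(m.group(1))
            # Passive mode: the client will connect out to the server's port.
            conns.append({"mode": "passive", "initiator": "client",
                          "src": CLIENT, "sport": None, "dst": host, "dport": port})
    return conns


def firewall_verdict(conn, ftp_helper=False):
    """Stateful firewall in front of the client: anything initiated from inside
    creates state and is allowed; an unsolicited inbound SYN is dropped unless
    an FTP helper that parsed the PORT command opened a temporary pinhole for
    exactly that server:20 -> client:port pair."""
    if conn["initiator"] == "client":
        return "ALLOW"
    if ftp_helper and conn["src"] == SERVER and conn["sport"] == 20:
        return "ALLOW-PINHOLE"
    return "DROP"


def nat_caveat(conn):
    """True when an active-mode client announced a private (RFC 1918) address
    in PORT: behind NAT the server cannot reach it even if a port is forwarded."""
    return conn["mode"] == "active" and ipaddress.ip_address(conn["dst"]).is_private


if __name__ == "__main__":
    for c in data_connections(TRANSCRIPT):
        print("%-7s %s:%d  initiator=%s  no-helper=%s  with-helper=%s  nat-caveat=%s" % (
            c["mode"], c["dst"], c["dport"], c["initiator"],
            firewall_verdict(c), firewall_verdict(c, ftp_helper=True), nat_caveat(c)))
```

Run as-is it prints one line per data connection: the active listing is dropped by the plain firewall, allowed only with the helper pinhole, and carries the NAT caveat; the passive retrieval is allowed in both cases because the client opened it. The pinhole in `firewall_verdict` is deliberately narrow (one source, one source port, one destination port), which is what makes the helper approach preferable to forwarding a whole port range.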

Replies, comments and Discussions:

  • dennis2: A question, what's the port number for rogers' ftp site data connection, is it random, or using a particular number (if it is, what's it)? thanks
    • For active ftp, the ftp server uses tcp/20 as the source port for data connection. For passive ftp, the ftp server opens up a higher (random) port waiting for connection from the client.
      • thanks, so if I open port 20, that would be fine, let me try tonight.
        • Auh, I don't quite understand what you mean. Open up port 20 ... on where? your router? If so it's not that simple. I think passive ftp might be a better solution.
          • still not working, I'm behind a router which by default does not open all the ports, but when I try to connect to rogers ftp site, the data connection port keeps changing at each attempt, even if I set the mode to active, ;-(
            • I know it's not going to work. :-) That's why I suggest you use passive ftp whenever possible when you're behind a router (firewall).
              • thanks a lot, dennis // I could work around it, ftp directly from the router pc works, plus it works fine in my office, definitely the problem of the router setting, understand more about ftp, ;-)
            • My two cents...
              1. FTP servers by default use port 21, but might use another port number as well. So, you should make sure you specify the correct port number when trying to connect to the Rogers FTP site you mentioned;

              2. I think you are changing the configuration of your FTP client; what's the error code you got when the connection failed?
              • err: data connection refused. which means my router does not allow the incoming data connection port, since it's random, I could not even enable it. // btw port 21 works fine
                • Is this the error sent by your router or FTP server? Most client applications use port numbers above 1024, randomly. It would be weird if you only had problems with FTP. I doubt your FTP client setting too.
        • You should 'permit' port 21 as well, it's used for the control connection.
          • thanks, yes, I did, I can connect to the site, failed at data connection