Active mode and passive mode of FTP
2022-04-22 20:29:00 【sunnyday0426】
1.1 PORT (active mode)
In active mode, the FTP client opens a random port N greater than 1024 and initiates a connection to port 21 on the server, sending the FTP user name and password. It then opens port N+1 for listening and sends the command PORT N+1 to the server, telling the server that the client is using active mode and which port it has opened. After the FTP server receives the PORT command, it uses its local FTP data port (usually 20) to connect to the client-specified port N+1 and transfer data.

1.2 PASV (passive mode)
In passive mode, the FTP client opens a random port N greater than 1024 and initiates a connection to port 21 on the server, sends the user name and password to log in, and opens port N+1 at the same time. It then sends the PASV command to the server, notifying the server that it is in passive mode. After the server receives the command, it opens a port P greater than 1024 to listen on (the range of port P can be configured; this is very important and is discussed later), and then notifies the client with a PORT P command that its own data port is P. After the client receives this, it connects from port N+1 to the server's port P, and data is transferred between the two ports.

1.3 Passive mode packet capture analysis
When the FTP client connects to the server, SSL two-way authentication is performed, so you will see the client use port 59739 to connect to port 2121 on the FTP server. The content in the green box should be the server sending its randomly assigned port number 40006 to the client in encrypted form, telling the client to use port 40006 to transfer files.
You can see that the port the client uses to send files to the server is 59740 (equal to 59739+1). This new port, used to send the file, no longer uses the TLS encryption protocol. The reason is that once login authentication succeeds, the client and server are taken to trust each other, and at that point a new port may be opened to transfer files.
Finally, there are two black [TCP Retransmission] lines; these are two retransmissions. Because the FTP server is installed on the intranet, no range was configured for the port P the server uses to transfer files, and the firewall has no mapping of port 59740 to the external network, the packets the FTP client sends from port 59740 to the FTP server fail. TCP retransmits three times and still fails.

1.4 A comparison of the two modes
The difference between active mode and passive mode can be summarized simply: in active mode, data is transferred by the "server" connecting to a port on the "client" (the client opens the data port); in passive mode, data is transferred by the "client" connecting to a port on the "server" (the server opens the data port).
Active mode requires the client to open a port to the FTP server. Many clients are behind a firewall, and opening a port for the FTP server to access is difficult.
Passive mode only requires the server to open a port for the client to connect to. If the server is inside a firewall, port mapping is also needed.
1.5 Passive mode pitfall
Our system uses FTP in passive mode, and the service is installed in the small network; to communicate with the large network, IP and port mapping is required. At the time, the only configuration done for the FTP server's data-transfer ports was a mapping of the range 30000-30010 on the firewall. As a result, when the client (a device) uploaded, only one upload succeeded, because the port the server randomly opened happened to fall within 30000-30010. Every other upload failed. A packet capture showed only the packets of the client connecting to the server.
Therefore, when the FTP service is installed in the small network (inside the firewall), uses passive mode, and the client is outside the firewall, restrict the range of data-transfer ports on the FTP server and map those ports out.
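A check for the pitfall above, as an added example that is not part of the original post: on the wire the server announces its passive data port in a reply of the form 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), where the port is p1*256 + p2. The code decodes such replies and flags a port outside the 30000-30010 firewall mapping; going slightly beyond the port case, it also flags an advertised RFC 1918 address, which an outside client cannot reach. The sample replies and addresses are constructed.

```python
import ipaddress
import re

# Port range mapped on the firewall in section 1.5 of the article.
MAPPED_PORTS = range(30000, 30011)
# Private ranges an external client cannot route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_TUPLE_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Decode a 227 reply into (ip, port); port = p1 * 256 + p2."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    match = _TUPLE_RE.search(line)
    if match is None:
        raise ValueError("no host/port tuple in %r" % line)
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field above 255 in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def audit_reply(line, mapped=MAPPED_PORTS):
    """List the reasons an outside client's data connection would fail."""
    ip, port = parse_pasv_reply(line)
    problems = []
    if port not in mapped:
        problems.append("port %d is outside the mapped range %d-%d"
                        % (port, mapped[0], mapped[-1]))
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append("advertised address %s is private" % ip)
    return problems


# Constructed sample replies (not taken from the article's capture).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,117,53)",  # port 30005
    "227 Entering Passive Mode (203,0,113,10,156,70)",  # port 40006
    "227 Entering Passive Mode (192,168,1,20,117,48)",  # port 30000
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_pasv_reply(sample), audit_reply(sample) or "ok")
```

Run over the 227 lines from an FTP server log or a client debug trace, an empty result for every reply means the server's configured passive range and the firewall mapping agree.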
1.6 How to choose
If you must use an FTP server, then in today's Internet environment using FTP passive mode for connections and transfers is fine. If you just want the answer, you can stop here. Readers interested in the technology and principles, please read on.
1.6.1 The difference between active mode and passive mode
a. In active mode, data is transferred by the "server" connecting to a port on the "client"; in passive mode, data is transferred by the "client" connecting to a port on the "server".
b. Active mode requires the client to open a port to the server; many clients are behind a firewall, and opening a port for the FTP server to access is difficult. Passive mode only requires the server to open a port for the client to connect to.
Note that in both passive mode and active mode, the login process is the FTP client connecting to the FTP server.
1.6.2 Why are most Internet applications passive?
Because most clients are behind a router and have no independent public IP address, it is too difficult for the server to actively connect to the client; in today's real Internet environment this is almost impossible.
When an FTP server is deployed, the default is the active operation mode. If all users of the enterprise FTP server are on the internal network, that is, there is no need to provide FTP connections to users on the external network, this default mode can be used. However, if employees who are travelling or working from home also need to access the enterprise's internal FTP server, then for security reasons or because of limits on the number of public IP addresses, enterprises tend to deploy the FTP server behind a firewall or NAT server, and in that case the active operation mode will not work.

In short, when deciding between the active and the passive operation mode for an FTP server deployment, just remember one principle: if the FTP server is deployed behind a firewall or NAT server, a client in active operation mode can only establish the command connection and cannot transfer files. If, after the FTP server has been deployed, the system administrator finds that users can connect to the FTP server and view the files in a directory but cannot download or upload files, and permission restrictions have been ruled out, then the operation mode has most likely been chosen incorrectly. Having the system administrator tell users to choose the appropriate operation mode will basically solve the file-transfer problem.
Reference: FTP working principle of active mode and passive mode, and packet capture analysis
Copyright notice
This article was written by [sunnyday0426]. Please include the original link when reposting, thanks.
https://yzsam.com/2022/04/202204222013251486.html