Active and passive FTP modes. Active mode

» Operating modes of ftp servers

FTP requires two connections: the first for commands and the second for data. The first (command) connection always goes from the client to the server, but the direction of the second differs between active and passive modes.

In active FTP the second connection goes from the server to the client computer. Because NATs and firewalls made such a connection impossible, passive mode was invented: the server tells the client (over the first connection) which port to use for the second connection (usually the server picks this port at random from some range), and the second connection is then also opened from the client computer to the server.

One important point is that most FTP servers (at least on Windows) do not allow you to limit the port range for the second connection, which complicates firewall configuration and makes proper protection impossible for many of them. Serv-U, for example, is one of the few that allows you to limit this range.

From TMeter's FAQ

The FTP protocol involves two different connections between the client and the FTP server. The first connection is called the “control connection”. It is intended for the client to “log in” to the FTP server, move between directories in the FTP server, etc. In order to get a list of files from the server, download a file from the server, or upload a file to the server, a second connection is used, called a “data connection”.

The control connection is the same for Active and Passive mode. The client initiates a TCP connection from a dynamic port (1024-65535) to port 21 on the FTP server and says “Hello! I want to connect to you. Here is my name and my password.” Further actions depend on which FTP mode (Active or Passive) is selected.

In active mode, when the client says “Hello!” it also tells the server a port number (from the dynamic range 1024-65535) so that the server can connect to the client to establish a data connection. The FTP server connects to the specified client port from its own TCP port 20 for data transfer.

In passive mode, after the client says “Hello!”, the server tells the client the TCP port number (from the dynamic range 1024-65535) to which it can connect to establish a data connection.

The main difference between active FTP mode and passive FTP mode is the side that opens the data connection. In Active mode, the client must accept a connection from the FTP server. In Passive mode, the client always initiates the connection.

Example of an active connection:

Control Connection: Client port 1026 > Server port 21
Data Connection: Client port (announced by the client) < Server port 20

Passive connection example:

Control Connection: Client port 1026 > Server port 21
Data Connection: Client port 1027 < Server port 2065

What is active mode and what is it for?
Active and Passive modes are two different types of connections that determine how you will connect to other users and the order in which you receive files.

Passive mode is the easiest to use and should work in almost any conditions. But simplicity comes at a price. Passive mode has connection limitations (passive users cannot connect to other passive users) and also causes additional load on the hub, since all passive mode connections go through the hub. This mode should only be used when the active mode cannot be used.

Comparison

The following table shows the differences between the two connection modes


Setting the active mode

Below are descriptions of how to configure active mode depending on the network topology.

Topology A

A computer directly connected to the Internet via a “modem” (analog, ISDN, DSL, etc.), with a dynamic or static IP.

In this case, no additional settings are required other than enabling the Active mode option in the settings. DC++ will automatically detect your IP address and use any free port.

If you are using a firewall, select a specific port in DC++. In your firewall settings, allow DC++ connections on the specified port.

Topology B

A computer as part of a network connected to the Internet through a router. The computer has a static or dynamic external IP address. Address translation technologies (for example NAT) are not used.


The active mode is configured similarly to topology A.

Topology C

A computer connected to the Internet through a router or gateway that uses NAT (Network Address Translation). NAT is a technology that allows multiple computers to access a network through a single IP address. In this case, the computer has its own intranet IP (addresses starting with 192.168.*.*, 10.*.*.* or 172.16.*.* through 172.31.*.*).

Home networks usually use this type of connection.


Setting up active mode requires two steps:

* Configuring port forwarding on the router/gateway.
* Setting the active mode in DC++.

Setting up port forwarding

Unfortunately, the process of setting up forwarding is called differently by different router manufacturers. It may be called: port mapping, virtual servers or other synonyms. It doesn't matter what they are called, they all use the same principle. Its idea is as follows: the router is configured in such a way that a connection to a specific port on the router (the port you choose) is forwarded to a specific machine within the network.

Setting up DC++

In the “Settings - Connection Settings” menu, select the active mode. Enter the external IP address. Enter the port number, this should be the port configured for forwarding in the previous section.

File Transfer Protocol, first standardized in the early 1970s, is an application layer protocol that uses the TCP transport protocol to transfer data. FTP was developed in a time when clients and servers communicated directly with each other, without intermediaries and with a minimum of barriers.

FTP problems in modern networks

On modern networks (NAT, firewall, load balancer), the following features of FTP do not allow it to work properly:

  1. Two separate TCP/IP connections: for data transmission and for command transmission;
  2. The data connection can be established on a random port number;
  3. A data connection can come from either a server to a client or from a client to a server;
  4. The destination address of the data connection (selection of operating mode) is negotiated on the fly between the client and server via the command connection;
  5. The command connection is idle while data is being transferred through the data connection.

Problem 1 is caused by the fact that the routing device or balancer must maintain two connections between the same source and destination.

Problem 2 arises because FTP cannot work if incoming ports are strictly limited to known ones. That is, in normal mode FTP cannot work with only incoming port 21 (used by the command connection) open; it also needs a set of open high-numbered ports (49152-65534) for data transfer.

Problem 4 arises because a NAT device must change the contents of command-connection packets on the fly so that the server's internal address is replaced by the external one, and must also redirect packets arriving at the external address to the server's internal address.

Problem 5 arises because routing devices may terminate the command connection as stale.

Two data transfer modes in FTP

FTP supports two operating modes: active and passive. They differ in the mechanism for establishing a connection for data transfer:

  • In active mode, the server connects from its port 20 to the port specified by the client.
  • In passive mode, the client connects from a random port of its own to the port specified by the server.

Thus all modern FTP clients negotiate with the server who sends the data and who initiates the connection. The client can request active mode by sending the PORT command, which tells the server to connect to a specific client IP and port and start sending data, or passive mode by sending the PASV command, which tells the server that the client is waiting for the server's IP and port in order to start receiving data.

Since the client initially connects to the server to establish a connection to send commands, it would be logical if the client also established the data connection, i.e. sent the PASV command (while also fixing the problem between FTP and the firewall). However, this is not the case; for some reason the creators of the FTP specification decided that the preferred mode should be PORT, and PASV support on the client side is not even necessary.

FTP supports login/password access, but it is not secure because the credentials are transmitted in clear text. In a web browser, they can be passed directly in the URL.

Ftp:// :@:/

Example of sessions using active and passive data transfer modes

An example of active mode, where the client connects anonymously and makes one active data transfer (directory browsing).

Client: USER anonymous
Server:
Client: PASS NcFTP@
Server: 230 Logged in anonymously.
Client: PORT 192,168,1,2,7,138
        (the client asks the server to connect to port 1930 at IP address 192.168.1.2)
Server: 200 PORT command successful.
Client: LIST
Server: 150 Opening ASCII mode data connection for /bin/ls.
        (the server connects from port 20 to port 1930 at IP address 192.168.1.2)
Server: 226 Listing completed. Data transferred successfully.
Client: QUIT
Server: 221 Goodbye.

Passive mode example

Client: USER anonymous
Server: 331 Guest login ok, send your e-mail address as password.
Client: PASS NcFTP@
Server: 230 Logged in anonymously.
Client: PASV
        (the client requests connection information from the server)
Server: 227 Entering Passive Mode (172,16,3,4,204,173)
        (the server tells the client to connect to port 52397 at IP address 172.16.3.4)
Client: LIST
Server: 150 Data connection accepted from 172.16.3.4:52397; transfer starting.
        (the client has connected to the server on port 52397 at IP address 172.16.3.4)
Server: 226 Listing completed. Data transferred successfully.
Client: QUIT
Server: 221 Goodbye.

Specific problems:

    PORT mode - FTP client behind NAT or firewall

    The biggest problem faced by FTP clients using active mode is that the server itself must connect to the client's IP address. If there is a firewall in the path that blocks all incoming connections, the FTP session will not take place. Another problem arises if the client is behind NAT and uses an internal IP address: by telling the server its internal address, the client makes it impossible for the server to connect.

    Solution 1: The FTP client must be configured to use passive mode.

    Solution 2: Configure NAT to track FTP connections. When a client uses active mode, the NAT device must rewrite the internal address of the client and replace it with the external address of the device. Then the connection to transfer data from the FTP server, having arrived at the external NAT address of the device, will be forwarded by it to the internal address of the FTP client behind the NAT.

    PASV mode - FTP server behind a firewall

    When the FTP server is behind a firewall, clients will have problems using passive mode to connect to the FTP server's ephemeral port. The most common case is a firewall in front of the FTP server that allows connections only to a set of known ports and blocks the rest.

    Solution 1: The administrator can open a group of ports on the firewall through which connections to the FTP server can occur.

    Solution 2: If there is firewall support, the administrator can configure the ports to automatically open to establish a passive connection to the FTP server. This setup is similar to what was described for an active client behind NAT. Thus, when the firewall monitors the FTP server's response to a passive client request, it temporarily opens the port specified in the response, and only for the IP from which the passive request originated.

    PASV mode - FTP server behind NAT

    In PASV mode, the server responds to the client with its internal IP address and port, which makes it impossible for the client to connect.

    Solution 1: Configure NAT to monitor FTP data connections. When the server sends a response in passive mode, the NAT device must rewrite the internal address of the server and replace it with the external address of the device. Then the connection for data transfer from the FTP client, having arrived at the external NAT address of the device, will be forwarded by it to the internal address of the FTP server behind the NAT.

    PASV mode - FTP server behind a load balancer

    The balancer represents one IP address, the connection to which will be redirected to one of the balanced servers. The balancer presents two problems for FTP. The first occurs due to the fact that several connections are established between the FTP server and the client: one for transmitting commands and one or more for transmitting data. In passive mode, the balancer must redirect the data connection to the same server as the command connection. The second problem is a consequence of the first: when the FTP server responds with a passive response, this response will contain the internal address of the FTP server, and not the external address of the balancer.

    Solution 1. Assign each FTP server behind the balancer a legitimate IP address accessible from the outside. In this case, the FTP server will be able to independently serve FTP clients in passive mode, bypassing the balancer.

    Solution 2: Configure a balancer to monitor FTP connections for data transfer. When the server sends a response in passive mode, the balancer must rewrite the internal address of the server and replace it with the external address of the balancer. Then the connection for data transfer from the FTP client, having arrived at the external address of the balancer, will be forwarded by it to the internal address of the FTP server behind the balancer.

    Solution 3: Configure the FTP server so that its responses in passive mode contain the external address of the balancer, not the server, and hope that the balancer will redirect the connection to the waiting server.

    Unsolvable problem - firewalls on both ends

    When the client and server are both behind firewalls that block all incoming connections except to a group of known ports, problems begin. The client cannot use active mode because the server will not be able to connect to it, and cannot use passive mode because it cannot connect to the FTP server's data port.
    In this case the firewall settings must be changed, preferably on the server side.

    FTP server on a non-standard port

    Some routing devices are capable of processing FTP sessions only if they arrive on the server's standard port. Therefore, if an FTP server is listening on a non-standard port, you need to configure the routing device so that it knows that there is an FTP server behind this port and processes connections correctly.

    But even then, a client-side firewall can get in the way. This can happen if the client-side firewall strictly requires that the FTP data connection from the FTP server originate from port 20 (in active mode). If the FTP server is running on port N, then according to the FTP specification, its data connections will originate from port N - 1 and will be blocked by the client's firewall.

    Problems caused by firewalls terminating FTP sessions prematurely

    This problem most often occurs when transferring a large file. Once the connection parameters have been agreed and the transfer has begun, the command connection sits idle until the file transfer is complete. If the routing device is not FTP-aware and the file transfer takes longer than its idle timeout, the connection times out from the routing device's point of view and is terminated, and further incoming packets are discarded.

    The solution is a routing device that keeps the command connection alive even though no packets have crossed it for a long time. Another option is to enable the “Keep Alive” function in the TCP/IP stack on the client or server side: the stack sends a probe packet at set intervals and closes the connection cleanly if the other side does not answer; if it does answer, the firewall counts the connection as active.
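The keep-alive option described above, as an added example that is not code from the original article: it enables TCP keep-alive on a socket (the one a client would have opened to the server's control port) and, where the platform exposes them, sets the Linux-specific knobs TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT. The idle value should be chosen below the firewall's idle timeout so that a probe crosses the firewall before it gives up on the connection. The demo connects to a loopback listener so that it runs offline; the listener and the timer values are this example's own choices.

```python
"""Enable TCP keep-alive on an FTP control socket so that an idle control
connection is not dropped by a stateful firewall during a long transfer.

Added example, not code from the original article.  Only the standard
socket API is used; the per-socket idle/interval/count options are
Linux-specific and are applied only where the platform defines them.
"""
import socket


def enable_keepalive(sock, idle=60, interval=15, count=4):
    """Turn on keep-alive probes on sock and return the settings in effect.

    idle:     seconds of silence before the first probe (keep it below the
              firewall's idle timeout)
    interval: seconds between probes
    count:    unanswered probes after which the kernel drops the connection
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": True}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)  # absent on platforms without it
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def keepalive_enabled(sock):
    """True when SO_KEEPALIVE is set on sock."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def demo():
    """Constructed loopback 'control connection' for an offline check.

    Returns (keepalive before, keepalive after, settings applied)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # any free port on loopback
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    try:
        before = keepalive_enabled(client)
        settings = enable_keepalive(client, idle=60, interval=15, count=4)
        after = keepalive_enabled(client)
        return before, after, settings
    finally:
        server_side.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print(demo())
```

In a real client the call is simply `enable_keepalive(control_socket)` right after connecting to port 21, before the first long transfer starts.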

  • Use passive mode whenever possible (this is the default in web browsers)
  • If the connection to the FTP server succeeds but browsing directories or transferring files ends in a connection failure, the problem is most likely the idle timers on the firewall
  • Use devices that support FTP features

The abbreviation FTP stands for File Transfer Protocol; it is an application layer protocol for exchanging files over the TCP/IP transport between two computers, an FTP client and an FTP server. It is one of the oldest protocols still in active use.

The FTP protocol is designed to solve the following problems:

  • access files and directories on remote hosts
  • ensuring client independence from the file system type of the remote computer
  • reliable data transmission
  • use of remote system resources.

The FTP protocol uses two connection channels at once: one for transferring commands and the results of their execution, the other for exchanging data. With standard settings, the FTP server uses TCP port 21 for the command channel and TCP port 20 for the data channel.

    The FTP server waits for connections from FTP clients on TCP port 21 and, after establishing a connection, accepts and processes FTP commands, which are regular text strings. The commands define connection parameters, the type of data transferred, and actions in relation to files and directories. After agreeing on the transmission parameters, one of the exchange participants enters passive mode, waiting for incoming connections for the data exchange channel, and the second establishes a connection to this port and begins transmission. Once the transfer is complete, the data connection is closed, but the control connection remains open, allowing you to continue the FTP session and create a new data transfer session.

    The FTP protocol can be used not only to transfer data between a client and a server, but also between two servers. In this case, the FTP client establishes a control connection with both FTP servers, switches one of them to passive mode, and the second to active, creating a data transmission channel between them.

    An FTP client is a program that connects to an FTP server and performs the operations needed to view the contents of the server's directories and to download, upload and delete files or folders. Such a program can be an ordinary browser, an operating system component, or dedicated software, such as the popular download manager Download Master or the multifunctional free FileZilla FTP Client.

    The FTP protocol was developed back when the client and server interacted directly, without any intermediate transformation of TCP packets, and in its standard mode it assumes that a TCP connection can be created not only at the initiative of the client but also at the initiative of the server, from TCP port 20 to the client's TCP port whose number is transmitted when the data session is created.

    Today such a TCP connection from server to client is in the vast majority of cases impossible, or very hard to arrange, because in most cases the Internet connection uses network address translation (NAT) and the client has no network interface on which a direct TCP connection from the Internet could be created. A typical diagram of a standard Internet connection looks like this:

    The Internet connection is made through a special device, a router with NAT function, which has at least two network ports: one connected to the provider's network, with a network interface that has a routable IP address (a so-called “white IP”), for example 212.248.22.144, and a port with a network interface for connecting local network devices, with a private, non-routable IP address, for example 192.168.1.1 (“gray IP”). When connections are created from local network devices to external hosts, the IP packets are sent to the router, which translates addresses and ports so that the sender's address becomes its white IP address. The translation results are saved, and when a response packet is received the reverse translation is performed. Thus the router forwards TCP/IP packets from any local network device to external networks and forwards the response packets back. But when a packet that is not a response to an existing connection arrives on the network interface connected to the provider's network, the router software can react in the following ways:

    The packet is ignored because there is no network service to process it.

    The packet is received and processed by the network service of the router itself, if such a service exists and is waiting for an incoming connection ("listening") on the port whose number is indicated in the received packet.

    The packet is forwarded to a server on the local network that expects this type of incoming connections in accordance with the port mapping rules specified in the router settings.

    Therefore, at present, the main mode of operation using the FTP protocol has become the so-called “passive mode”, in which TCP connections are made only from the client to the TCP port of the server. The active mode is used in cases where it is possible to connect TCP from the server to client ports, for example, when they are on the same local network. The FTP connection mode is selected using special commands:

    PASV - the client sends this command to perform data exchange in passive mode. The server returns the address and port to which the client must connect to receive or transmit data. Example fragment of an FTP session in passive mode:

    PASV - command to switch to passive mode, sent by the FTP client to the FTP server

    227 Entering Passive Mode (212,248,22,144,195,89) - FTP server response, where 227 is the response code, followed by a text message about switching to passive mode and, in brackets, the IP address and port number that will be used to create the data channel. The address and port number are given as decimal numbers separated by commas. The first 4 numbers are the IP address (212.248.22.144); the remaining 2 numbers give the port number, calculated as the first number multiplied by 256 plus the second number; in this example the port number is 195 * 256 + 89 = 50017.

    PORT <client IP address and port number> - the client sends this command to establish a session in active mode. The IP address and port number are specified in the same format as in the previous example, for example PORT 212,248,22,144,195,89. To transfer data, the server itself connects to the client on the specified port.

    Installing and configuring FileZilla FTP Server.

    You can download the FileZilla Server installation package for your version of the operating system at

    The server installation is performed in the standard way, with the exception of the item with the selection of server control panel settings:

    This is the main server management tool through which all necessary settings are made. By default, the control panel operates on a loopback interface without password access. If necessary, for example, if remote control of the FTP server is required, these settings can be changed.

    Once the installation is complete, an invitation window will open to connect to the server:

    After entering the IP address, port number and password (if you specified them during the installation process), the FileZilla Server control panel opens:

    At the top of the window there is the main menu and the control panel buttons. Below there are two areas: server information messages and statistics. Overall, the FileZilla Server control panel is quite simple and easy to use. Main menu items:

    File - operating modes of the FTP server control panel. Contains sub-items:

    - Connect to Server - connect to the server
    - Disconnect - disconnect from the server
    - Quit - shut down the control panel.

    Server - FTP server management. Contains sub-items:

    - Active - start/stop the FTP server. If the checkbox is checked, the FTP server is started; if unchecked, it is stopped.
    - Lock - prohibit/allow connections to the server. When the checkbox is checked, new connections to the server are prohibited.

    Edit - editing settings. Sub-items:

    - Settings - basic server settings.
    - Users - FTP server user settings
    - Groups - user group settings.

    As an example, let's configure the server for the following conditions:

  • the server is behind NAT, has a private IP address, but must be accessible from the Internet, supports passive mode and uses non-standard TCP ports. The use of non-standard ports reduces the likelihood of hacker attacks, and in addition some providers filter traffic and block the standard ports 20 and 21.
  • users have the ability to download from the server, upload to the server, and delete and rename files and folders.
  • if a dynamic IP address is used, the server must be reachable by DNS name.
  • the server will run on a workstation under Windows 7 / Windows 8.

    In other words, you need to create an FTP server accessible from the Internet for exchanging files between users, free of charge. Clearly, in addition to configuring the FTP server itself, you will need to change some router settings and Windows firewall settings, and solve the dynamic IP address problem so that the server is reachable by name regardless of IP address changes.

    Solving the problem of dynamic IP address.

        This problem does not require a solution in cases where, when connecting to the Internet, a static IP address is used, or a dynamic one, but in accordance with the provider’s settings, it is almost always the same. Otherwise, you can use a technology called Dynamic DNS (DDNS) . This technology allows you to update the IP address information on the DNS server almost in real time, and access the router (and services behind it) by the registered name, without paying attention to changes in the dynamic IP.

    To implement this technology for free, you need to register with a dynamic DNS service and install client software that updates the DNS record when the IP address changes. Dynamic DNS support is usually provided by network equipment manufacturers (D-Link, Zyxel, etc.), by some hosting companies and by specialized companies such as the well-known DynDNS. However, after the services that had been free for registered non-commercial users became paid in the second half of 2014, the most popular solution has probably been dynamic DNS based on the No-IP.org service, which provides free support for 2 hosts with dynamic IP. To use the service for free, you must register and periodically (roughly once a month) visit the site to refresh the information about the dynamic IP hosts in use. If you skip the refresh, the service is suspended and it becomes impossible to reach the host by name. With the paid service no refresh is required.

        Almost all modern routers (modems) have built-in support for a dynamic DNS client. Its setup is usually very simple - you fill in the fields with the user name and password, as well as the host name received when registering with the DDNS service. Example for Zyxel P660RU2

        Using the DDNS client built into the router/modem is preferable to a DNS update utility running in the OS, since it allows additional capabilities, such as managing the router over the Internet while the computer is turned off and remotely powering on computers behind NAT using Wake On LAN technology.

    In those cases where it is not possible to use the built-in DDNS client, you will have to make do with application software - a client program for supporting dynamic DNS. Such a program periodically connects to a server that maintains a registered domain name associated with the router through which the Internet connection is made, and calls the IP update procedure when it changes. The server settings are made in such a way that the comparison of the DNS name and the IP address of the Internet connection is completed in a very short time, and the dynamic nature of the address has virtually no effect on the performance of services associated with the DNS name.

    The procedure is as follows:

  • Go to the website No-IP.org. To work with an existing or new account, use the "Sign In" button (top right of the page).
  • Create your account if you have not done so yet: click "Create Account". The registration form changes periodically, but you must enter the desired username, password and your e-mail. An e-mail with a link to confirm registration is sent to the address given during registration. When registering, select free access: click the "Free Sign Up" button after filling out all the required form fields.
  • After successful registration, log into the site and add an entry for your host: click the "Add Hosts" button. In fact, you only need to enter the selected host name, in this case myhost8.ddns.net. There is no need to change any other parameters.
  • Then download and install the special software, Dynamic Update Client (DUC), linked from the main page of the site. When the DUC installation finishes, it launches and an authorization window opens, where you enter the username or e-mail and password received when registering on the no-ip.org website. Then press the "Edit Hosts" button and check the box next to the previously created host name (myhost8.ddns.net). From now on the selected host name will always correspond to the “white IP address” of your Internet connection. If you have trouble updating your IP address, check whether your DUC client's network activity is being blocked by a firewall.

        Using non-standard port numbers for an FTP server is not at all necessary if the provider does not use traffic filtering, or you do not care about scanning ports for vulnerabilities and trying to guess passwords. In this article, the use of an FTP server with non-standard TCP ports is presented as one of the possible options.

    FileZilla Server settings are made through the "Edit" - "Settings" menu

    The General Settings window is intended for general FTP server settings.

    In the "Listen on this port" field you can specify the port number for incoming TCP connections. By default this field is set to 21; to use a non-standard number, enter the chosen value, for example 12321. Using a non-standard TCP port has some inconvenience, since its value must be specified when creating a session:

    If the server is planned to be used both with access from the Internet and on the local network, it makes sense to leave the standard value 21, and use a non-standard port number for connections from the Internet, setting up redirection of packets arriving on port 12321 of the router to port 21 of the FTP server in local network. With this setup, there is no need to specify a port number for FTP sessions within the local network.

    Other parameters are for tuning performance and session timeouts. They can be left unchanged. The remaining sections of general settings can also be left as default:

    Welcome Message - text that is sent to the client upon connection.

    IP Binding - the network interface on which client connections will be expected. By default any interface, but you can specify a specific one, for example 192.168.1.3.

    IP Filter - filtering rules for client IP addresses. By default, connections are allowed from any IP.

    The Passive mode settings section serves to configure passive FTP mode and will require changing almost all default parameters.

    The port numbers that will be used to transmit data in passive mode must be set manually, since the router will need to be configured to redirect them to the network interface that the server is listening on. Therefore, you need to check the box to enable the "Use custom port range" mode and set the range, for example from 50000 to 50020. The number of ports the server listens on determines the limit on the number of simultaneous data transfer sessions.

    The IPv4 specific subsection defines the IP address that the server will send in response to the PASV command. In this case, it should not be the server's own IP 192.168.1.3, but the "white IP" of our Internet connection. Therefore, you need to set the "Use the following IP" mode and, instead of the IP address, enter the host name received when registering with the dynamic DNS service (myhost8.ddns.net in this example). As an alternative, you can let the server determine the external IP address via the FileZilla project by turning on "Retrieve external IP Address from:". This option can be selected in cases where it is not possible to use the dynamic DNS tool. If you intend to use the FTP server on your local network as well, you need to enable the "Don't use external IP for local connections" mode (do not use the external IP address for connections within the local network).

    The rest of the server settings can be left unchanged or, if necessary, adjusted later. Security settings - by default, connection patterns that can be used to implement DDoS attacks are prohibited.

    Miscellaneous - settings for buffer sizes, other log parameters and some FTP commands.

    Admin Interface settings - server control panel settings. You can specify the network interface, listening port number, IP addresses from which connections to the control panel are allowed, and a password.

    Logging - server event log settings. By default, writing to a file is not performed.

    Speed Limit - data transfer rate limit settings. By default, no restrictions.

    Filetransfer compression - settings for file compression during transfer. The default is no compression.

    SSL/TLS settings - enabling encryption of transmitted data. The default is no encryption.

    Autoban - enable automatic blocking of users who repeatedly guess the password when connecting. By default, automatic blocking is disabled.

    Setting up port forwarding and firewall

    In order for the FTP server to be accessible from the Internet, it is necessary to configure the router so that incoming connections coming to certain TCP ports on the external interface are redirected to the TCP ports listened to by the FTP server on the internal network. For different router models, the settings may differ in terminology, but their meaning is the same - a TCP packet with a specific port number received on the external (WAN) interface is sent to the local network to the desired IP address and port. Example of settings for the D-Link DIR-320NRU router for port forwarding used for passive FTP mode:

    Packets received on an interface with a "white IP" and having port numbers in the range 50000-50020 will be redirected to the IP address specified in the "Internal IP" field (in our case - 192.168.1.3). Similarly, a redirection is created for port 50021 if you changed the standard port number, or to port 21 of the FTP server if you left it unchanged.

    After applying these settings, the FTP server will be accessible via URL ftp://myhost8.ddns.net:50021 or, for a connection within a local network:

    ftp://192.168.1.3 - if you did not change the default port number (21) in the FTP server settings.

    ftp://192.168.1.3:50021 - if a non-standard port number is used.

    You can use a computer name instead of an IP address if it can be resolved to an IP address

    ftp://comp1

    ftp://comp1.mydomain.ru

    Diagnosis of problems

    If the connection to the FTP server does not occur, then there may be problems with the firewall blocking the connections necessary for the operation of the created FTP server. If you use the built-in Windows firewall, you must add a rule that allows network activity for the "FileZilla FTP server" service. If you are using a third-party firewall or antivirus with traffic filtering, you must create a corresponding rule using the available settings tools to allow network connections. Options are possible when settings are made to allow any network activity of a specific program, or to allow selected addresses and ports that apply to all programs.

    The best place to start diagnostics is on the FTP server itself. As a diagnostic tool, you can use the standard telnet client (the telnet.exe utility). Firewalls do not block connections on the loopback interface, so to check that the server settings are correct you can connect to it by entering the command:

    telnet localhost 21 - if the standard port number is used.

    telnet localhost 50021 - if the standard port number has been changed.

    When this command is executed, a connection to the FTP server is made via the loopback interface and a server invitation (Welcome Message) should be displayed in the telnet window. If this does not happen, the server may be stopped, there is a port conflict, or port 21 (50021) is not listening. For diagnostics you can use the command netstat:

    netstat -nab

    The command line options mean:

    n - use numeric port numbers and IP addresses

    a - display all connections and listening ports

    b - display the names of the programs that created each connection.

    Example of displayed command results:

    Active connections

    Name     Local address     External address     Status
    TCP         0.0.0.0:21                 0.0.0.0:0                 LISTENING
    TCP         0.0.0.0:135               0.0.0.0:0                 LISTENING
    RpcSs

    In the Local address column there is the value 0.0.0.0:21, which indicates that the program named FileZilla Server.exe is listening (state LISTENING) on TCP port 21 on all network interfaces. If a specific interface and a different port number were specified in the FTP server settings, then this value will contain IP:port, for example 192.168.1.3:50021.

    To display the results in page mode, you can use the command:

    netstat -nab | more

    Or filter the results by port number: netstat -nab | find ":21"

    If the server is unavailable on a non-loopback interface, but is accessible on a loopback interface, you need to understand the firewall settings.
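    The loopback-versus-LAN check described above, as an added example that is not part of the original article: it connects the way telnet does, reads the server greeting, and turns the two probe results into the diagnosis given in this section. The LAN address 192.168.1.3 and the fake server used for offline testing are assumptions.

```python
import socket
import threading


def read_banner(host, port, timeout=3.0):
    """Connect like 'telnet host port' and return the first reply line.

    Returns None when the TCP connection is refused or times out, or when
    the server closes the connection without sending anything.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    line = data.split(b"\n", 1)[0].decode("utf-8", "replace").strip()
    return line or None


def is_ftp_greeting(banner):
    """An FTP server greets with reply code 220 (or '220-' for a multi-line greeting)."""
    return banner is not None and banner[:3] == "220"


def diagnose(loopback_banner, lan_banner):
    """Map the loopback and LAN probe results onto the article's decision steps."""
    if not is_ftp_greeting(loopback_banner):
        if loopback_banner is None:
            return ("no listener on loopback: server stopped, port conflict or wrong port "
                    "(check with netstat -nab)")
        return "something answers on loopback but it is not an FTP server: %s" % loopback_banner
    if not is_ftp_greeting(lan_banner):
        return ("server answers on loopback but not on the LAN interface: "
                "check the firewall rule for FileZilla Server")
    return "server reachable on both interfaces"


def start_fake_server(banner):
    """Constructed stand-in for a real FTP server, used for offline testing only.

    Accepts one connection on an ephemeral loopback port, sends `banner`,
    closes, and returns the port number it listened on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def find_closed_port():
    """Return a loopback port on which nothing is listening (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Assumed values: the server's LAN address from the article and the standard port.
    LAN_IP, FTP_PORT = "192.168.1.3", 21
    loop = read_banner("127.0.0.1", FTP_PORT)
    lan = read_banner(LAN_IP, FTP_PORT)
    print("loopback:", loop)
    print("LAN:     ", lan)
    print(diagnose(loop, lan))
```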

    Setting up users and groups.

    Setting up users and groups is done through the menu "Edit" - "Users" ("Groups"). It is not necessary to create groups, but sometimes it is convenient in cases where there are a large number of users and their rights in relation to the FTP server differ. The settings for both groups and users are almost identical:

    This example shows the result of adding an FTP server user named user1 having full rights to write, read, delete and merge files, as well as to view the contents, delete and create subdirectories in the directory C:\ftp\public

    On the General page, user properties are added, deleted and changed.
    On the Shared Folders page, you define the list of file system directories that the FTP server will expose via the FTP protocol. Each user or group of users can be given their own directory with specific rights to its contents.
    On the Speed limits page, you can set restrictions on the data exchange speed.
    On the IP Filter page, you can set filtering rules for the user's IP address, indicating the addresses from which connection to the server is prohibited or allowed.

    List of basic FTP commands

    ABOR - Abort file transfer
    CDUP - Change directory to a higher one.
    CWD - Change current directory.
    DELE - Delete a file (DELE filename).
    HELP - Displays a list of commands accepted by the server.
    LIST - Returns a list of files in a directory. The list is transmitted via the data connection (port 20).
    MDTM - Returns the file modification time.
    MKD - Create a directory.
    NLST - Returns a list of files in a directory in a shorter format than LIST. The list is transmitted via the data connection (port 20).
    NOOP - Empty operation
    PASV - Enter passive mode. The server will return the address and port to which you need to connect to collect the data. The transfer will begin when the RETR, LIST, etc. commands are entered.
    PORT - Enter active mode. For example PORT 12,34,45,56,78,89. Unlike the passive mode, the server itself connects to the client to transfer data.
    PWD - Returns the current server directory.
    QUIT - Disconnect
    REIN - Reinitialize connection
    RETR - Download file. RETR must be preceded by a PASV or PORT command.
    RMD - Delete directory
    RNFR and RNTO - Rename a file. RNFR gives the current name, RNTO the new name.
    SIZE - Returns the file size
    STOR - Upload a file to the server. STOR must be preceded by a PASV or PORT command.
    SYST - Returns the system type (UNIX, WIN, ...)
    TYPE - Set the file transfer type (A - ASCII text, I - binary)
    USER - Username to log into the server

    Example FTP session

    FTP client connects to server with username user1, an empty password and downloads a file named cpu-v. Messages from the FTP server are highlighted in red, messages from the FTP client are highlighted in blue. The exchange of directives and parameters may vary slightly between different versions of the FTP client and FTP server software.

    After connecting, the server transmits information about itself to the client:
    220-FileZilla Server version 0.9.45 beta
    220-written by Tim Kosse ( [email protected])
    220 Please visit http://sourceforge.net/projects/filezilla/
    The client passes the username:
    USER user1
    The server asks for a password:
    331 Password required for user1
    The client passes an empty password:
    PASS
    The server verifies the user account and reports the start of the session:
    230 Logged on
    The client requests the type of operating system on the server:
    SYST
    The server reports that the type Unix, emulated by Filezilla server:
    215 UNIX emulated by FileZilla
    The client requests a list of parameters supported by the server:
    FEAT
    The server responds with a list of supported parameters:
    211-Features:
    MDTM
    REST STREAM
    SIZE
    MLST type*;size*;modify*;
    MLSD
    UTF8
    CLNT
    MFMT
    211 End

    The client requests the current directory of the server:
    PWD
    The server reports that the current directory is the root directory ("/"):
    257 "/" is current directory.
    The client reports that it will transfer binary data:
    TYPE I

    The server confirms the type of data being transferred:
    200 Type set to I
    The client reports that it will use passive FTP mode:
    PASV
    The server reports the transition to passive mode and transmits the IP and port for passive FTP mode.
    227 Entering Passive Mode (212,248,22,114,195,97)
    The client requests to receive a file named cpu-v from the current server directory
    RETR cpu-v
    The server reports the start of data transfer:
    150 Opening data channel for file download from server of "/cpu-v"
    Upon completion, the server reports a successful transfer:
    226 Successfully transferred "/cpu-v"

    In conclusion, I would like to add that the FileZilla project includes not only the development and support of a high-quality free FTP server, but also a popular free FTP client.

    An article with a brief description of a free FTP client for Linux, Mac OS and Windows. This FTP client supports many application data transfer protocols - FTP, FTP over SSL/TLS (FTPS), SSH File Transfer Protocol (SFTP), HTTP, SOCKS and FTP-Proxy. In other words, Filezilla FTP Client is a universal software for receiving and transferring files over all modern application protocols between nodes on various platforms.

    24.06.2018

        The abbreviation FTP comes from the English File Transfer Protocol. It is an application layer protocol for exchanging files over the TCP/IP transport between two computers, an FTP client and an FTP server. It is one of the oldest protocols still in active use.

    The FTP protocol is designed to solve the following problems:

  • access files and directories on remote hosts
  • ensuring client independence from the file system type of the remote computer
  • reliable data transmission
  • use of remote system resources.

    The FTP protocol uses two connection channels at once: one for transferring commands and the results of their execution, the other for exchanging data. With standard settings, the FTP server uses TCP port 21 for the channel that sends and receives commands and TCP port 20 for the channel that receives and transmits data.

    The FTP server waits for connections from FTP clients on TCP port 21 and, after establishing a connection, accepts and processes FTP commands, which are regular text strings. The commands define connection parameters, the type of data transferred, and actions in relation to files and directories. After agreeing on the transmission parameters, one of the exchange participants enters passive mode, waiting for incoming connections for the data exchange channel, and the second establishes a connection to this port and begins transmission. Once the transfer is complete, the data connection is closed, but the control connection remains open, allowing you to continue the FTP session and create a new data transfer session.

    FTP can operate in active or passive mode, which determines how the data connection is established. Therefore, there is usually no problem when opening a control connection. In active mode, the client starts listening on a random port for incoming data connections from the server.

    For this reason, passive mode was introduced and is mainly used today. Using passive mode is preferable because most complex configuration is performed only once on the server side, by an experienced administrator, rather than individually on the client side, by inexperienced users.

    The FTP protocol can be used not only to transfer data between a client and a server, but also between two servers. In this case, the FTP client establishes a control connection with both FTP servers, switches one of them to passive mode, and the second to active, creating a data transmission channel between them.

    An FTP client is a program that connects to an FTP server and performs the operations needed to view the contents of the server's directories and to receive, transfer and delete files or folders. Such a program can be a regular browser, an operating system component, or specially developed software, such as the popular download manager Download Master or the multifunctional free FileZilla FTP Client.

    These example sessions should help make things a little clearer. Traditionally this is port 21 for the command port and port 20 for the data port. However, confusion begins when we discover that, depending on the mode, the data port is not always on the port.

    The server will then connect to the client's specified data port from its local data port, which is port. In step 3, the server initiates a connection on its local data port to the data port specified by the client earlier. From a client-side firewall, it looks like the external system is initiating a connection to the internal client - something that would normally be blocked.

    The FTP protocol was developed back in the days when the client and server interacted directly, without any intermediate transformations of TCP packets, and in standard mode it assumes the ability to create a TCP connection not only at the initiative of the client, but also at the initiative of the server from TCP port 20 on TCP - client port, the number of which is transmitted during the creation of a data session.

    Normal server output is shown in black, while user input is shown in bold. There are a few interesting things about this dialog box. As you can see in the example below, it is formatted as a series of six numbers separated by commas. To find the actual port, multiply the fifth octet by 256 and then add the sixth octet to the total.

    In step 3, the client then initiates a data connection from its data port to the specified server data port. The biggest problem is the need to allow any remote connection to the high number of ports on the server. Appendix 1 for more information. The second issue is supporting and troubleshooting clients that support passive mode.

    The reality today is that such a TCP connection from server to client is in the vast majority of cases impossible, or very difficult to implement, because in most cases NAT (Network Address Translation) is used to connect to the Internet, and the client then has no network interface on which a direct TCP connection from the Internet can be created. A typical diagram of a standard Internet connection looks like this:

    This can be good or bad depending on what the servers and firewalls are configured to do. Here we see that the port is opened on the server system and not on the client. The client will make both connections to the server, but one of them will have a random high port that will almost certainly be blocked by the server-side firewall.

    Network configuration for passive mode

    Fortunately, there is some kind of compromise. So anything other than this range of ports can be a server-side firewall. While this does not eliminate the risk to the server, it significantly reduces it. In Appendix 1. In passive mode, most of the configuration load is on the server side. The server administrator must configure the server as described below.

    The Internet connection is made through a special device, a router (with NAT function), that has at least two network ports: one connected to the provider's network, with a network interface that has a routed IP address (the so-called "white IP"), for example 212.248.22.144, and a port with a network interface for connecting local network devices, with a private, non-routable IP address, for example 192.168.1.1 ("gray IP"). When local network devices create connections to external network nodes, IP packets are sent to the router, which performs address and port translation so that the sender's address becomes its white IP address. The translation results are saved, and when a response packet is received a reverse address translation is performed. Thus, the router forwards TCP/IP packets from any local network device to external networks and forwards the received response packets back. But when a packet that is not a TCP response packet arrives at the input of the network interface connected to the provider's network, the following reactions are possible for the router software:

    Network configuration for active mode

    In active mode, most of the configuration load is on the client side. So that the server can properly connect to the client to open the data connection. Using these two communication connections, two different modes of operation determine in which direction the connections are established: active mode and passive mode.

    A typical firewall running on the client sees this link connection request from the server as unsolicited and drops the packets, causing the file transfer to fail. By default, the server uses an available port in the ephemeral range.

  • The packet is ignored because there is no network service to process it.
  • The packet is received and processed by a network service of the router itself, if such a service exists and is waiting for an incoming connection ("listening") on the port whose number is indicated in the received packet.
  • The packet is forwarded to a server on the local network that expects this type of incoming connection, in accordance with the port mapping rules specified in the router settings.

    Installing and configuring FileZilla FTP Server

    Open an administrator command prompt. This document explains how to use active or passive mode to connect to a File Transfer Protocol server. During a typical active mode session, the command port uses port 21 and the data port uses port 21. However, when you use passive mode, the data port is not always using the port.

    Network address translation configurations block this connection request. You may also need to open a passive range of ports on your firewall. Save the changes to the configuration file. . Run the following commands to allow connections through the passive port range of your server's firewall.

    Therefore, at present, the main mode of operation of the FTP protocol has become the so-called "passive mode", in which TCP connections are made only from the client to the TCP port of the server. Active mode is used in cases where a TCP connection from the server to client ports is possible, for example when they are on the same local network. The FTP connection mode is selected using special commands:

    For these changes to be permanent, you must. To make these changes permanent, you must add passive ports to the configuration file. System updates may overwrite these configuration changes. . These problems may resemble a firewall or other connection problem, even if a firewall does not exist.

    Two data transfer modes in FTP

    To resolve these issues, follow these steps: This blog will answer your question without leaving any doubt. Active mode is the default mode, which used to be the only one. It works when the user connects from any random port to transfer a file. This file transfer connects the client to port 21 on the server. The server connects from port 20 to the client port, which is dedicated to the data channel.

    PASV - the client sends this command to perform data exchange in passive mode. The server will return the address and port to which the client needs to connect to receive or transmit data. Example of a fragment of an FTP session with passive mode set:

    PASV - command to switch to passive mode, transmitted by the FTP client to the FTP server

    FTP problems in modern networks

    Now, once the connection is established, file transfers are established through these client and server ports. Now let's take a look in passive mode. This command works as a request to connect a port number. As soon as the client receives the port, a second connection is immediately started and data is sent. This procedure works in tandem with a firewall that is configured to use port forwarding for added security. The data will then be forwarded from the firewall port to the server port.

    227 Entering Passive Mode (212,248,22,144,195,89) - FTP server response, where 227 is the response code, followed by a text message about switching to passive mode and, in brackets, the IP address and port number that will be used to create the data transmission channel. The address and port number are displayed as decimal numbers separated by commas. The first 4 numbers are the IP address (212.248.22.144); the remaining 2 numbers specify the port number, which is calculated by the formula: the first number is multiplied by 256 and the second number is added to the result. In this example the port number is 195 * 256 + 89 = 50017

    This forces the client outside of accessing the server directly. This will help open a data connection back to the client. The client will then create a data connection to the server. This is advice that clients should not rely on default values ​​because these values ​​are unsafe.

    Active and passive FTP mode

    When the other side connects to the signal side, data transmission will take place. Once the data transfer is complete, the party that initiated the data transfer will close the data connection, signaling the end of the file. You must enable a passive port range in the server firewall.

    PORT client-IP-address,port-number - the client sends this command to establish a session in active mode. The IP address and port number are specified in the same format as in the previous example, for example PORT 212,248,22,144,195,89. To organize the data transfer, the server itself connects to the client on the specified port.
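    The PASV reply and PORT command formats described in the two passages above, as an added example that is not part of the original article: it parses a 227 reply into an address and port using the multiply-by-256 rule, builds the corresponding PORT command, and checks a reply against the passive-mode configuration from this article (external IP, forwarded range 50000-50020). The sample replies and the checker function are constructed for illustration; the formula and the range come from the text.

```python
import re

# Passive port range from the "Use custom port range" step of this article.
PASSIVE_RANGE = (50000, 50020)

# 227 <text> (h1,h2,h3,h4,p1,p2) - six decimal fields separated by commas.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_response(line):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns (ip, port) where port = p1 * 256 + p2.
    Raises ValueError for anything that is not a well-formed 227 reply.
    """
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def build_port_command(ip, port):
    """Build the active-mode PORT command announcing the client's address and port."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("bad port %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def is_private(ip):
    """True for RFC 1918 addresses, i.e. the router's 'gray IP' side."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_pasv_reply(line, expected_external_ip, port_range=PASSIVE_RANGE):
    """Return the configuration problems visible in one PASV reply (constructed checker).

    An empty list means the server advertised the external IP and a port inside
    the range that the router forwards, so a client on the Internet can connect.
    """
    problems = []
    ip, port = parse_pasv_response(line)
    if is_private(ip):
        problems.append("server advertised private address %s; enable 'Use the following IP' "
                        "with the external address or DDNS name" % ip)
    elif ip != expected_external_ip:
        problems.append("advertised %s but the external IP is %s (stale DDNS record?)"
                        % (ip, expected_external_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    # Reply taken from the example session in this article.
    reply = "227 Entering Passive Mode (212,248,22,114,195,97)"
    print(parse_pasv_response(reply))            # ('212.248.22.114', 50017)
    print(build_port_command("212.248.22.114", 50017))
    # Constructed reply showing the misconfiguration the article warns about.
    print(check_pasv_reply("227 Entering Passive Mode (192,168,1,3,195,97)", "212.248.22.114"))
```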

    Installing and configuring FileZilla FTP Server.

    You can download the FileZilla Server installation package for your version of the operating system at

    I hope all your queries need to be answered. If you have more questions related to this, please let us know. A data connection is established from an ephemeral port on the server host to an ephemeral port on the client host. In passive mode, both control and data connections are established outgoing through the firewall to the Internet. Control connection Data connection. . Active mode is the default, but the user can usually switch to passive mode.

    Enhanced Passive Mode Enhanced Passive Mode is very similar to Passive Mode. The support you use depends on your network topology. The firewall administrator needs to add static filter rules for the passive data range. In this case, you should use the advanced passive mode. . These modes are called standard and passive.

    The server installation is performed in the standard way, with the exception of the item where you select settings for the server control panel:

    This is the main server management tool through which all necessary settings are made. By default, the control panel operates on a loopback interface without password access. If necessary, for example, if remote control of the FTP server is required, these settings can be changed.

    Firewall configurations that provide full access to all ephemeral ports for unsolicited connections may be considered unsecured. Using a macro is the preferred way to generate the rules described above. Here are some examples.

    Solving the problem of dynamic IP address

    The server runs behind a masquerading gateway. When such cases occur, you will see a console message like this. My solution is to add the following rule. If you are having problems with your firewall, please read this section carefully.

    Once the installation is complete, an invitation window will open to connect to the server:

    After entering the IP address, port number and password (if you specified them during the installation process), the FileZilla Server control panel opens:


    At the top of the window there is the main menu and the control panel buttons. Below there are two areas: server information messages and statistical information. Overall, the FileZilla Server control panel is quite simple and easy to use. Main menu items:

    Once the connection is established, the client will authenticate to the server, and then that connection will be one client and the server will "chat" with each other. This connection will not be used to transfer files, and for each file a new connection will be established to transfer the file data. There are two ways to open these new data channels: active and passive.

    The server will then connect to this client data port using its own local data port, which is the port. File Transfer Protocol is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to transfer files securely between computers on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.

    File - operating modes of the FTP server control panel. Contains the sub-items:

    - Connect to Server - connect to the server
    - Disconnect - disconnect from the server
    - Quit - shut down the control panel.

    Server - FTP server management. Contains the sub-items:

    - Active - start/stop the FTP server. If the checkbox is checked, the FTP server is started; if unchecked, it is stopped.
    - Lock - prohibit/allow connections to the server. When the checkbox is checked, new connections to the server are prohibited.

    Multiple ports, multiple modes

    This port is used to issue all commands to the server. Any data requested from the server is returned to the client through the data port. The port number for data connections and how data connections are initialized differ depending on whether the client is requesting data in active or passive mode.

    The following modes are listed below. This convention means that the client computer must be allowed to accept connections on any port. With the rise of insecure networks such as the Internet, the use of firewalls to protect client machines is now common.

    Edit - editing settings. Sub-items:

    - Settings - basic server settings.
    - Users - FTP server user settings
    - Groups - user group settings.

    As an example, let's configure the server for the following conditions:

  • the server is behind NAT, has a private IP address, but must be accessible from the Internet, supports passive mode and uses non-standard TCP ports. The use of non-standard ports reduces the likelihood of hacker attacks, and in addition, some providers use traffic filtering and block the standard ports 20 and 21.
  • users have the ability to download from the server, upload to the server, delete and rename files and folders.
  • in case of a dynamic IP address, the availability of the server by DNS name must be ensured.
  • the server will operate on a workstation in a Windows 7 / Windows 8 OS environment.

    In other words, you need to create an FTP server accessible from the Internet for exchanging files between users, free of charge. Clearly, in addition to creating the necessary configuration of the FTP server itself, you will need to change some router settings and Windows firewall settings, and solve the problem of a dynamic IP address so that the server is accessible by name regardless of changes in the IP address.

    Solving the problem of dynamic IP address.

    The client then connects to this port on the server to download the requested information. While passive mode eliminates client-side firewall communication issues when connecting to data, it can make server-side firewall administration more difficult. This also simplifies the process of configuring firewall rules for the server. Section 8 “Network Settings”. Depending on certain network configurations, this mode must be active or passive.

    As their names suggest, the command channel is used to transmit commands as well as responses to those commands, whereas the data channel is used to transmit data. On the other hand, the port you will use for the data link may differ depending on the selected data transfer mode. If you select active mode, the data channel will usually be a port. But if you select passive mode, the port that will be used will be a random port.

This problem does not need solving when the Internet connection uses a static IP address, or a dynamic one that, because of the provider's settings, almost never changes. Otherwise, you can use a technology called Dynamic DNS (DDNS). It updates the IP address information on the DNS server almost in real time, so the router (and the services behind it) can be reached by the registered name regardless of changes in the dynamic IP.

To implement this technology for free, you will need to register with a dynamic DNS service and install client software that updates the DNS record when the corresponding IP address changes. Dynamic DNS support is usually provided by network equipment manufacturers (D-Link, Zyxel, etc.), some hosting companies and specialized companies such as the well-known DynDNS. However, after all the services that had been free for registered non-commercial users became paid in the second half of 2014, the most popular solution has probably been dynamic DNS based on the No-IP.org service, which provides free support for 2 hosts with dynamic IP. To use the service for free, you will need to register and periodically (approximately once a month) visit the site to confirm the information about the dynamic IP hosts in use. If you skip this confirmation, the service is suspended, and accordingly it becomes impossible to connect to the host by name. With the paid service, no confirmation is required.

Almost all modern routers (modems) have a built-in dynamic DNS client. Its setup is usually very simple: you fill in the fields with the user name and password, as well as the host name received when registering with the DDNS service. Example for the Zyxel P660RU2:


Using the DDNS client built into the router/modem is preferable to a DNS update utility running in the OS, since it enables additional capabilities, such as managing the router over the Internet while the computer is turned off and remotely powering on computers behind NAT using Wake On LAN.

In those cases where the built-in DDNS client cannot be used, you will have to make do with application software: a client program that supports dynamic DNS. Such a program periodically connects to the server that maintains the registered domain name associated with the router through which the Internet connection is made, and triggers the IP update procedure when the address changes. The server side is set up so that the DNS name is re-mapped to the new IP address of the Internet connection within a very short time, and the dynamic nature of the address has virtually no effect on the availability of services associated with the DNS name.

And in fact, everything is simple once you understand what is happening. For those who want to understand, read the "theory" section below; for everyone else, there is a "guide" in pictures for setting it up, using as an example a Zyxel Keenetic II Giga (firmware V2) and G6FTP Server on one of the computers on the home network.

When working over the FTP protocol, two connections are established between the client and the server: a control connection (commands are sent through it) and a data connection (files are transferred through it). The control connection is the same for Active and Passive mode. The client initiates a TCP connection from a dynamic port (1024-65535) to port 21 on the FTP server and says "Hello! I want to connect to you. Here is my name and my password." Further actions depend on which FTP mode (Active or Passive) is selected.
Active mode. When the client says "Hello!", it also tells the server a port number (from the dynamic range 1024-65535) so that the server can connect to the client to establish the data connection. The FTP server connects to the specified client port, using TCP port 20 on its side for data transfer. For the client, this connection is incoming. Therefore, working in active mode with clients located behind a firewall or NAT is often difficult or requires additional settings.
Passive mode. In Passive mode, after the client says "Hello!", the server tells the client its IP address and a TCP port number (from the dynamic range 1024-65535) to which the client can connect to establish the data connection. In what follows we will call these ports passive ports. In this case, as is easy to see, the ports of this connection on both the client side and the server side turn out to be arbitrary. In passive mode, the client can easily work with the server through its own firewall, but for the server to support passive mode, the firewall on the server side usually has to be configured accordingly.

    The main difference between Active FTP mode and Passive FTP mode is the side that opens the connection for data transfer. In Active mode, the client must be able to accept this connection from the FTP server. In Passive mode, the client always initiates this connection itself, and the server must accept it.

Passive FTP mode is designed for clients located behind a firewall. In home networks, this should be the main operating mode of the FTP server if you want users to have no problems with access.

    Now practice in pictures.

First, we bind the computer to a fixed IP address; in my case it is 10.0.0.100


then configure the standard FTP ports

and add the ports for working in passive mode