People like FTP. It's a solid, stable, robust protocol for quickly transferring files between two hosts over TCP/IP. In many cases it's faster than SMB or CIFS, and it's certainly much easier to set up between organizations. This article is going to discuss the main complication we have with FTP - supporting both Active and Passive mode once firewalls and NAT are involved.
Active and Passive explained
FTP works by creating a connection to a server. This is a TCP connection, usually to port 21, although this can change. This connection is known as the CONTROL channel - it is the one which sends commands and receives replies. When an instruction is sent to retrieve a directory listing, retrieve a file, or send a file, a separate transfer connection is negotiated and established - and this is done in either Active or Passive mode.
In active mode, the client (which is always the requestor) sends a PORT command to the server, telling it where to connect for the data transfer. An example of a PORT command is as follows:
The client is telling the server that it's listening on the IP address given by the first four numbers of the PORT argument (the address in the example ends in 126), and on port 64078. You can calculate the port from the last two integers, 250 and 78, with the following equation: 250 * 256 + 78 = 64078. The 256 will never change - the port is sent as two bytes, high byte first, so the first integer is the port divided by 256 and the second is the remainder.
The server will then try to connect to the client at the IP address and port specified (by convention from its own port 20), and if successful, a data connection is established, and the server sends the required data (or receives it) before closing the connection.
The conversation will go something like this:
In passive mode, the client sends a simple command to the server - simply "PASV". The server will then respond with something like this:
The server is now telling the client to establish the data connection by connecting to the server's IP of 10.110.176.125 and port 63796 (sent as 249,52, since 249 * 256 + 52 = 63796 - the same encoding as the PORT command). The client will establish a TCP connection to the server at the address and port specified, and then receive data (or send data).
The conversation will go something like this:
When a client connects to a server (passive) or the server connects to the client (active) to establish a data transfer - this is known as the DATA channel.
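The PORT command and the 227 PASV reply above use the same h1,h2,h3,h4,p1,p2 encoding, and both sides should sanity-check the endpoint they are given before opening the DATA channel. The following is an added example, not code from the original article: it decodes and encodes that tuple, and applies the check that a server should make on a PORT address and a client on a PASV address - the advertised host must be the same host that owns the control channel, and the port must not be a privileged one (otherwise the FTP server can be used to open connections to third parties, the classic FTP bounce attack). The function names and the test addresses (RFC 5737 documentation ranges) are my own.

```python
import re
import ipaddress

# Added example, not from the original article: encode/decode the
# h1,h2,h3,h4,p1,p2 form shared by the PORT command and the 227 PASV reply,
# and apply the endpoint check a careful client or server should make.

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from any string containing h1,h2,h3,h4,p1,p2.

    Works for a raw PORT argument and for a full reply line such as
    '227 Entering Passive Mode (10,110,176,125,249,52)'.
    """
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value above 255 in %r" % text)
    ip = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2          # the article's 250 * 256 + 78 = 64078
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: dotted IPv4 plus port -> six comma-separated numbers."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    if not 1 <= port <= 65535:
        raise ValueError("bad port %r" % port)
    return "%d,%d,%d,%d,%d,%d" % (*octets, port // 256, port % 256)


def check_data_endpoint(advertised_ip, port, control_peer_ip):
    """Return None if the data endpoint is acceptable, otherwise a reason.

    Server side: only ever connect back to the host that owns the control
    channel, never to a privileged port (FTP bounce).  Client side: refuse to
    be redirected to a third host by a bogus 227 reply.  A private address
    leaking through NAT fails this check too, which is exactly why the
    scenario later in the article breaks.
    """
    if ipaddress.ip_address(advertised_ip) != ipaddress.ip_address(control_peer_ip):
        return "address %s does not match control peer %s" % (advertised_ip, control_peer_ip)
    if port < 1024:
        return "privileged port %d refused" % port
    return None


if __name__ == "__main__":
    print(decode_hostport("227 Entering Passive Mode (10,110,176,125,249,52)"))
    print(encode_hostport("10.110.176.125", 63796))
    # A client behind NAT announcing its private address to an Internet server:
    print(check_data_endpoint("10.110.141.15", 64078, "203.0.113.9"))
```

Modern clients go one step further than this check: recent versions of Python's ftplib, for example, ignore the address in the 227 reply altogether and reuse the control connection's peer address unless `trust_server_pasv_ipv4_address` is set. That hides a misconfigured server's wrong PASV address from most users, but does nothing for the port, which still has to be reachable.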
What's the problem?
In my above demonstration, both the client and server were on a perfectly routed internal network. The issues start occurring when you have to go through a firewall, or when Network Address Translation is involved. Most homes and businesses use a router with built-in NAT, so when you connect to an Internet address, your internal, private (RFC 1918) IP address is translated to the router's public address on the way out, and replies are translated back on the way in.
SOME routers are clever enough to KNOW that there's an FTP session in progress (an FTP application-layer gateway, or ALG), and they automatically rewrite the addresses in your PORT commands and PASV replies to compensate for the fact that your IP address is being translated. Unfortunately, this does not work when you're using SSL/TLS encryption (FTPS), because your router can no longer read the conversation, let alone rewrite it - the server then has to advertise a correct address by itself.
Passive mode FTP was developed for clients who would be using NAT, so that instead of the server connecting to the client (active mode), the client connects to the server. Every NAT router supports this out of the box, because from the router's point of view the data connection is just another outbound TCP connection from the client, no different from a web browser fetching a page.
The problem lies when the server must also operate inside a NAT or firewalled environment. Consider this scenario where the client and server are both behind translated addresses, and each advertises its private address to the other:
Client: Please Connect to me at 10.110.141.15
Server: Connection Failed. I don't know how to reach 10.110.141.15
Server: Connect to me at 10.110.176.12
Client: Connection failed. I cannot reach 10.110.176.12
The solution is really simple - Make your server co-operate with the NAT and/or Firewall.
These instructions are for people whose servers are reached on a public IP address that belongs to a border firewall or NAT router, while the server itself sits on an internal address behind it.
In addition to forwarding the control port (21, or whatever port your server listens on) to the server, make the following configuration changes.
Select a suitable range of port numbers above 1023 that nothing else on the server uses - depending on how busy your FTP server is, this can be as little as 10 port numbers or as many as 10,000. Each concurrent transfer needs one port of its own.
Configure your FTP server to use this range as its passive port range, so that every PASV reply advertises a port inside it.
Configure your FTP server so that it knows what IP address to advertise in PASV replies. This has to be your Internet (public) IP, not your internal IP - otherwise outside clients are told to connect to a private address they cannot reach. Clients on your own LAN are the exception: they need the internal address, so check whether your server can tell local and remote clients apart, or let LAN clients use active mode. See sample below.
Create a port forwarding rule on the router that forwards the range of ports you've selected, protocol TCP, to the internal IP address of your FTP server. Those ports are then permanently open from the Internet to that host, which is one more reason to keep the range no larger than you need.
Unfortunately some cheaper NAT routers, like home ADSL ones, may not allow you to forward a port range. In this case you have to create a single port forwarding rule for each passive port you've chosen. For example, if you've chosen port range 10000 to 10010, then you have to create 12 rules in total - one for port 21, and the other 11 for ports 10000 to 10010.
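To make the four steps above concrete, here is an added example (my own code, not the article's server configuration or any particular FTP server's option names) of the decisions a NAT-aware server makes when answering PASV: it hands out ports strictly inside the configured range, advertises the public address to Internet clients and the internal address to clients on the LAN (which most home routers cannot hairpin back through their own public address), and lists the TCP forwards the router must carry, either as one range or as one rule per port for routers that cannot forward ranges. The class and method names, the `lan` network parameter and all addresses (RFC 5737 documentation ranges plus the article's 10.110.x.x network) are assumptions made for the example.

```python
import ipaddress

# Added example, not the article's own configuration: the decisions a
# NAT-aware FTP server makes when it answers PASV, and a helper listing the
# TCP port forwards the border router needs.  All addresses are made up.


class PassiveModeConfig:
    def __init__(self, internal_ip, public_ip, lan, first_port, last_port,
                 control_port=21):
        if not 1024 <= first_port <= last_port <= 65535:
            raise ValueError("passive range must lie within 1024..65535")
        self.internal_ip = ipaddress.ip_address(internal_ip)
        self.public_ip = ipaddress.ip_address(public_ip)
        self.lan = ipaddress.ip_network(lan)   # clients that reach us directly
        self.first_port = first_port
        self.last_port = last_port
        self.control_port = control_port
        self._next = first_port

    def allocate_port(self):
        """Hand out listening ports round-robin, strictly inside the range.

        A port outside the forwarded range is dropped by the router, giving
        the "Connection failed" the article describes.
        """
        port = self._next
        self._next = self.first_port if port == self.last_port else port + 1
        return port

    def advertised_address(self, client_ip):
        """Public IP for Internet clients, internal IP for LAN clients.

        A client on our own network is told the internal address because many
        routers cannot hairpin it back through their public address.  This
        generalises the article's single "advertise your Internet IP" rule.
        """
        if ipaddress.ip_address(client_ip) in self.lan:
            return self.internal_ip
        return self.public_ip

    def pasv_reply(self, client_ip):
        """Build the 227 reply for a client whose control channel comes from client_ip."""
        ip = self.advertised_address(client_ip)
        port = self.allocate_port()
        return "227 Entering Passive Mode (%s,%d,%d)" % (
            str(ip).replace(".", ","), port // 256, port % 256)

    def forwarding_rules(self, router_supports_ranges=True):
        """TCP forwards the router must carry, as (first_port, last_port) pairs.

        The control port always needs a rule.  The passive range is one rule
        on a router that accepts ranges, or one rule per port on a cheap
        router that does not (12 rules for 21 plus 10000-10010).
        """
        rules = [(self.control_port, self.control_port)]
        if router_supports_ranges:
            rules.append((self.first_port, self.last_port))
        else:
            rules.extend((p, p) for p in range(self.first_port, self.last_port + 1))
        return rules


if __name__ == "__main__":
    cfg = PassiveModeConfig("10.110.176.125", "198.51.100.5", "10.110.0.0/16",
                            10000, 10010, control_port=2121)
    print(cfg.pasv_reply("203.0.113.7"))     # Internet client: public IP, port 10000
    print(cfg.pasv_reply("10.110.141.15"))   # LAN client: internal IP, port 10001
    for first, last in cfg.forwarding_rules(router_supports_ranges=False):
        print("forward tcp %d-%d -> %s" % (first, last, cfg.internal_ip))
```

A quick way to verify a real setup from outside is the same logic in reverse: connect to the public address on the control port, send PASV, and confirm that the address in the 227 reply is the public address and that the port falls inside the range you forwarded; anything else means one of the steps above was skipped.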
Here is a working configuration I use for my home FTP Server:
Port forwarding Rules
FTP Server Configuration
For the really observant: you'll notice I'm using the non-standard port of 2121 for clients to connect to!
I hope that this tutorial has helped you resolve your FTP Server woes, and helped you better understand how the FTP Protocol operates.