Make your FTP Server support Active and Passive

Introduction


People like FTP.  It's a solid, stable, robust protocol for quickly transferring files between two hosts over TCP/IP.  In most cases it's much faster than SMB or CIFS, and certainly much easier to set up between organizations.  This article discusses the main complication we have with FTP - supporting both Active and Passive FTP, especially through firewalls and NAT.

Active and Passive explained


FTP works by the client creating a TCP connection to the server, usually on port 21, although this can change.  This connection is known as the CONTROL channel - it is the one which sends commands and receives replies.  When an instruction is sent to retrieve a directory listing, retrieve a file or send a file, a separate transfer session is negotiated and established - and this transfer is done in either Active or Passive mode.

Active

In active mode, the client (which is always the requestor) sends a PORT command to the server.  An example of a PORT command is as follows:

PORT 10,110,141,126,250,78



The client is telling the server that it's listening on IP address 10.110.141.126, port 64078.  You calculate the port from the last two integers, 250 and 78, with the following equation: 250 * 256 + 78 = 64078.  The 256 never changes - the first integer is the high byte of the port number and the second is the low byte.

The server then tries to connect to the client at the IP address and port specified.  If successful, a data connection is established, and the server sends the required data (or receives data) before closing the connection.

The conversation will go something like this:

[Figure: FTP Active Conversation]

Passive

In passive mode, the client sends a simple command to the server - just "PASV".  The server then responds with something like this:

227 Entering Passive Mode (10,110,176,125,249,52)



The server is now telling the client to establish the data connection by connecting to the server's IP of 10.110.176.125, port 63796 (249 * 256 + 52).  The client establishes a TCP connection to the server at the address specified, and then receives data (or sends data).

The conversation will go something like this:

[Figure: FTP Passive Conversation]

When a client connects to a server (passive) or the server connects to the client (active) to establish a data transfer - this is known as the DATA channel.
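The PORT command and the 227 reply above carry the same six numbers, and both the "address, port" decoding and the NAT failure discussed later are easy to get wrong by hand. The following is an added example, not code from the original article: it decodes and encodes the h1,h2,h3,h4,p1,p2 tuple, and adds the two checks a practitioner would want - a client-side fallback for a server that advertises a private address in its 227 reply, and a server-side self-check that the announced passive port falls inside the range the firewall rules were written for. The 203.0.113.10 address is a constructed placeholder for a public IP, and the private-range list is the RFC 1918 set referred to later in the article.

```python
import ipaddress
import re

# Both the PORT command ("PORT h1,h2,h3,h4,p1,p2") and the 227 reply
# ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)") carry the same six numbers.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 private ranges (172.16.0.0/12 covers 172.16.x.x to 172.31.x.x).
_RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip):
    """True if ip falls in one of the private ranges a NAT router would translate."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in _RFC1918)


def parse_hostport(text):
    """Return (ip, port) from a PORT command or a 227 PASV reply.

    port = p1 * 256 + p2: p1 is the high byte and p2 the low byte, which is
    why the 256 never changes. Raises ValueError on malformed input.
    """
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in: %r" % text)
    h1, h2, h3, h4, p1, p2 = nums
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable for a data connection")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def format_hostport(ip, port):
    """Inverse of parse_hostport: encode ip and port as h1,h2,h3,h4,p1,p2."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def effective_passive_target(reply_227, control_peer_ip):
    """Decide where the client should open the DATA connection after PASV.

    A server behind NAT that has not been told its public address advertises
    its private IP in the 227 reply (the failure described in the article).
    If the advertised address is private but the CONTROL connection went to a
    public address, connect to the control peer instead, keeping the port.
    Returns (ip, port, used_fallback).
    """
    ip, port = parse_hostport(reply_227)
    if is_rfc1918(ip) and not is_rfc1918(control_peer_ip):
        return control_peer_ip, port, True
    return ip, port, False


def passive_port_in_range(reply_227, pasv_min, pasv_max):
    """Server-side self-check: the port announced in the 227 reply must fall
    inside the range the firewall or NAT forwarding rules were written for."""
    _, port = parse_hostport(reply_227)
    return pasv_min <= port <= pasv_max


if __name__ == "__main__":
    # The two messages quoted in the article.
    print(parse_hostport("PORT 10,110,141,126,250,78"))
    print(parse_hostport("227 Entering Passive Mode (10,110,176,125,249,52)"))
    # Constructed case: a server behind NAT advertises its private IP to a public client.
    print(effective_passive_target("227 Entering Passive Mode (10,110,176,125,249,52)", "203.0.113.10"))
```

The fallback in effective_passive_target is the same behaviour many FTP clients implement when a server behind NAT hands out an unroutable address; it repairs the address but not the port, so the passive port range still has to be forwarded as the article describes.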

What's the problem?


In my above demonstration, both the client and server were on a perfectly routed internal network.  The issues start occurring when you have to go through a firewall, or when you're having to use Network Address Translation.  Most homes and businesses use a router that has built-in NAT facilities, so when you connect to an Internet address, your internal, non-routable IP addresses are translated at your NAT router and then forwarded out.

Some routers are clever enough to know that there's an FTP session in progress, and they automatically rewrite the addresses in your PORT commands and PASV replies to compensate for the fact that your IP address is being translated.  Unfortunately, this does not work when you're using SSL/TLS encryption, because your router can no longer read the conversation.

Passive mode FTP was developed for clients who would be using NAT technology, so that instead of servers connecting to the clients (active mode), the clients connect to the servers instead.  Every NAT router will support this out of the box.

The problem arises when the server must also operate inside a NAT or firewalled environment.  Consider this scenario where the client and server are both behind translated addresses:

Active Mode:

Client: Please connect to me at 10.110.141.15
Server: Connection failed.  I don't know how to reach 10.110.141.15

Passive Mode:

Server: Connect to me at 10.110.176.12
Client: Connection failed.  I cannot reach 10.110.176.12

The Solution


The solution is really simple - make your server cooperate with the NAT and/or firewall.

Firewall Only

These instructions are for people whose servers are listening on public IP addresses, but have a border firewall protecting them from attacks.

Supporting Active FTP:

Open an outbound rule: source IP - the FTP server, source port - 20, destination IP - any, destination port - any, protocol TCP.  This rule covers the DATA channel (in active mode the server initiates the data connection from port 20).
Open an inbound rule: source IP - any, source port - any, destination IP - your FTP server, destination port - 21, protocol TCP.  This rule covers the CONTROL channel.

Supporting Passive FTP:

In addition to the Active FTP Rules, make the following configuration changes.

Select a suitable range of port numbers - depending on how busy your FTP server is, this can be as few as 10 port numbers or as many as 10,000.
Configure your FTP server to use this range as its passive port range.
Add an inbound firewall rule: source IP - any, source port - any, destination IP - the FTP server, destination port - this range, protocol TCP.

You're all done! Your FTP Server will now function with clients which request an active or passive connection methodology.

NAT

These instructions are for people whose servers are listening on private IP addresses (10.x.x.x, 172.16.x.x-172.32.x.x or 192.168.x.x) and rely on a NAT router to share their public IP.

Supporting Active FTP:

On your NAT router, create a port forwarding rule to forward TCP port 21 to the internal IP address of your FTP server, same port.

Supporting Passive FTP:

In addition to the Active Port Forwarding, make the following configuration changes.

Select a suitable range of port numbers - depending on how busy your FTP server is, this can be as few as 10 port numbers or as many as 10,000.
Configure your FTP server to use this range as its passive port range.
Configure your FTP server so that it knows what to use as your IP address when doing passive mode.  The passive mode reply must carry your Internet (public) IP address, not your internal IP.  See the sample below.
Create a port forwarding rule to forward the range of ports you've selected to the internal IP address of your FTP server, protocol TCP.

Unfortunately some cheaper NAT routers, such as home ADSL ones, may not allow you to forward a port range.  In that case you have to create a single port forwarding rule for each passive port you've chosen.  For example, if you've chosen port range 10000 to 10010, you have to create 12 rules in total - one for port 21, and the other 11 for ports 10000 to 10010.

Sample Configuration


Here is a working configuration I use for my home FTP server:

Port Forwarding Rules

[Figure: FTP Port Forwarding Rules]

FTP Server Configuration

[Figure: FTP Listening Port]
[Figure: FTP Passive Mode Settings]

The really observant will notice I'm using the non-standard port of 2121 for clients to connect to!
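The screenshots above come from the author's own server; as an added example that is not the author's configuration, here is the same set of NAT-section settings (non-standard control port, fixed passive range, public address in the 227 reply, active connections from port 20) expressed for vsftpd. It assumes vsftpd, a passive range of 10000-10010 matching the forwarding example above, and a placeholder public address (203.0.113.10) that you replace with your Internet IP; vsftpd does not accept comments on the same line as a setting, so every comment is on its own line.

```ini
# vsftpd.conf fragment (constructed example; adjust addresses and ports to your own)

# CONTROL channel: listen on 2121 instead of 21, as in the article's sample
listen=YES
listen_port=2121

# Active mode: the server opens the DATA connection from source port 20
# to the address the client sent in its PORT command
port_enable=YES
connect_from_port_20=YES

# Passive mode: hand out ports from a small fixed range so the
# firewall / NAT forwarding rules can cover it
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10010

# Address to advertise in the 227 reply: the public (Internet) IP,
# not the private one the server is actually bound to.
# 203.0.113.10 is a placeholder.
pasv_address=203.0.113.10
pasv_addr_resolve=NO

# Keep the defaults that require the DATA connection peer to be the same
# host as the CONTROL connection peer; setting either to YES weakens that check
pasv_promiscuous=NO
port_promiscuous=NO
```

With these settings the router needs exactly the forwarding rules the NAT section lists: TCP 2121 (the control port chosen here) plus TCP 10000-10010, all to the server's internal address.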

Conclusion


I hope that this tutorial has helped you resolve your FTP server woes, and helped you better understand how the FTP protocol operates.