Tuesday, September 15, 2009

ftp

THE MECHANICS OF FTP
The act of transferring a file from one computer to another may seem trivial, but in reality, it is not—at least, not if you’re doing it right. In this section, we step through the
details of the FTP client/server interaction. While this information isn’t crucial to being
able to get an FTP server up and running, it is important when you need to consider
security issues as well as troubleshooting issues—especially troubleshooting issues that
don’t clearly manifest themselves as FTP-related. (“Is the problem with the network, or
is it the FTP server, or is it the FTP client?”)
Client/Server Interactions
The original design of FTP, which was conceived in the early 1970s, assumed something
that was reasonable for a long time on the Internet: Internet users are a friendly bunch.
After the commercialization of the Internet around 1990–1991, the Internet became
much more popular. With the coming of the World Wide Web, the Internet’s user population and popularity increased even more. Along with this came hitherto relatively
unknown security problems. These security problems have made the use of firewalls a
standard on most networks.
The original design of FTP does not play very well with the hostile Internet environment that we have today, which necessitates the use of firewalls. Inasmuch as FTP facilitates the exchange of files between an FTP client and an FTP server, its design has
some built-in nuances that are worthy of further mention.
One of FTP’s nuances stems from the fact that it utilizes two ports: a control port
(port 21) and a data port (port 20). The control port serves as a communication channel
between the client and the server for the exchange of commands and replies, whereas the
data port is used purely for the exchange of data, which may be a file, part of a file, or a
directory listing. FTP can operate in two modes: active FTP mode and passive FTP mode.
Active FTP
Active-mode FTP was traditionally used in the original FTP specifications. In this
mode, the client connects from an ephemeral port (number greater than 1024) to the
FTP server’s command port (port 21). When the client is ready to transfer data, the
server opens a connection from its data port (port 20) to the Internet Protocol (IP)
address and ephemeral port combination provided by the client. The key here is that
the client does not make the actual data connection to the server but instead informs
the server of its own port by issuing the PORT command; the server then connects back
to the specified port. The server can be regarded as the active party (or the agitator) in
this FTP mode.
From the perspective of an FTP client that is behind a firewall, the active-mode FTP
poses a slight problem. The problem is simply that the firewall on the client side might
frown upon (or disallow) connections originating or initiated from the Internet from a
privileged service port (e.g., data port 20) to nonprivileged service ports on the clients it
is supposed to protect.
Passive FTP
The FTP client issues the PASV command to indicate that it wants to access data in the
passive mode, and the server then responds with an IP address and an ephemeral port
number on itself to which the client can connect in order to do the data transfer. The
PASV command issued by the client tells the server to “listen” on a data port that is not
its normal data port (i.e., port 20) and to wait for a connection rather than initiate one.
The key difference here is that it is the client that initiates the connection to the port and
IP address provided by the server. And in this regard, the server may be considered the
passive party in the data communication.
From the perspective of an FTP server that is behind a firewall, passive-mode FTP is a
little problematic, because a firewall’s natural instinct would be to disallow connections
that originate from the Internet that are destined for ephemeral ports of the systems that
it is supposed to protect. A typical symptom of this behavior is when a client appears
to be able to connect to the server without a problem, but the connection seems to hang
whenever an attempt to transfer data occurs.
To address some of the issues pertaining to FTP and firewalls, many firewalls implement application-level proxies for FTP, which keep track of FTP requests and open up those high ports when needed to receive data from a remote site.
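The PORT and PASV exchanges described in the Active FTP and Passive FTP sections above, as an added example that is not part of the original post: it decodes the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and encodes the client's `PORT` command using the RFC 959 encoding (port = p1*256 + p2), then states which side opens the data connection in each mode, which is exactly the flow a stateful firewall on the client or server side has to permit. The `Endpoint` type, function names and the sample addresses are constructed for this example.

```python
import re
from typing import NamedTuple

class Endpoint(NamedTuple):
    host: str
    port: int

# RFC 959 packs an IPv4 address and a 16-bit port into six decimal bytes.
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv_reply(reply: str) -> Endpoint:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'; port = p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _TUPLE_RE.search(reply)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet or port byte out of range")
    return Endpoint(".".join(map(str, n[:4])), n[4] * 256 + n[5])

def build_port_command(client_data: Endpoint) -> str:
    """Encode the PORT command an active-mode client sends so the server can connect back."""
    octets = client_data.host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("host must be a dotted IPv4 address")
    if not 0 < client_data.port <= 65535:
        raise ValueError("port out of range")
    return f"PORT {','.join(octets)},{client_data.port // 256},{client_data.port % 256}"

def data_connection(mode: str, client: Endpoint, server: Endpoint) -> dict:
    """Describe the data connection a stateful firewall must allow for the given mode.
    Active: the server connects from port 20 to the client's advertised ephemeral port.
    Passive: the client connects from an ephemeral port to the server's advertised port."""
    if mode == "active":
        return {"initiator": "server", "src": Endpoint(server.host, 20), "dst": client}
    if mode == "passive":
        return {"initiator": "client", "src": client, "dst": server}
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample exchange (documentation addresses, not captured from a real server).
if __name__ == "__main__":
    srv = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80).")
    print(srv)  # Endpoint(host='192.0.2.10', port=50000)
    print(build_port_command(Endpoint("198.51.100.7", 49153)))  # PORT 198,51,100,7,192,1
    print(data_connection("passive", Endpoint("198.51.100.7", 49153), srv))
```

Comparing the two `data_connection` results shows the asymmetry the text describes: a firewall in front of the client sees an inbound connection from port 20 in active mode, while a firewall in front of the server sees an inbound connection to a high port in passive mode.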
