This article was posted on the rolia.net 枫下论坛 forum. The main characteristic of most firewalls is that they usually let outgoing traffic pass out easily but make it hard to let incoming traffic pass in.
Active ftp falls into the latter category. Whenever you need to retrieve data (e.g., doing an ls), the client first tells the server which port it will open by issuing a PORT command, then opens that port and waits for a connection from the server. After the server gets the port information from the client, it initiates a connection to the client using tcp/20 as the source port and the port specified by the client as the destination port. For each data connection, the client specifies a different port.
Without a firewall, this works OK. But if there's a firewall in between, things get complicated. When the server connects back, the firewall doesn't recognise the connection, since it does not belong to any connection initiated from inside, so the firewall simply drops the packet on the floor. Of course you can configure your firewall to forward the connections from the server to the client, but the problem is that for each data connection the client will use a different port. And again, you can configure your firewall to forward a big range of ports to the client, but that defeats the very purpose of a firewall, doesn't it?
The best solution for making active ftp work through a firewall is to run some kind of ftp proxy on the firewall that monitors the command channel and temporarily opens up a port to the client when needed.
Another solution is to use passive ftp. When the client needs to retrieve data, it issues a PASV command to the server. When the server sees it, it issues a PORT command to the client (instead of the other way round) and opens up the port, waiting for the client to connect. After the client gets the port, it initiates the connection to the server. Since this is an outgoing connection, the firewall will happily pass it through. Most sane ftp clients support passive ftp, with the notable exception of the command-line ftp found in most versions of Windows.
The passive ftp approach works great for clients behind a firewall, because it needs no modification to the firewall. But it will have problems when there's a firewall in front of an ftp server. Several famous firewall vendors used to make mistakes in this regard, rendering the firewall nearly useless.
Anyway, ftp is a nasty protocol that creates a lot of headaches by violating the protocol independence principle. But since it is so popular, we'll have to work around its evilness. For more articles and discussion, visit the 枫下论坛 forum at rolia.net.
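The post describes what an ftp-aware proxy on the firewall has to do: watch the command channel, decode the client's PORT command (active ftp) or the server's 227 reply to PASV (passive ftp), and open exactly the one temporary rule that data connection needs instead of forwarding a big port range. The following is an added example, not code from the original post; it models that logic in Python. The "h1,h2,h3,h4,p1,p2" encoding is the one ftp uses on the wire, the transcript is constructed, and the acceptance policy (the announced address must belong to the peer that announced it, and the port must be above 1023) is an assumption of this example, added because without it the proxy would punch holes toward hosts that are not part of the session.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a minimal model of the "ftp proxy on the firewall" the post
# describes. It inspects command-channel lines and derives the single
# temporary allow rule ("pinhole") each data connection needs.

# Host/port tuple used by the PORT command and by the 227 reply: port = p1*256 + p2.
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    src_ip: str
    src_port: Optional[int]  # 20 for active ftp (server side); None = any port
    dst_ip: str
    dst_port: int


def decode_host_port(text: str) -> Optional[Tuple[str, int]]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2); None if malformed."""
    m = _HOST_PORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def _acceptable(announced_ip: str, expected_ip: str, port: int) -> bool:
    # Assumed policy (not from the post): only open a hole toward the peer that
    # announced the address, and only on a non-privileged port.
    return announced_ip == expected_ip and port > 1023


def pinhole_for_line(direction: str, line: str, client_ip: str, server_ip: str):
    """direction is 'C' (client->server) or 'S' (server->client).
    Returns (Pinhole, None) when a rule must be opened, (None, reason) when the
    announced data channel should be refused, and (None, None) for other lines."""
    if direction == "C" and line.upper().startswith("PORT "):
        decoded = decode_host_port(line)
        if decoded is None:
            return None, "malformed PORT"
        ip, port = decoded
        if not _acceptable(ip, client_ip, port):
            return None, f"PORT to {ip}:{port} refused"
        # Active ftp: the server connects from tcp/20 to the client's announced port.
        return Pinhole(server_ip, 20, ip, port), None
    if direction == "S" and line.startswith("227"):
        decoded = decode_host_port(line)
        if decoded is None:
            return None, "malformed 227"
        ip, port = decoded
        if not _acceptable(ip, server_ip, port):
            return None, f"227 to {ip}:{port} refused"
        # Passive ftp: the client connects out to the server's announced port.
        return Pinhole(client_ip, None, ip, port), None
    return None, None


def walk_session(transcript, client_ip: str, server_ip: str):
    """Run the inspector over a whole command-channel transcript."""
    allowed: List[Pinhole] = []
    refused: List[str] = []
    for direction, line in transcript:
        hole, reason = pinhole_for_line(direction, line, client_ip, server_ip)
        if hole is not None:
            allowed.append(hole)
        elif reason is not None:
            refused.append(reason)
    return allowed, refused


# Constructed transcript (documentation addresses, not a real capture).
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.7"
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,8,17"),                      # active: client listens on 2065
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "226 Directory send OK."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,80)."),  # passive: server on 50000
    ("C", "RETR file.txt"),
    ("S", "226 Transfer complete."),
    ("C", "PORT 203,0,113,9,4,1"),                      # address is not the client: refuse
]

if __name__ == "__main__":
    holes, rejected = walk_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    for h in holes:
        print(f"allow {h.src_ip}:{h.src_port or 'any'} -> {h.dst_ip}:{h.dst_port}")
    for r in rejected:
        print("refuse:", r)
```

Each accepted announcement yields one narrow rule: for the active case, server to client on the announced port with source port 20; for the passive case, client to server on the announced port. A real proxy would also close the rule once the data connection is established or the control session ends.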