[FTP] What should you do when FTP meets a firewall?

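Posted 2008-07-16 10:59
Recently I saw people on the forum discussing how to handle FTP when it runs into a firewall. I noticed that many people recommend using passive mode, or opening ports 21 and 20, but without giving any reason.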

I looked up some documentation; please see:

Unlike most protocols used on the Internet, FTP requires multiple network ports to work properly. When an FTP client application initiates a connection to an FTP server, it opens port 21 on the server — known as the command port. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a data port. The port number for data connections and the way in which data connections are initialized vary depending upon whether the client requests the data in active or passive mode.

The following are descriptions of these two modes:

active mode

    Active mode is the original method used by the FTP protocol for transferring data to the client application. When an active mode data transfer is initiated by the FTP client, the server opens a connection from port 20 on the server to the IP address and a random, unprivileged port (greater than 1024) specified by the client. This arrangement means that the client machine must be allowed to accept connections over any port above 1024. With the growth of insecure networks, such as the Internet, the use of firewalls to protect client machines is now prevalent. Because these client-side firewalls often deny incoming connections from active mode FTP servers, passive mode was devised.


passive mode

    Passive mode, like active mode, is initiated by the FTP client application. When requesting data from the server, the FTP client indicates it wants to access the data in passive mode and the server provides the IP address and a random, unprivileged port (greater than 1024) on the server. The client then connects to that port on the server to download the requested information.

So, when FTP meets a firewall, neither passive mode nor active mode is guaranteed to work. Each case has to be analyzed on its own terms.

[ Last edited by dotone on 2008-7-16 11:03 ]

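Posted 2008-07-16 12:32
Originally posted by dotone on 2008-7-16 10:59
Recently I saw people on the forum discussing how to handle FTP when it runs into a firewall. I noticed that many people recommend using passive mode, or opening ports 21 and 20, but without giving any reason.

I looked up some documentation; please see: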

Unlike most protocols u ...


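This is already a well-worn topic.

Besides, Linux's iptables firewall has long had FTP conntrack modules that can handle this, so there is no need at all to use passive mode and then specially open a port range for the data channel.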

--
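
An added example (not from either post, and not the kernel's conntrack code) of the step an FTP-aware stateful firewall helper has to perform for the two modes quoted in the first post: read the `PORT` command or the `227` reply on the control channel, using the RFC 959 host-port encoding, and derive the one data connection to allow. The function name, the direction labels and the sample lines are assumptions made for illustration; rejecting ports below 1024 follows the quoted description of data ports as unprivileged.

```python
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 (RFC 959 host-port syntax)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def expected_data_connection(direction, line):
    """Return the data connection a firewall should expect after this
    control-channel line, or None if the line does not negotiate one.

    direction: "c2s" for a line sent by the client, "s2c" for a server reply.
    """
    line = line.strip()
    if direction == "c2s" and line.upper().startswith("PORT "):
        mode, m = "active", _HOSTPORT.fullmatch(line[5:].strip())
    elif direction == "s2c" and line.startswith("227 "):
        mode, m = "passive", _HOSTPORT.search(line)
    else:
        return None
    if m is None:
        raise ValueError("malformed host-port field: %r" % line)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:  # assumption of this example: privileged data ports are suspect
        raise ValueError("data port %d is privileged" % port)
    if mode == "active":
        # Server connects out from port 20 to the address the client named.
        return {"mode": mode, "initiator": "server", "src_port": 20,
                "dst_ip": ip, "dst_port": port}
    # Client connects to the address the server named; its source port is arbitrary.
    return {"mode": mode, "initiator": "client", "src_port": None,
            "dst_ip": ip, "dst_port": port}


# Constructed control-channel lines (documentation addresses, not captured traffic)
SAMPLE = [
    ("c2s", "USER anonymous"),
    ("c2s", "PORT 192,0,2,10,195,80"),
    ("s2c", "227 Entering Passive Mode (198,51,100,5,117,48)"),
]

if __name__ == "__main__":
    for direction, line in SAMPLE:
        print(direction, line, "->", expected_data_connection(direction, line))
```

The two results show why the firewall question depends on the mode: in active mode the inbound connection lands on the client side, in passive mode on the server side.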