免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 1270 | 回复: 0

转贴一篇介绍主动与被动FTP的文章(英文/中文) [复制链接]

论坛徽章:
0
发表于 2005-07-09 14:54 |显示全部楼层
介绍主动与被动FTP的文章,真的很不错。是CU的朋友们翻译的。
Active FTP vs. Passive FTP, a Definitive Explanation
Contents:

  • Introduction
  • The Basics
  • Active FTP
  • Active FTP Example
  • Passive FTP
  • Passive FTP Example
  • Summary
  • References
  • Appendix 1: Configuration of Common FTP Servers

Introduction
One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.
This may not be the definitive explanation, as the title claims, however, I've heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture into what goes on behind the scenes during an FTP session. Now, on to the information...
The Basics
基础
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.
ftp是个基于tcp协议特有服务,并没有udp协议的ftp. 与众不同的是ftp使用2个端口,一个数据端口和一个命令端口(也可叫做控制端口)。通常来说21端口是命令端口而20端口则作为数据端口。无论如何混淆发生了,当我们发现根据模式的不同,数据端口并不总是20。
Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
主动ftp
在主动模式ftp客户端从一个随机的非特权端口N(N>1024)连接到ftp服务器的命令端口,就是21端口。于是客户端开始监听端口N+1同时发送ftp命令“port N+1”到ftp服务器。服务器于是使用本地的数据端口也就是20端口回连到客户端指定的数据端口(也就是N+1)。
注:and sends the FTP command PORT N+1 to the FTP server.
   刚开始不知道怎么翻译,后来查询了port命令,才知道port命令是客户端用来告诉服务器自己将要使用那个端口来作为自己的数据端口。
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1024 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
从服务器端防火墙的立场来说,必须打开下面的通讯端口才能支持主动模式的ftp:
从任何端口到服务器的21端口的连接 (入;客户端初始化的连接)
服务器的21端口到任何大于1024的端口连接 (出;服务器端响应到客户端的控制端口的连接)
服务器的20端口到任何大于1024的端口连接  (出;服务器端初始化数据连接到客户端的数据连接端口)
从任何大于1024端口到服务器的20端口连接   (入;客户端发送ACks到服务器的数据端口的连接)
When drawn out, the connection appears as follows:


具体说来,连接大概是这样建立的:
In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.
在第1步中,客户端的命令端口与ftp服务器的命令端口建立连接,并发送命令“PORT 1027”。然后在第2步中,ftp服务器给客户端的命令端口返回一个"ACK"。在第3步中,ftp服务器发起一个从自己本地数据端口(20)到客户端先前指定的数据端口的连接,然后客户端在第4步中给服务器端返回一个"ACK".
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.
主动模式的FTP中的主要问题实际上在于客户端。FTP的客户端并没有发起一个到服务器数据端口的连接,它只是简单的告诉服务器自己监听的端口号,服务器再回来连接这个指定的端口。对客户端的防火墙来说这是一个从外部系统初始建立的一个指向内部客户的连接,通常这是会被阻塞的。
Active FTP Example
主动FTP的例子
Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.
下面是一个主动FTP会话的真实的例子。唯一改变的是服务器的名称,IP地址和用户名称。在这个例子中,FTP会话从testbox1.slacksite.com (192.168.150.80)(一个运行标准FTP命令行客户端的linux终端)发起到testbox2.slacksite.com (192.168.150.90)(一个运行ProFTPd 1.2.2RC2的linux终端)。debugging(-d)标记用来在FTP客户端显示连接场景背后进行的操作。红色字体的文字是debugging信息,显示的是发送到服务器的实际FTP命令和所产生的回应信息。标准的服务器输出信息用黑色字体表示,用户的输入信息用加粗字体表示。
There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the example below it is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the second two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.
仔细考虑这个对话过程我们会发现一个有趣的事情。我们可以看到当 PORT 命令被提交时,它指定了一个客户端(192.168.150.80)系统的端口而不是服务器端的。当我们用被动FTP时我们会看到相反的现象。我们再来关注PORT命令的格式。就象你在下面的例子看到的一样,它是一个由六个被逗号隔开的数字组成的序列。前四个表示IP地址,后两个组成了数据连接所用到的端口号。用第五个数*256再加上第六个数就得到了实际的端口号( (14*256) + 178) 3762。我们可以用netstat来验证这个端口信息。
testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.
Passive FTP
被动FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.
为了解决服务器发起到客户的连接的问题,另一种不同的FTP连接模式出现了。这就是所谓的被动模式,或者叫做PASV,当客户端通知服务器它处于被动模式时才启用。
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
在被动FTP模式中,客户端发起两种连接,这解决了防火墙过滤从服务器到客户端的入方向的数据端口连接的问题。当开启一个FTP连接时,客户端打开两个随机非特权本地端口(N > 1024 和N+1)。第一个端口连接服务器的21端口,与主动FTP模式中提交PORT命令并允许服务器来回连它的数据端口不同,客户端会提交PASV命令。结果是服务器会开启一个随机的非特权端口(P > 1024),并发送PORT P命令给客户端。然后客户端发起从本地端口N+1到服务器的端口P的连接来传送数据。
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
从服务器端防火墙的立场来说,必须打开下面的通讯端口才能支持被动模式的ftp:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1024 (Server responds to client's control port)
  • FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
从任何端口到服务器的21端口的连接 (入;客户端初始化的连接)
服务器的21端口到任何大于1024的端口连接 (出;服务器端响应到客户端的控制端口的连接)
从任何端口到服务器的大于1024端口的连接 (入;客户端初始化数据连接到服务器端的随机数据连接端口)
服务器的大于1024端口到远程的大于1024的端口连接  (出;服务器端发送ACks到客户端的数据端口的连接)
When drawn, a passive mode FTP connection looks like this:


具体说来,一个被动模式的FTP连接大概是这样建立的:
In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.
在第1步中,客户端的命令端口与ftp服务器的命令端口建立连接,并发送命令“PASV”。然后在第2步中,ftp服务器返回命令"PORT 2024",告诉客户端哪个端口用来侦听数据连接。在第3步中,客户端初始化一个从自己的数据端口到服务器端指定的数据端口的数据连接。最后服务器在第4步中给客户端的数据端口端返回一个"ACK"。
While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.
被动模式的FTP解决了客户端的许多问题,但同时给服务器端带来了更多的问题。最大的问题是需要允许从任意远程终端到服务器高位端口的连接。幸运的是,许多FTP守护程序,包括流行的WU-FTPD允许管理员指定FTP服务器使用的端口范围。详细内容参看附录1。
The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.
第二个问题是客户端有的支持被动模式,有的不支持被动模式,必须考虑如何能支持这些客户端,以及为他们提供解决办法。例如,Solaris提供的FTP命令行工具就不支持被动模式,需要第三方的FTP客户端,比如ncftp。
With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.
随着WWW的广泛流行,许多人习惯用web浏览器作为FTP客户端。大多数浏览器访问ftp://URLs时仅支持被动模式。这到底是好还是坏取决于服务器和防火墙的配置。
Passive FTP Example
被动FTP的例子
Below is an actual example of a passive FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.
下面是一个被动FTP会话的真实的例子。唯一改变的是服务器的名称,IP地址和用户名称。在这个例子中,FTP会话从testbox1.slacksite.com (192.168.150.80)(一个运行标准FTP命令行客户端的linux终端)发起到testbox2.slacksite.com(192.168.150.90)(一个运行ProFTPd1.2.2RC2的linux终端)。debugging(-d)标记用来在FTP客户端显示连接场景背后进行的操作。红色字体的文字是debugging信息,显示的是发送到服务器的实际FTP命令和所产生的回应信息。标准的服务器输出信息用黑色字体表示,用户的输入信息用加粗字体表示。
Notice the difference in the PORT command in this example as opposed to the active FTP example. Here, we see a port being opened on the server (192.168.150.90) system, rather than the client. See the discussion about the format of the PORT command above, in the Active FTP Example section.
注意此例中的PORT命令与主动FTP例子的不同。这里,我们看到是服务器端(192.168.150.90)而不是客户端的一个端口被打开了。可以跟上面的主动FTP例子中的PORT命令格式对比一下。
testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.
Summary
总结
The following chart should help admins remember how each FTP mode works:
下面的图表会帮助管理员们记住每种FTP模式是怎样工作的:
Active FTP :
    command : client >1024 -> server 21
    data    : client >1024 主动FTP:
   命令连接:客户端 >1024端口 -> 服务器端 21端口
   数据连接:客户端 >1024端口
Passive FTP :
    command : client >1024 -> server 21
    data    : client >1024 -> server >1024
被动FTP:
   命令连接:客户端 >1024端口 -> 服务器端 21端口
   数据连接:客户端 >1024端口 -> 服务器端 >1024端口
A quick summary of the pros and cons of active vs. passive FTP is also in order:
下面是赞成与反对主动与被动FTP的简要总结:
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.
主动FTP对FTP服务器端的管理有利,但对客户端的管理不利。因为FTP服务器企图与客户端的高位随机端口建立连接,而这个端口很有可能被客户端的防火墙阻塞掉。被动FTP对FTP客户端的管理有利,但对服务器端的管理不利。因为客户端要与服务器端建立两个连接,其中一个连到一个高位随机端口,而这个端口很有可能被服务器端的防火墙阻塞掉。
Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See
Appendix 1
for more information.
幸运的是,有折衷的办法。既然FTP服务器的管理员需要他们的服务器有最多的客户连接,那么必须得支持被动FTP。我们可以通过指定一个有限的FTP服务器使用端口范围来减小服务器高级端口的暴露。这样,任何不属于这个范围的端口会被服务器的防火墙阻塞。虽然这没有消灭所有针对服务器的危险,但它大大减少了危险。详细信息参看附录1。
References
参考资料
An excellent reference on how various internet protocols work and the issues involved in firewalling them can be found in the O'Reilly and Associates book, Building Internet Firewalls, 2nd Ed, by Brent Chapman and Elizabeth Zwicky.
O'Reilly出版的《组建Internet防火墙》(第二版,Brent Chapman,Elizabeth Zwicky著)是一本很不错的参考资料。里面讲述了各种Internet协议如何工作,以及有关防火墙的例子。
Finally, the definitive reference on FTP would be RFC 959, which sets forth the official specifications of the FTP protocol. RFCs can be downloaded from numerous locations, including
ftp://nic.merit.edu/documents/rfc/rfc0959.txt
.
最权威的FTP参考资料是RFC 959,它是FTP协议的官方规范。RFC的资料可以从许多网站上下载,例如:ftp://nic.merit.edu/documents/rfc/rfc0959.txt。


本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/5421/showart_34881.html
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP