2009.8.10 Passive FTP and Active FTP

Passive FTP與Active FTP模式有何不同?
參考來源Active FTP vs. Passive FTP, a Definitive Explanation

簡明扼要的解釋是:
Active FTP: Ftp server會主動用自己的port 20去連線到Ftp client的port N+1
Passive FTP: Ftp server是被動的讓ftp client來連線到data port(非port 20)



Active FTP運作方式是:
Client自己先開一個隨機port N(N>1023), 然後連線到ftp server port 21.
Client還會開一個N+1 port, 此port就是data port, 等待ftp server回應.
ftp server會用port 20與client N+1 port連線, 此時就是完成連線, 可以開始送data.
如果ftp server端有firewall, 則firewall有下列port要開:

• FTP server's port 21 from anywhere (Client initiates connection)
• FTP server's port 21 to ports > 1023 (Server responds to client's control port)
• FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
• FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

用圖表示的話,如下:

Passive FTP運作方式是:
ftp client也是先開兩個port, 一個是port N, 另一個也是port N+1 (N>1023, 這裡都與active ftp一樣).
ftp client告知ftp server要使用passive mode.
ftp server此時會開一個port P (P>1023), 然後將此port P告知ftp client.
ftp client就會使用自己的port N+1 去連線到ftp server的port P. 然後就完成連線,準備傳送資料.

如果ftp server端有firewall, 則firewall有下列port要開:

• FTP server's port 21 from anywhere (Client initiates connection)
• FTP server's port 21 to ports > 1023 (Server responds to client's control port)
• FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
• FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

用圖表示的話,如下:

總結就是這樣:
Active FTP :
command : client >1023 -> server 21
data : client >1023 <- server 20 Passive FTP : command : client >1023 -> server 21
data : client >1023 -> server >1023

Cisco Router的ftp server好像預設值好像是passive mode, 又好像是後來的IOS取消ftp server了.
有空再來查證!