vsftpd PASV mode (passive mode transfer) and PORT mode


What is PASV mode (passive mode transfer), and how does it work? An FTP session normally uses two connections: a control connection, over which client and server exchange commands, and a data connection, over which the file contents are transferred. FTP server software generally supports two ways of setting up the data connection: PORT mode and Passive mode (PASV mode). The difference between the two lies in how the data connection is established. Call the client C and the server S.

PORT mode: when client C connects to server S in PORT mode, C sends a command telling S "I (client C) have opened port N locally; connect to it to make the data connection." When S receives the PORT command it connects to port N on the client, and the data connection is established.

PASV mode: when client C connects to server S in PASV mode, S sends C a message saying "I (server S) have opened port M locally; connect to it now." When C receives this message it connects to port M on S, and once that connection succeeds the data connection is established.

So the main difference between the two modes is who opens the port for the data connection: in PORT mode the client C opens a local port and the server S connects to it; in PASV mode the server S opens a port and waits for the client C to connect.

Do I need to set the transfer mode to PASV mode? If you reach the Internet through a router as in the following setup, you do. The router has two IP addresses: an intranet address (which is your gateway address) and an external address, 218.63.1.5. Every computer in your LAN shares 218.63.1.5 to reach the Internet, going through the gateway 192.168.1.1. Let us look at the detailed steps of a connection to see why PASV mode is needed.

When you download a file with a download tool or a browser, the client first connects to the FTP server. When the FTP service receives your connection request it sends a response message to the client and waits for the user's authentication information. After authentication passes, the data connection is established.

If you are not set to PASV mode, the client (the download tool) opens a data port N on the local computer and sends a command to the FTP server ("I have opened port N; you can connect to me now"). The FTP server then tries to connect to port N at your IP address, and the connection fails. You reach the FTP server through the gateway 192.168.1.1 (your router), so what the server is actually connected to is your router's external address 218.63.1.5, not the port the download tool opened. For example, if your client is 192.168.1.2, the FTP server cannot connect to the listening port N on 192.168.1.2, so you see an error message from the server saying that the port opened on 192.168.1.2 cannot be connected to. For this reason you need to set the transfer mode to PASV mode.

If you are using PASV mode, then after authentication the client first sends a PASV command to the server. The server accepts the command, opens a port and tells the client "I have opened a port; you can connect to it now." The client (download tool) receives this information and connects to the port the server has opened, completing the data connection; all downloaded data then flows through this port. When using iptables for NAT, the FTP helper modules (ip_nat_ftp, ip_conntrack_ftp) should be loaded so that connections to the FTP server work; otherwise PASV (passive) mode cannot connect to the FTP server.

FTP modes and data ports. FTP is divided into two types, PORT FTP and PASV FTP; PORT FTP is the ordinary form of FTP. Both types establish the control connection in the same way: the client first connects to the FTP server's control port (default 21) and sends its commands over that link. The difference is in how they use the data transfer port (ftp-data). In PORT FTP, the FTP server specifies the port used for data transfer; the default is 20. In PASV FTP, the data transfer port is settled at the client's request: the client sends the server a request for data transmission, and the two sides agree on the data transfer port between them. PASV FTP exists mainly for environments with a firewall, for convenience.

The vsftpd.conf options that control the two modes are as follows.

port_enable=YES|NO: set to NO to disable PORT mode for data connections. The default is YES.

connect_from_port_20=YES|NO: controls whether port 20 (ftp-data) is used when transferring data in PORT mode. YES uses it, NO does not. The default is NO, but the vsftpd.conf shipped with RHL sets it to YES.

ftp_data_port=port number: sets the FTP data transfer port (ftp-data). The default is 20. This parameter is used in PORT FTP mode.

port_promiscuous=YES|NO: the default is NO. When YES, the PORT security check is disabled. This check ensures that outgoing data connections can only go to the client. Be careful about turning this option on.

pasv_enable=YES|NO: YES allows PASV mode when transferring data; NO does not. The default is YES.

pasv_min_port=port number, pasv_max_port=port number: the lower and upper bounds of the port range that can be used to establish data connections in PASV mode. 0 means any port. The default is 0. Setting the range to a relatively high range, such as 50000-60000, will help improve security.

pasv_promiscuous=YES|NO: when this option is enabled, the PASV security check is turned off. This check ensures that the data connection and the control connection come from the same IP address. Be careful about turning this option on; the only reasonable use of it is in an organization that runs a secure tunneling scheme. The default is NO.

pasv_address=numeric IP address: the IP address returned in response to the PASV command. The default is none, meaning the address is taken from the socket of the incoming connection.
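The PORT and PASV exchanges described above, and the reason the PORT attempt from behind NAT fails, can be followed in code. The following Python is an added example, not code from the article or from vsftpd: it encodes and decodes the h1,h2,h3,h4,p1,p2 form that the PORT command and the 227 reply use, models the PORT security check (the one port_promiscuous disables) as "advertised address must equal the control connection's peer", and picks a PASV data port inside a pasv_min_port/pasv_max_port range. The addresses 192.168.1.2, 192.168.1.1 and 218.63.1.5 are the article's; 10.0.0.7, 203.0.113.10 and the port numbers are constructed for the example.

```python
import ipaddress
import re
from typing import Optional, Set, Tuple

# Constructed sample addresses modelling the scenario in the text: client
# 192.168.1.2 sits behind gateway 192.168.1.1, whose public address is 218.63.1.5.
CLIENT_LAN_IP = "192.168.1.2"
GATEWAY_PUBLIC_IP = "218.63.1.5"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _encode(ip: str, port: int) -> str:
    """RFC 959 h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("need a dotted IPv4 address and a port in 1..65535")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def _decode(text: str) -> Tuple[str, int]:
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def build_port_command(listen_ip: str, listen_port: int) -> str:
    """Client side of PORT mode: announce the local port N it is listening on."""
    return "PORT " + _encode(listen_ip, listen_port)


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Server side of PORT mode: learn where it must connect for the data connection."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return _decode(cmd)


def build_pasv_reply(listen_ip: str, listen_port: int, pasv_address: Optional[str] = None) -> str:
    """Server side of PASV mode: announce the port M it opened. pasv_address, if given,
    replaces the address taken from the control socket (mirrors the vsftpd option)."""
    return "227 Entering Passive Mode (" + _encode(pasv_address or listen_ip, listen_port) + ")."


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Client side of PASV mode: learn where to connect."""
    if not line.startswith("227 "):
        raise ValueError("not a 227 PASV reply")
    return _decode(line)


def port_security_check(advertised_ip: str, control_peer_ip: str) -> bool:
    """Model of the PORT check that port_promiscuous=YES would switch off:
    the data connection may only go back to the address the control connection came from."""
    return advertised_ip == control_peer_ip


def advertised_is_routable(ip: str) -> bool:
    """A PORT command naming an RFC 1918 address cannot be reached from the Internet,
    which is why the NATed client in the text gets a connection error."""
    return not ipaddress.ip_address(ip).is_private


def pick_pasv_port(in_use: Set[int], pasv_min_port: int, pasv_max_port: int) -> int:
    """Choose a free data port inside the configured PASV range; 0 means any port."""
    lo, hi = (pasv_min_port, pasv_max_port) if pasv_min_port and pasv_max_port else (1024, 65535)
    for p in range(lo, hi + 1):
        if p not in in_use:
            return p
    raise RuntimeError("no free port in the PASV range")


if __name__ == "__main__":
    # PORT mode from behind NAT: the client advertises its LAN address, but the
    # server sees the control connection arriving from the gateway's public address.
    cmd = build_port_command(CLIENT_LAN_IP, 5000)
    ip, port = parse_port_command(cmd)
    print(cmd, "->", ip, port, "routable:", advertised_is_routable(ip),
          "passes PORT check:", port_security_check(ip, GATEWAY_PUBLIC_IP))
    # PASV mode: the server opens a port in its configured range and the client connects to it.
    m = pick_pasv_port({50000, 50001}, 50000, 60000)
    reply = build_pasv_reply("10.0.0.7", m, pasv_address="203.0.113.10")
    print(reply, "->", parse_pasv_reply(reply))
```

Run as a script, the PORT branch shows the two reasons the active-mode attempt cannot succeed from the LAN: the advertised 192.168.1.2 is not routable from the server, and it differs from the 218.63.1.5 the server saw on the control connection, so a server that keeps the PORT check enabled refuses the command before even trying. The PASV branch shows why pasv_address matters on a server that itself sits behind NAT: without it the 227 reply would carry the internal 10.0.0.7.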

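The vsftpd.conf options listed above can be checked mechanically. The following Python is an added example, not part of the article and not vsftpd code: it parses a vsftpd.conf fragment on top of the defaults the article gives, then reports the settings that weaken the checks the article describes (port_promiscuous, pasv_promiscuous, an unrestricted PASV port range, and, for a server assumed to sit behind NAT, a missing pasv_address). The two embedded configurations are constructed for the example, and 203.0.113.10 is a hypothetical public address.

```python
from typing import Dict, List

# Defaults as the text lists them (vsftpd's own defaults).
DEFAULTS: Dict[str, str] = {
    "port_enable": "YES",
    "connect_from_port_20": "NO",
    "ftp_data_port": "20",
    "port_promiscuous": "NO",
    "pasv_enable": "YES",
    "pasv_min_port": "0",
    "pasv_max_port": "0",
    "pasv_promiscuous": "NO",
    "pasv_address": "",
}

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """\
# permissive data-connection settings
listen=YES
pasv_enable=YES
port_promiscuous=YES
pasv_promiscuous=YES
"""

HARDENED_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
# hypothetical public address of the server, advertised in 227 replies
pasv_address=203.0.113.10
connect_from_port_20=YES
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines on top of the defaults; '#' lines are comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_data_connection_settings(conf: Dict[str, str], server_behind_nat: bool = False) -> List[str]:
    """Return one finding per setting that weakens the PORT/PASV checks the text describes."""
    findings: List[str] = []
    if conf["port_promiscuous"].upper() == "YES":
        findings.append("port_promiscuous=YES: PORT data connections are no longer limited to the client's address")
    if conf["pasv_promiscuous"].upper() == "YES":
        findings.append("pasv_promiscuous=YES: the data connection no longer has to come from the control connection's IP")
    if conf["pasv_enable"].upper() == "YES":
        lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        if lo == 0 or hi == 0:
            findings.append("pasv_min_port/pasv_max_port=0: any port may be used; set a fixed high range such as 50000-60000")
        elif not 1024 <= lo <= hi <= 65535:
            findings.append(f"PASV port range {lo}-{hi} is not a valid high range")
        if server_behind_nat and not conf["pasv_address"]:
            findings.append("pasv_address unset: a NATed server will advertise its internal socket address in 227 replies")
    return findings


def audit_text(text: str, server_behind_nat: bool = False) -> List[str]:
    """Convenience wrapper: parse and audit in one step."""
    return audit_data_connection_settings(parse_vsftpd_conf(text), server_behind_nat)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for finding in audit_text(text, server_behind_nat=True) or ["no findings"]:
            print("  -", finding)
```

The fixed 50000-60000 range is what lets a firewall in front of the server open only those ports for PASV data connections, which is the practical reason the article recommends a high, bounded range rather than 0.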