|
|
With regards to the difference between PASV FTP and Normal FTP:
Both PASV FTP and Normal FTP work in the same manner for the initial
"Control Channel" connection, which occurs as follows:
The external user allocates two port numbers for the FTP session. The first
port number is reflected in the connection that's used to TCP port 21, on
the FTP server. This is referred to as the "Control or Command Channel".
The usage of the second port number allocated by the external user, as well
as how the connection is established is where the difference occurs...
If the external user sends the FTP server a PORT (Normal FTP) command,
which also contains the second allocated port number inside the data of the
packet. Then the FTP server initiates the next connection to the external
user. This occurs from TCP port 20 (on the FTP server) to whatever the
allocated second port number is. This is referred to as the "Data Channel"
connection.
If you've noticed, it's the FTP server which initiated the connection
outbound, to the external user. In the world of security and firewalls,
this can be a very bad thing. Hence, the reason why PASV FTP was created.
This is also a reason why some FTP servers do not accept the PORT command.
If the user sends the FTP server a PASV (PASV FTP) command, then the FTP
server responds back to the external user with a port number that it has
allocated. SPECIAL NOTE: The port number to be used, AS WELL AS the FTP
server's IP Address is embedded inside the data of the packet sent to the
external user.
When the user receives this packet, the external user initiates the "Data
Channel" connection from its second allocated port number, to the IP Address
and port number provided from the FTP server.
See the difference? In a PASV connection, the "Data Channel" is
initiated/created by the external user. In a Normal connection, it's
established by the FTP server.
Note: All web browsers use PASV FTP as its means of FTP. Although I have
heard a rumor that Internet Explorer 5.0 will support both. I have yet to
confirm this...
Now, let's look at the "Special Note"...
To reiterate, in a PASV FTP session, the FTP server tells the external user
what the FTP servers' IP Address is, as well as what port number to initiate
an inbound connection to.
If you're using NAT (Network Address Translation), the FTP server is
probably going to be an IP Address within the established "Private Range"
(although that really isn't the issue). Now, say for instance the FTP
server is 192.168.100.10 and an external user is trying to initiate a PASV
FTP session to this FTP server. Because the IP Address 192.168.100.10 as
well as the port number is embedded inside the packet and because a lot of
NAT implementations cannot "rewrite" this information. The external user
receives this information and will try to initiate the "Data Channel"
connection to an IP Address (192.168.100.10) that will never leave their
local LAN. Hence PASV FTP fails inbound through NAT.
I hope I've explained this well enough...
|
|
