
In Active Mode, the FTP server will use a port to connect to the client's port. So in this mode, can the FTP server use different local ports while initiating outgoing connections (which means the FTP server has different local ports for all data channels)?

In Passive Mode, the FTP server will send back a port number through the command channel to the client and then listen on this port number. So in this mode, can the FTP server always send back the same local port number, such as 1234, to the client (which means the FTP server has the same local port for all data channels)?

Is there any method for us to configure such a data port for the FTP server? We assume the FTP server will work behind NAT.

Regarding the FTP Active Mode and Passive Mode, see this post and this article

Wallace

1 Answer


I'm going to assume you're using vsftpd since you tagged your post linux and this is the most common server on modern Linux machines.

For active mode, you can disable the connect_from_port_20 option in vsftpd.conf to cause the server to use ephemeral local ports for active (PORT) outgoing data connections. The default for this option is NO but most distributions' stock configuration files set it to YES. If this is set to YES you can also set the ftp_data_port option to use a fixed local data port other than 20.

For passive mode, this is generally not supported, because of the possibility of promiscuous connections. If the server is to allow incoming data connections from IP addresses other than the client's, it has to use its own local port numbers to keep track of which data connections correspond to which control connections.

You can, however, restrict the range of local ports used by the server for PASV connections, by setting the pasv_max_port and pasv_min_port options.

See the vsftpd documentation for more information on all of these configuration options.

TypeIA
  • Yes, we are using VSFTP. For passive mode, is it allowed to set pasv_max_port and pasv_min_port to the same number? If yes, then we can let the FTP server use the same local data port. – Wallace Dec 26 '13 at 14:42
  • Because it is behind NAT, I think the only choice is Passive Mode. Regarding the part -- "it has to use its own local port numbers to keep track of which data connections correspond to which control connections", I don't understand. As far as I know, the FTP server can distinguish all connections by (LocalIP, LocalPort, PeerIP, PeerPort), so even if it uses the same LocalIP and LocalPort it can still distinguish these connections, can't it? – Wallace Dec 26 '13 at 14:47
  • I don't know what happens if you set the min/max to the same number. I suggest trying it; I suppose it may work. As for distinguishing connections, no: if FXP ("promiscuous connections") is supported, the remote address/port of the incoming data connection cannot be assumed to match that of the control connection. It may be a third-party agent connecting to the data port to transfer data. Read the Wikipedia link on FXP. – TypeIA Dec 26 '13 at 14:55
  • It works, but it can only service one client at a time. – Wallace Jan 02 '14 at 23:13
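The behaviour discussed in the answer and the comments (a PASV port range configured with pasv_min_port / pasv_max_port, and why collapsing the range to a single port leaves the server able to serve only one data connection at a time) can be reproduced with a small model. The following is an added example, not vsftpd's own code or anything from the original thread. It assumes the server knows the NAT's public address (vsftpd has a pasv_address option for this, which the thread does not mention) and that the NAT forwards the same port range; the session ids, the `PassivePortPool` class and the helper names are invented for illustration.

```python
"""Model of passive-mode (PASV) data-port allocation behind NAT.

Added example, not vsftpd's own code. Assumptions (not from the thread):
- the server is told its public address (vsftpd: pasv_address);
- the NAT forwards [pasv_min_port, pasv_max_port] to the server;
- each control session asks the pool for one listening data socket.
"""
import socket
from typing import Dict, List, Optional, Tuple


def pasv_reply(public_ip: str, port: int) -> str:
    """Format the 227 reply a client parses to learn the data endpoint.

    Behind NAT the advertised address must be the NAT's public IP, not the
    server's private one, or the client connects to an unroutable host.
    """
    h1, h2, h3, h4 = public_ip.split(".")
    p1, p2 = port // 256, port % 256
    return f"227 Entering Passive Mode ({h1},{h2},{h3},{h4},{p1},{p2})"


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Client side: recover (ip, port) from a 227 reply."""
    inside = reply[reply.index("(") + 1 : reply.index(")")]
    h1, h2, h3, h4, p1, p2 = (int(x) for x in inside.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class PassivePortPool:
    """Hands out at most one listening data socket per control session."""

    def __init__(self, pasv_min_port: int, pasv_max_port: int,
                 bind_host: str = "127.0.0.1") -> None:
        if pasv_min_port > pasv_max_port:
            raise ValueError("pasv_min_port must not exceed pasv_max_port")
        self.pasv_min_port = pasv_min_port
        self.pasv_max_port = pasv_max_port
        self.bind_host = bind_host
        self.sessions: Dict[str, socket.socket] = {}  # session id -> listener

    def open_data_port(self, session_id: str) -> Optional[int]:
        """Bind the first free port in the range; None if it is exhausted.

        No SO_REUSEADDR is set on purpose: a port held by another session
        (or another process) must fail to bind, which is exactly what makes
        a one-port range serialise clients.
        """
        for port in range(self.pasv_min_port, self.pasv_max_port + 1):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                sock.bind((self.bind_host, port))
                sock.listen(1)
            except OSError:  # port already in use, try the next one
                sock.close()
                continue
            self.sessions[session_id] = sock
            return port
        return None

    def close_data_port(self, session_id: str) -> None:
        """Release the listener when the transfer ends."""
        self.sessions.pop(session_id).close()


def pick_free_port() -> int:
    """Ask the kernel for a currently unused local port (for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_single_port(port: int) -> List[Optional[int]]:
    """pasv_min_port == pasv_max_port: the second client is refused a data
    port until the first client's transfer finishes."""
    pool = PassivePortPool(port, port)
    results = [pool.open_data_port("client-A"),   # gets the port
               pool.open_data_port("client-B")]   # None: port is taken
    pool.close_data_port("client-A")
    results.append(pool.open_data_port("client-B"))  # now succeeds
    pool.close_data_port("client-B")
    return results


if __name__ == "__main__":
    p = pick_free_port()
    print("single-port pool, A then B then B again:", demo_single_port(p))
    reply = pasv_reply("203.0.113.10", p)  # 203.0.113.10 is a documentation address
    print(reply, "->", parse_pasv_reply(reply))
```

Running the demo shows the outcome Wallace reported: with the range collapsed to one port, the second client's PASV request cannot be satisfied until the first data connection is closed. Widening the range (and forwarding the whole range on the NAT) is what lets several transfers run concurrently, and the 227 reply must carry the public address rather than the server's private one.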