What is the difference between active and passive FTP?

Translated from: What is the difference between active and passive FTP?

Will anyone please tell me what the difference between active and passive FTP is? Which one is preferable?


Post #1

Reference: https://stackoom.com/question/781Z/主动和被动FTP有什么区别


Post #2

Active and passive are the two modes that FTP can run in.

For background, FTP actually uses two channels between client and server, the command and data channels, which are actually separate TCP connections.

The command channel is for commands and responses while the data channel is for actually transferring files.

This separation of command information and data into separate channels is a nifty way of being able to send commands to the server without having to wait for the current data transfer to finish. As per the RFC, this is only mandated for a subset of commands, such as quitting, aborting the current transfer, and getting the status.


In active mode, the client establishes the command channel but the server is responsible for establishing the data channel. This can actually be a problem if, for example, the client machine is protected by firewalls and will not allow unauthorised session requests from external parties.

In passive mode, the client establishes both channels. We already know it establishes the command channel in active mode and it does the same here.

However, it then requests the server (on the command channel) to start listening on a port (at the server's discretion) rather than trying to establish a connection back to the client.

As part of this, the server also returns to the client the port number it has selected to listen on, so that the client knows how to connect to it.

Once the client knows that, it can then successfully create the data channel and continue.

More details are available in the RFC: https://www.ietf.org/rfc/rfc959.txt


Post #3

I recently ran into this question at my workplace, so I think I should say something more here. I will use images to explain how FTP works, as an additional source for the previous answer.

Active mode:

[Image: active mode]


Passive mode:

[Image]


In an active mode configuration, the server will attempt to connect to a random client-side port. So chances are, that port wouldn't be one of those predefined ports. As a result, an attempt to connect to it will be blocked by the firewall and no connection will be established.



A passive configuration will not have this problem since the client will be the one initiating the connection. Of course, it's possible for the server side to have a firewall too. However, since the server is expected to receive a greater number of connection requests compared to a client, then it would be but logical for the server admin to adapt to the situation and open up a selection of ports to satisfy passive mode configurations.

So it would be best for you to configure the server to support passive mode FTP. However, passive mode would make your system vulnerable to attacks because clients are supposed to connect to random server ports. Thus, to support this mode, not only should your server have to have multiple ports available, your firewall should also allow connections to all those ports to pass through!

To mitigate the risks, a good solution would be to specify a range of ports on your server and then to allow only that range of ports on your firewall.

For more information, please read the official document.


Post #4

Redacted version of my article FTP Connection Modes (Active vs. Passive):

FTP connection mode (active or passive) determines how a data connection is established. In both cases, a client creates a TCP control connection to an FTP server command port 21. This is a standard outgoing connection, as with any other file transfer protocol (SFTP, SCP, WebDAV) or any other TCP client application (e.g. web browser). So, usually there are no problems when opening the control connection.

Where FTP protocol is more complicated compared to the other file transfer protocols is file transfers. While the other protocols use the same connection for both session control and file (data) transfers, the FTP protocol uses a separate connection for the file transfers and directory listings.

In the active mode, the client starts listening on a random port for incoming data connections from the server (the client sends the FTP command PORT to inform the server on which port it is listening). Nowadays, it is typical that the client is behind a firewall (e.g. built-in Windows firewall) or NAT router (e.g. ADSL modem), unable to accept incoming TCP connections.

For this reason the passive mode was introduced and is mostly used nowadays. Using the passive mode is preferable because most of the complex configuration is done only once on the server side, by an experienced administrator, rather than individually on a client side, by (possibly) inexperienced users.

In the passive mode, the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server, which the client then uses to open a data connection to the server IP address and server port number received.

Network Configuration for Passive Mode

With the passive mode, most of the configuration burden is on the server side. The server administrator should set up the server as described below.

The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on FTP port 21 but also a range of ports for the incoming data connections. Typically, the FTP server software has a configuration option to set up a range of the ports the server will use. And the same range has to be opened/routed on the firewall/NAT.

When the FTP server is behind a NAT, it needs to know its external IP address, so it can provide it to the client in a response to PASV command.

Network Configuration for Active Mode

With the active mode, most of the configuration burden is on the client side.

The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. To open the ports in Windows, go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules > New Rule. For routing the ports on the NAT (if any), refer to its documentation.

When there's NAT in your network, the FTP client needs to know its external IP address that the WinSCP needs to provide to the FTP server using PORT command. So that the server can correctly connect back to the client to open the data connection. Some FTP clients are capable of autodetecting the external IP address, some have to be manually configured.

Smart Firewalls/NATs

Some firewalls/NATs try to automatically open/close data ports by inspecting FTP control connection and/or translate the data connection IP addresses in control connection traffic.

With such a firewall/NAT, the above configuration is not necessary for a plain unencrypted FTP. But this cannot work with FTPS, as the control connection traffic is encrypted and the firewall/NAT cannot inspect nor modify it.
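
Added example (not part of any of the answers above): a client-side check of a server's PASV reply against the two server-side settings described in posts #3 and #4, the restricted passive port range and the external IP behind NAT. The `h1,h2,h3,h4,p1,p2` tuple format is the one defined in RFC 959; the function names, the 50000-50100 range and the sample replies are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the passive range set in the FTP server and opened on the firewall.
PASV_PORTS = range(50000, 50101)  # 50000-50100 inclusive
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT and by a 227 reply."""
    m = TUPLE.search(text)
    if not m:
        raise ValueError("no host-port tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % text)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def check_pasv_reply(reply, control_peer, ports=PASV_PORTS):
    """Return the problems a client would hit with this 227 reply (empty = OK)."""
    if not reply.startswith("227"):
        return ["not a 227 (Entering Passive Mode) reply"]
    host, port = parse_host_port(reply)
    peer = ipaddress.IPv4Address(control_peer)
    problems = []
    if host != peer:
        if any(host in net for net in RFC1918):
            problems.append("internal address %s advertised; external IP not set" % host)
        else:
            problems.append("data address %s differs from control peer %s" % (host, peer))
    if port not in ports:
        problems.append("port %d outside opened range %d-%d"
                        % (port, ports[0], ports[-1]))
    return problems

# Constructed sample replies; 203.0.113.10 stands in for the server's public IP.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # port 50000, fine
    "227 Entering Passive Mode (192,168,1,20,195,80)",  # NAT address leaked
    "227 Entering Passive Mode (203,0,113,10,4,1)",     # port 1025, not opened
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv_reply(line, "203.0.113.10") or "ok")
```

The same `parse_host_port` helper decodes the argument of an active-mode `PORT` command, since both use the same tuple.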


Post #5

Active mode: server initiates the connection.

Passive mode: client initiates the connection.


Post #6

Active Mode—The client issues a PORT command to the server signaling that it will “actively” provide an IP and port number to open the Data Connection back to the client.

Passive Mode—The client issues a PASV command to indicate that it will wait “passively” for the server to supply an IP and port number, after which the client will create a Data Connection to the server.

There are lots of good answers above, but this blog post includes some helpful graphics and gives a pretty solid explanation: https://titanftp.com/2018/08/23/what-is-the-difference-between-active-and-passive-ftp/
