Q : PASV or PORT what are they and which to use?

target audience : ftp users / ftp site owners


A : Most FTP users never learn what the PASV (Passive) and PORT commands are, and that is not their fault. The first thing to know is that every FTP session uses 2 TCP connections. The first one (the control connection) is made when you connect to the FTP server. Whenever you want a DIR LISTING or a FILE TRANSFER, a second TCP connection (the data connection) is required, and these 2 commands exist only to BUILD (negotiate) that second TCP connection.

You may wonder why there are 2 commands for the DATA connection rather than just one; that is a good question. In the beginning the PORT command alone was enough, but with the introduction of large numbers of FIREWALL programs and NAT devices the PORT command became useless in many networks, so the PASV command was introduced. It is also known as FIREWALL-friendly data transfer.

Now we are going to tell you what's the difference between these 2 commands :

PORT : the ftp client TELLS the ftp server to connect to ftp client's IP address (with a port number)

PASV : the ftp server TELLS the ftp client to connect to ftp server's IP address (with a port number)

So it won't be hard to realize that :

PORT will fail : if the ftp client doesn't even know its own real address (when this client is behind a NAT)

PASV will fail : if the ftp server doesn't even know its own real address (when this server is behind a NAT)

So where can you see these PORT/PASV commands and replies? Get a better FTP client with a status window :) , for example FlashFXP, CuteFTP, Windows Commander and too many others to mention. Of course, some clients hide these commands/replies, so with those you will never see them.

Now you should know where to look and what to configure when you run into PORT and PASV problems.

Prob 1: your ftp client can not LIST DIR and you see a "PORT command failed" error. This command is sent by the FTP client, so look at the IP+PORT listed in the command: if it looks like an address behind a NAT, that is, one of the private ranges below,

Address Allocation for Private Internets (RFC 1918):
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

then you know it's the ftp client's fault. Tell this FTP user to set up his FTP client properly: use PASV mode and never PORT mode, since his FTP client can't tell the difference between its private and its real address.

Prob 2: your ftp client can connect to the FTP server but can't LIST DIR, and you see an error like "PASV failed, no one connects to IP:PORT". Now look at the IP+PORT in the server's PASV reply: does it look like an IP address behind a NAT, that is, one of the private ranges listed above?
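As an added example (not code from the RaidenFTPD page or its software), here is a small Python script that reads the PORT commands and 227 PASV replies you would see in a client's status window, decodes the h1,h2,h3,h4,p1,p2 address (the encoding defined in RFC 959, where the port is p1*256+p2), and flags the two situations described in Prob 1 and Prob 2, plus the case where the advertised address is public but differs from the server's real IP. The status-window lines and the 203.0.113.x server address are constructed for this example, and all function names are my own.

```python
import ipaddress
import re

# RFC 1918 private ranges, the ones the FAQ lists under
# "Address Allocation for Private Internets".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "PORT h1,h2,h3,h4,p1,p2" and "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# both carry the endpoint as six decimal bytes (RFC 959); port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Extract (ip, port) from a PORT command or a 227 PASV reply line."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def build_port_command(ip, port):
    """Inverse of parse_hostport: the PORT line a client sends for ip:port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the address
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def is_private(ip):
    """True for the three RFC 1918 ranges, i.e. an address 'behind a NAT'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def diagnose(line, client_ip=None, server_ip=None):
    """Classify one PORT command or 227 reply copied from a status window.

    client_ip / server_ip are the real (public) addresses of each side, if
    known; the advertised address must match the side that sent the line.
    Returns one of:
      'client-behind-nat'  PORT advertises a private address (Prob 1)
      'server-behind-nat'  227 advertises a private address (Prob 2)
      'address-mismatch'   public address, but not the real one of that side
      'ok'
    """
    if line.upper().startswith("PORT"):
        side, expected = "client", client_ip
    elif line.startswith("227"):
        side, expected = "server", server_ip
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    ip, _port = parse_hostport(line)
    if is_private(ip):
        return side + "-behind-nat"
    if expected is not None and ip != expected:
        return "address-mismatch"
    return "ok"


def analyze_session(lines, client_ip=None, server_ip=None):
    """Diagnose every PORT/227 line of a session, in order."""
    return [diagnose(text, client_ip, server_ip) for text in lines]


# Constructed status-window lines for this example (203.0.113.0/24 is a
# documentation range standing in for a real public server address).
SAMPLE_LINES = [
    "PORT 192,168,0,5,4,1",                             # Prob 1: client behind NAT
    "227 Entering Passive Mode (10,0,0,7,19,137)",      # Prob 2: server behind NAT
    "227 Entering Passive Mode (203,0,113,10,19,137)",  # looks fine
]
SERVER_IP = "203.0.113.10"

if __name__ == "__main__":
    for text in SAMPLE_LINES:
        ip, port = parse_hostport(text)
        print("%-48s -> %s:%d  %s" % (text, ip, port, diagnose(text, server_ip=SERVER_IP)))
```

Run it and the first line is reported as the client's fault (PORT with a 192.168.x.x address), the second as the server's fault (PASV reply with a 10.x.x.x address), and the third as fine; an "address-mismatch" verdict for a 227 reply means the server advertises a public address that is not the one you connected to, which the FAQ's Prob 2 advice about the server's IP setup also covers.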

Is this possible? The client sends PORT 192,168,0,X,A,B and the server reports that the connection was made successfully?

Yes, this can happen:

* the server doesn't build the connection at all but still reports that it was made; many servers do this. Well, our server doesn't do that!

* a transparent proxy sits between the ftp client and the server, such as Microsoft Windows XP Internet Connection Sharing; it rewrites PORT PRIVATE_IP into a legal (public) IP without the ftp client knowing. However, this only works with FTP servers that listen on port 21.


If the server's PASV reply does show an internal address, the server owner should configure the server properly and must not let the FTP server use that internal IP address (read: http://www.raidenftpd.com/en/raiden-ftpd-doc/howto-setup-ip.html ). If the IP+PORT looks fine and it is the same as the server's IP, there are many possible causes, and usually you cannot know the real reason at once; you must try the following steps.

1. Change to another FTP client software, or upgrade your FTP client to a newer version. Yes, don't doubt that there are BADly designed ftp clients in the world, and we will not name them here. Also note that when you do an FXP transfer, the other FTP server acts as an FTP client too, and of course there are badly designed FTP servers in the world as well, which we will not name here either.

2. IF you are an FTP user, check whether you are running any FIREWALL/Security application that blocks the 2nd connection; if so, remove it.

3. IF you are a site owner, check whether you are running any FIREWALL/Security application that blocks the 2nd connection; if so, remove it.

Are all the problems gone? Sorry, but the answer is NO, and you will never figure it out unless you are sitting on both sides, the server's network and the client's network. The reason is simple: how can you know whether there is ANY FIREWALL in the client's network? Or, as a client, how can you know whether there is ANY FIREWALL in the server's network? The answer is ... YOU NEVER KNOW.

And even if you own both the server and the client computers, how do you know whether the network administrator or the ISP has installed a firewall on the GATEWAY machine of your network? The answer is still YOU NEVER KNOW.

So when you get these errors, try the above steps and find your OWN ANSWER: RaidenFTPD has no PASV/PORT problem of its own, and nobody (probably not even you) will ever know the real reason unless you find it out yourself. The necessary knowledge is all listed on this page.

That's ALL


Copyright © RaidenFTPD TEAM , ALL RIGHTS RESERVED

REVISION 2.2 , 2002/09/10