Udostępnij za pośrednictwem


Passive FTP Service on action

Hi everyone,

Nowadays i have came across some number of questions, which one is better for FTP mode: Active or Passive mode?

We mostly recommend using passive mode, if you face your server to internet. This is also mentioned on IIS.Net article, that active mode is no more recommended, and passive connections work much better in Internet scenarios and recommended by RFC 1579 (Firewall-Friendly FTP).

FTP Service, when a passive connection established, makes the data connection (we have one control, and one data connection) based on the "FTP Firewall Support" settings that are configured from server level. Just to give some idea, about how it works, i made some demonstration below. For example, first, i configure "FTP Firewall support" like below on my server:

 

blogFTP

After that, when i start "ftpsvc" (cmd: net start ftpsvc), i can see that it start to listen from control port:

c:\>netstat -ano | findstr ":21 "
TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2656 ( pid of FTPSVC process)
TCP    [::]:21                [::]:0                 LISTENING       2656

When i start to make ftp requests to the server, it obeys the port range that i have set on "FTP Firewall Support" settings.

c:\ >netstat -ano | findstr "2656" (2656 process ID - FTPSVC)
TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2656
TCP    [::]:21                [::]:0                 LISTENING       2656
TCP    [::1]:21               [::1]:1482             ESTABLISHED     2656 Control port between FTP client and FTPSVC. (first file)
TCP    [::1]:21               [::1]:1483             ESTABLISHED     2656 Control port between FTP client and FTPSVC. (second file)
TCP    [::1]:2501             [::1]:1485             ESTABLISHED     2656 Data port between FTP client and FTPSVC. (first file)
TCP    [::1]:2505             [::1]:1490             ESTABLISHED     2656 Data port between FTP client and FTPSVC. (second file)

 

You can easily see above that, data connection are selected from port numbers, which we have limited on Firewall Support settings. So you can configure your firewall with this range you have defined.

Also, i want to note that, "FTP Current Sessions" view on "IIS Manager" is very usefull to see, what is happenning at that moment. Here it goes, when i was checking the ports:

blogFTP2

 

I hope you found this blog usefull,

Have a great day,

Mert