Thursday, 22 May 2008

Allow vsftpd to use passive mode

The design of the FTP protocol relies on two channels. One channel is dedicated to FTP commands (ls, pwd, get, bi, ha) and the other to data transfer only.

The FTP protocol originally required the server (after the command channel from client to server was established, i.e. the client connected to port 21) to connect from its port 20 to the client's assigned data port (above 1024). This mode, nowadays called "active mode", had problems with various network masquerades and with client firewalls as well, because the SERVER issues the connection to the CLIENT.

Therefore the other, PASSIVE mode was added to FTP, which does not require the server to send a SYN packet to the client. It works like this: the client opens a connection from some high port (> 1024) to port 21 on the FTP server, and then, for the data transfer, the client again opens the connection itself, this time to one of the server's high ports.

When your FTP server is firewalled, you will need to allow both modes, as some clients still sit behind firewalls that prevent active mode from working.

To allow passive mode in vsftpd (which is the default ftpd in CentOS) you should add the lines below to vsftpd.conf. vsftpd will use the specified port range to assign data channels in passive mode, one port per client data connection.

# enable passive mode and the range of server ports handed out for data connections
# (the range is min..max, so the lower bound goes in pasv_min_port)
pasv_enable=yes
pasv_min_port=20000
pasv_max_port=20050

Plus, if your host has the standard CentOS/RedHat firewall on, you should add the iptables lines that allow the client to connect to the server's high ports. A port range in iptables is written with a colon (20000:20050).
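The following script is an added example, not part of the original post. It ties together the passive-mode exchange described above and the vsftpd/iptables configuration: it reads pasv_min_port and pasv_max_port from a constructed vsftpd.conf fragment, refuses an inverted range (min above max, which leaves vsftpd with no port to hand out), emits the iptables rules for the control port and the passive range in colon syntax, and decodes a constructed "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply the way an FTP client does (port = p1*256 + p2) to check that the advertised port falls inside the firewalled range. The rule chain (plain INPUT) and the sample values are assumptions; adapt the chain name to the one your CentOS/RedHat firewall actually uses.

```shell
#!/bin/sh
# Added example (not from the original post): validate the vsftpd passive
# port range, derive the matching iptables rules, and decode a PASV reply.

# Constructed sample vsftpd.conf fragment (values are assumptions).
SAMPLE_CONF='listen=YES
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=20050
'

# conf_value CONF KEY -> value of KEY (last occurrence wins, as vsftpd
# reads the file top to bottom); empty when the key is absent.
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# pasv_range CONF -> "MIN:MAX" in iptables syntax; fails when the range is
# missing, outside the high-port space, or inverted (min > max).
pasv_range() {
  min=$(conf_value "$1" pasv_min_port)
  max=$(conf_value "$1" pasv_max_port)
  [ -n "$min" ] && [ -n "$max" ] || return 1
  [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] || return 1
  [ "$min" -le "$max" ] || return 1
  printf '%s:%s\n' "$min" "$max"
}

# iptables_rules CONF -> the two INPUT rules to add on the server:
# the control channel (21) and the passive data range (colon syntax).
iptables_rules() {
  range=$(pasv_range "$1") || return 1
  printf 'iptables -A INPUT -p tcp --dport 21 -j ACCEPT\n'
  printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$range"
}

# pasv_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> the data
# port the client will connect to, i.e. p1*256 + p2.
pasv_port() {
  set -- $(printf '%s\n' "$1" | sed -n 's/.*([0-9]*,[0-9]*,[0-9]*,[0-9]*,\([0-9]*\),\([0-9]*\)).*/\1 \2/p')
  [ $# -eq 2 ] || return 1
  echo $(( $1 * 256 + $2 ))
}

# port_in_range PORT MIN:MAX -> succeeds when the advertised port is inside
# the firewalled range, so the data connection will get through.
port_in_range() {
  min=${2%%:*}; max=${2##*:}
  [ "$1" -ge "$min" ] && [ "$1" -le "$max" ]
}

main() {
  range=$(pasv_range "$SAMPLE_CONF") || { echo "bad passive range in vsftpd.conf" >&2; return 1; }
  echo "iptables rules for this vsftpd.conf:"
  iptables_rules "$SAMPLE_CONF"
  # Constructed server reply: 78*256 + 80 = 20048, inside 20000:20050.
  reply='227 Entering Passive Mode (192,0,2,10,78,80).'
  port=$(pasv_port "$reply") || { echo "unparseable PASV reply" >&2; return 1; }
  if port_in_range "$port" "$range"; then
    echo "server offered port $port: allowed by $range"
  else
    echo "server offered port $port: NOT in $range, the data connection would be dropped"
  fi
}

main "$@"
```

Run it once after editing vsftpd.conf; if pasv_range fails, the min/max lines are missing or swapped, and the firewall rule it prints is the one whose range must match the configuration exactly.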
