NOTE: CentOS Enterprise Linux 5 is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux 5 is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux 5.
File Transfer Protocol (FTP) is one of the oldest and most commonly
used protocols found on the Internet today. Its purpose is to
reliably transfer files between computer hosts on a network without
requiring the user to log directly into the remote host or have
knowledge of how to use the remote system. It allows users to
access files on remote systems using a standard set of simple
commands.
This chapter outlines the basics of the FTP protocol, as well as
configuration options for the primary FTP server shipped with Red
Hat Enterprise Linux, vsftpd.
22.1. The File Transfer Protocol
However, because FTP is so prevalent on the Internet, it is often
necessary to share files with the public over it. System
administrators, therefore, should be aware of the FTP protocol's
unique characteristics.
22.1.1. Multiple Ports, Multiple Modes
Unlike most protocols used on the Internet, FTP requires
multiple network ports to work properly. When an FTP client
application initiates a connection to an FTP server, it opens
port 21 on the server — known as the command
port. This port is used to issue all commands to
the server. Any data requested from the server is returned to
the client via a data port. The port
number for data connections, and the way in which data
connections are initialized, vary depending upon whether the
client requests the data in active or
passive mode.
The following defines these modes:
active mode
Active mode is the original method used by the FTP
protocol for transferring data to the client
application. When an active mode data transfer is
initiated by the FTP client, the server opens a
connection from port 20 on the server to the IP address
and a random, unprivileged port (greater than 1024)
specified by the client. This arrangement means that the
client machine must be allowed to accept connections over
any port above 1024. With the growth of insecure
networks, such as the Internet, the use of firewalls to
protect client machines is now prevalent. Because these
client-side firewalls often deny incoming connections
from active mode FTP servers, passive mode was devised.
passive mode
Passive mode, like active mode, is initiated by the FTP
client application. When requesting data from the server,
the FTP client indicates it wants to access the data in
passive mode and the server provides the IP address and a
random, unprivileged port (greater than 1024) on the
server. The client then connects to that port on the
server to download the requested information.
While passive mode resolves issues for client-side
firewall interference with data connections, it can
complicate administration of the server-side
firewall. You can reduce the number of open ports on a
server by limiting the range of unprivileged ports on
the FTP server. This also simplifies the process of
configuring firewall rules for the server. Refer to Section 22.5.8, “Network Options” for more about
limiting passive ports.
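As an added example (not part of the Red Hat documentation or of vsftpd), the following Python code shows the port arithmetic behind the two modes described above: it parses a server's passive-mode reply (response code 227) into the address and port the client must connect to, builds the PORT command a client sends in active mode, and checks a negotiated passive port against a configured range of the kind Section 22.5.8 describes. The replies and addresses are constructed sample values.

```python
import re

# Matches the (h1,h2,h3,h4,p1,p2) tuple in a 227 reply.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    Returns (host, port). The server's data port is p1*256 + p2; in
    passive mode the client opens the data connection to this address.
    """
    if not reply.startswith("227"):
        raise ValueError("not a passive-mode reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Build the active-mode PORT command the client sends on port 21.

    The client names its own address and an unprivileged listening port;
    the server then connects from its port 20 to that address and port.
    """
    if not 1024 < port <= 65535:
        raise ValueError("active-mode data port must be above 1024: %d" % port)
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError("expected dotted-quad address: %r" % host)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def passive_port_allowed(port, min_port, max_port):
    """Check a negotiated passive port against the server's configured range.

    Limiting the passive range on the server is what lets the server-side
    firewall open only those ports for incoming data connections.
    """
    return min_port <= port <= max_port


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    host, port = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)")
    print(host, port)                                  # 192.0.2.10 50000
    print(build_port_command("192.0.2.25", 50001))     # PORT 192,0,2,25,195,81
    print(passive_port_allowed(port, 50000, 50100))    # True
```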