File Transfer Protocol (FTP) is one of the oldest and most commonly used
protocols found on the Internet today. Its purpose is to reliably transfer
files between computer hosts on a network without requiring the user to
log directly into the remote host or have knowledge of how to use the
remote system. It allows users to access files on remote systems using a
standard set of simple commands.
This chapter outlines the basics of the FTP protocol, as well as
configuration options for the primary FTP server shipped with Red Hat Enterprise Linux,
vsftpd.
FTP uses a client/server architecture to transfer files using the TCP
network protocol. Because FTP is an older protocol, it uses unencrypted
username and password authentication. For this reason, it is considered
an insecure protocol and should not be used unless absolutely
necessary. A good substitute for FTP is sftp from the
OpenSSH suite of tools. For information about configuring OpenSSH, refer
to the chapter titled OpenSSH in
Red Hat Enterprise Linux System Administration Guide. For more information about the SSH
protocol, refer to Chapter 20 SSH Protocol.
However, because FTP is so prevalent on the Internet, it is often
required to share files to the public. System administrators, therefore,
should be aware of the FTP protocol's unique characteristics.
Unlike most protocols used on the Internet, FTP requires multiple
network ports to work properly. When an FTP client application
initiates a connection to an FTP server, it connects to port 21 on the
server — known as the command port. This
port is used to issue all commands to the server. Any data requested
from the server is returned to the client via a data
port. The port number for data connections, and the way
in which data connections are initialized, vary depending upon
whether the client requests the data in active
or passive mode.
The following defines these modes:
active mode
Active mode is the original method used by the FTP protocol
for transferring data to the client application. When an active
mode data transfer is initiated by the FTP client, the server
opens a connection from port 20 on the server to the IP address
and a random, unprivileged port (greater than 1024) specified by
the client. This arrangement means that the client machine must
be allowed to accept connections over any port above 1024. With
the growth of insecure networks, such as the Internet, the use of
firewalls to protect client machines is now prevalent. Because
these client-side firewalls often deny incoming connections from
active mode FTP servers, passive mode was devised.
passive mode
Passive mode, like active mode, is initiated by the FTP
client application. When requesting data from the server, the
FTP client indicates it wants to access the data in passive
mode and the server provides the IP address and a random,
unprivileged port (greater than 1024) on the server. The client
then connects to that port on the server to download the
requested information.
While passive mode resolves issues for client-side firewall
interference with data connections, it can complicate
administration of the server-side firewall. Limiting the range
of unprivileged ports offered for passive connections in the
FTP server's configuration file is one way to reduce the number
of open ports on a server and simplify the task of creating
firewall rules for the server. Refer to Section 15.5.8 Network Options for more about limiting
passive ports.
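The two modes described above differ only in who listens for the data connection, but both carry the endpoint in the same h1,h2,h3,h4,p1,p2 form: the client sends it in a PORT command (active mode) and the server returns it in a 227 reply to PASV (passive mode), with the port encoded as p1 * 256 + p2. The following is an added example, not part of this guide or of vsftpd, that decodes and encodes that tuple and checks an offered passive port against a limited range; the sample reply and command are constructed, and the range bounds are assumed values.

```python
import re
from ipaddress import IPv4Address

# Constructed sample messages (not captured from a real server): the reply a
# server sends to PASV, and the command a client sends to set up active mode.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_PORT_COMMAND = "PORT 192,0,2,25,4,1"

# Both PORT and the 227 reply carry the same h1,h2,h3,h4,p1,p2 tuple.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_host_port(text):
    """Return (ip, port) from a PORT command or a 227 reply.
    The data port is p1 * 256 + p2."""
    match = _TUPLE.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    ip = str(IPv4Address(".".join(str(n) for n in nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def encode_host_port(ip, port):
    """Build the tuple a client puts in PORT (or a server in a 227 reply)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    octets = str(IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])

def parse_pasv_reply(reply):
    """Parse the server's 227 reply; the client connects to this ip:port."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    return decode_host_port(reply)

def unprivileged(port):
    """Active mode requires the client's data port to be above 1024."""
    return port > 1024

def passive_port_allowed(port, pasv_min, pasv_max):
    """True if a 227 reply offers a port inside the range the server-side
    firewall opens (the limited passive range the text recommends)."""
    return pasv_min <= port <= pasv_max

if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))   # ('192.0.2.10', 50000)
    print(decode_host_port(SAMPLE_PORT_COMMAND))  # ('192.0.2.25', 1025)
```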