Differences
This shows you the differences between the selected revisions of the page.
ftp_modes 2015-01-07 | ftp_modes 2022-04-30 (current) | ||
Line 1: | Line 1: | ||
- | ====== FTP Connection Modes ====== | + | ====== FTP Connection Modes (Active vs. Passive) ====== |
[[ftp|FTP]] may operate in an active or a passive mode, which determines how a data connection is established. In both cases, a client creates a TCP control connection to an FTP server command port 21. This is a standard outgoing connection, as with any other file transfer protocol (SFTP, SCP, WebDAV) or any other %%TCP%% client application (e.g. web browser). So, usually there are no problems when opening the control connection. | [[ftp|FTP]] may operate in an active or a passive mode, which determines how a data connection is established. In both cases, a client creates a TCP control connection to an FTP server command port 21. This is a standard outgoing connection, as with any other file transfer protocol (SFTP, SCP, WebDAV) or any other %%TCP%% client application (e.g. web browser). So, usually there are no problems when opening the control connection. | ||
- | Where %%FTP%% protocol is more complicated comparing to the other file transfer protocol are file transfers. While the other protocols use the same connection for both session control and file (data) transfers, the %%FTP%% protocol uses a separate connection for the file transfers. | + | Where %%FTP%% protocol is more complicated comparing to the other file transfer protocols are file transfers. While the other protocols use the same connection for both session control and file (data) transfers, the %%FTP%% protocol uses a separate connection for the file transfers and directory listings. |
+ | |||
+ | ~~AD~~ | ||
In the //active// mode, the client starts listening on a random port for incoming data connections from the server (the client sends the %%FTP%% command ''PORT'' to inform the server on which port it is listening). Nowadays, it is typical that the client is behind a firewall (e.g. built-in Windows firewall) or NAT router (e.g. ADSL modem), unable to accept incoming %%TCP%% connections. | In the //active// mode, the client starts listening on a random port for incoming data connections from the server (the client sends the %%FTP%% command ''PORT'' to inform the server on which port it is listening). Nowadays, it is typical that the client is behind a firewall (e.g. built-in Windows firewall) or NAT router (e.g. ADSL modem), unable to accept incoming %%TCP%% connections. | ||
Line 16: | Line 18: | ||
With the //passive// mode, most of the configuration burden is on the server side. The server administrator should setup the server as described below. | With the //passive// mode, most of the configuration burden is on the server side. The server administrator should setup the server as described below. | ||
- | The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on %%FTP%% port 21,((Or implicit FTPS port 990)) but also a range of ports for the incoming data connections. Typically, the %%FTP%% server software has a configuration option to setup a range of the ports, the server will use. And the same range has to be opened/routed on the firewall/%%NAT%%. | + | ~~AD~~ |
+ | |||
+ | The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on %%FTP%% port 21,((Or implicit FTPS port 990.)) but also a range of ports for the incoming data connections. Typically, the %%FTP%% server software has a configuration option to setup a range of the ports, the server will use. And the same range has to be opened/routed on the firewall/%%NAT%%. | ||
When the %%FTP%% server is behind a %%NAT%%, it needs to know it's external IP address, so it can provide it to the client in a response to ''PASV'' command. | When the %%FTP%% server is behind a %%NAT%%, it needs to know it's external IP address, so it can provide it to the client in a response to ''PASV'' command. | ||
- | It is typical, that the %%FTP%% server is not configured properly and provides its internal IP address, that cannot be used from a client network. By default WinSCP detects, when an unroutable IP address is provided, and uses a server (control connection) address instead.((Actually very rarely, if ever, the %%IP%% address of the data connection is different from the %%IP%% address of the control connection.)) You can tell that this happened from [[logging|a session log]]: | + | It is common, that the %%FTP%% server is not configured properly and provides its internal IP address, that cannot be used from a client network. By default WinSCP detects, when an unroutable IP address is provided, and uses a server (control connection) address instead.((Actually very rarely, if ever, the %%IP%% address of the data connection is different from the %%IP%% address of the control connection.)) You can tell that this happened from [[logging|a session log]]: |
<code> | <code> | ||
Server sent passive reply with unroutable address ..., using host address instead. | Server sent passive reply with unroutable address ..., using host address instead. | ||
</code> | </code> | ||
- | |||
- | When the %%NAT%% happens on a client side, what the %%FTP%% server cannot know, the IP address it provides is wrong too. You can force WinSCP to ignore the %%IP%% address provided using a //[[ui_login_ftp|Force IP address for passive mode connections]]// session setting. | ||
Learn how to: | Learn how to: | ||
Line 32: | Line 34: | ||
* [[guide_windows_ftps_server#firewall|Configure port range for data connections and external IP address on Microsoft IIS FTP Server]]; | * [[guide_windows_ftps_server#firewall|Configure port range for data connections and external IP address on Microsoft IIS FTP Server]]; | ||
* [[guide_azure_ftps_server#firewall|Route port range for data connections on Microsoft Azure firewall/NAT]]. | * [[guide_azure_ftps_server#firewall|Route port range for data connections on Microsoft Azure firewall/NAT]]. | ||
+ | |||
+ | ==== [[passive_local]] Notes for Uncommon Local Network Configurations ==== | ||
+ | |||
+ | When the %%NAT%% happens on a client side, what the %%FTP%% server cannot know, the IP address it provides is wrong too (from a client's perspective). You can force WinSCP to ignore the %%IP%% address provided by the server using a //[[ui_login_ftp|Force IP address for passive mode connections]]// session setting. | ||
+ | |||
+ | When using a restrictive local firewall that blocks even outgoing connections, you need to open not only control connection port 21, but also a port range for data connections. To open as little ports as possible, find out what ports is the %%FTP%% server configured to use. If you cannot know that, you have to open all unprivileged port range, 1024--65535. | ||
===== [[active]] Network Configuration for Active Mode ===== | ===== [[active]] Network Configuration for Active Mode ===== | ||
Line 37: | Line 45: | ||
With the //active// mode, most of the configuration burden is on the client side. | With the //active// mode, most of the configuration burden is on the client side. | ||
- | The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. As WinSCP does not allow configuring a range of the ports it uses for data connections, all ports in Windows dynamic port range 49152 - 65535((For Windows Vista and later. &winvista For details refer to //Remarks// section in documentation of ''[[msdn>ms737550|bind]]'' WinAPI function. )) have to be opened. To open the ports, go to //Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules > New Rule//. For routing the ports on the %%NAT%% (if any), refer to its documentation. | + | The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. You should restrict [[ui_pref_network|range of local ports that WinSCP uses for the active mode]]. Then open those ports in Windows Firewall. Go to //Control Panel > System and Security > Windows Defender Firewall//((//Windows Firewall// on older versions of Windows.))// > Advanced Settings > Inbound Rules > New Rule//. &wincp &win10 For routing the ports on the %%NAT%% (if any), refer to its documentation. |
When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. | When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. | ||
- | ===== Smart Firewalls/NATs ===== | + | ===== [[smart]] Smart Firewalls/NATs ===== |
- | Some firewalls/NATs try to automatically open/close data ports by inspecting %%FTP%% control connection and/or translate the data connection %%IP%% addresses in control connection traffic. | + | Some firewalls/NATs try to automatically open/close data ports by inspecting %%FTP%% control connection and/or translate the data connection %%IP%% addresses in control connection traffic.((For example in the built-in Windows firewall, the function is called ''StatefulFTP''.)) |
With such a firewall/%%NAT%%, the above configuration is not necessary for a plain unencrypted %%FTP%%. But this cannot work with [[ftps|FTPS]], as the control connection traffic is encrypted and the firewall/%%NAT%% cannot inspect nor modify it. | With such a firewall/%%NAT%%, the above configuration is not necessary for a plain unencrypted %%FTP%%. But this cannot work with [[ftps|FTPS]], as the control connection traffic is encrypted and the firewall/%%NAT%% cannot inspect nor modify it. | ||
- |