FTP relies on a pair of TCP ports to get the job done. It operates using two connection channels:
FTP control channel, TCP Port 21: All commands you send, as well as the FTP server’s responses to those commands, go over the control connection, but any data sent back (such as ls directory lists or actual file data in either direction) will go over the data connection.
FTP data channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
In addition to these channels, there are several varieties of FTP.
Types of FTP
From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client. These are illustrated in Figure 15.1.
Figure 15.1 Active and passive FTP.
From a user management perspective, there are two additional types of FTP: regular FTP, in which files are transferred using the username and password of a regular user FTP server, and anonymous FTP, in which general access is provided to the FTP server using a well known universal login method.
Take a closer look at each type.
The sequence of events for active FTP is:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over this connection.
Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.
FTP active mode, therefore, transfers data in a counter intuitive way to the TCP standard, as it selects port 20 as its source port (not a random high port that’s greater than 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.
Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading), because the firewall will not know which of the many servers behind it should receive the return connection.
Passive FTP works differently:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall.
As Windows defaults to active FTP and Linux defaults to passive, you’ll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn’t suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineers’ attention. Unlike regular FTP where you login with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your e-mail address for the password. Once logged into a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
As seen in Chapter 6, "Installing RPM Software," using anonymous FTP as a remote user is fairly straightforward. VSFTPD can be configured to support user-based and/or anonymous FTP in its configuration file, as you’ll see later.