FTP Passive Mode (PASV)

FTP passive mode (PASV) is the only mode for FTP connections that is safe through routers and firewalls. FTP was originally designed with "Active" mode, and the Windows command-line client never progressed beyond this. Virtually all other clients use passive mode by default, and you should configure your server to expect this. (Active mode means the FTP client tells the server what to connect to, and 99% of the time this will be invalid and fail unless you are on an internal, wide-open LAN.)

PASV mode works by telling the client your server's IP and a port to connect to. It does this in a slightly confusing way: it sends the IP as comma-separated numbers, followed by two extra numbers that represent the port.
Example: 192,168,1,5,11,5 means IP 192.168.1.5 and port 11*256+5=2821.
Knowing the correct passive IP to return can be tricky:
If a client is connecting from the LAN, returning the WAN IP will likely be invalid.
If a client is connecting with 127.0.0.1, then that is the only valid reply IP.
If a client is connecting from an external IP, then only the WAN IP would be valid.
If a client is connecting from external, but the firewall/proxy is masking the IP as being its IP, then the only valid IP to give back would be the WAN IP, but the server wouldn't be able to detect this.
If a client is connecting using FTPES or FTPS, then giving the right IP is mandatory because the firewall/router cannot do NAT inspection on the FTP traffic and dynamically change the TCP/IP stream and modify the IP in transit.
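
The encoding and the scenarios above can be checked from the client side, where the address that was dialed is known. The following is an added example, not CrushFTP code: it decodes the six numbers from a PASV reply and compares the advertised IP with the dialed one. The function names, verdict strings and sample replies are constructed for illustration.

```python
import ipaddress
import re

# Six comma-separated numbers h1,h2,h3,h4,p1,p2 as carried in a PASV reply.
PASV_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_pasv(reply):
    """Decode (ip, port) from a PASV reply line or a bare h1,h2,h3,h4,p1,p2 tuple."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field outside 0-255 in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, dialed_ip):
    """Return (ip, port, verdict); dialed_ip is the server address the client used."""
    ip, port = parse_pasv(reply)
    adv, ctl = ipaddress.ip_address(ip), ipaddress.ip_address(dialed_ip)
    if adv == ctl:
        verdict = "ok"
    elif ctl.is_loopback:
        verdict = "bad: loopback client needs 127.0.0.1"
    elif adv.is_loopback or (adv.is_private and not ctl.is_private):
        verdict = "bad: unroutable address sent to external client"
    elif ctl.is_private and not adv.is_private:
        verdict = "warn: LAN client was given the WAN IP"
    else:
        verdict = "warn: advertised IP differs from dialed IP"
    return ip, port, verdict


if __name__ == "__main__":
    # Constructed sample replies, paired with the address the client dialed.
    samples = [
        ("227 Entering Passive Mode (192,168,1,5,11,5)", "104.236.78.254"),
        ("227 Entering Passive Mode (104,236,78,254,11,5)", "192.168.1.5"),
        ("227 Entering Passive Mode (104,236,78,254,11,5)", "104.236.78.254"),
    ]
    for reply, dialed in samples:
        print(dialed, "->", check_pasv(reply, dialed))
```

A "warn" verdict is not necessarily a failure: a LAN client may still reach the WAN IP if the router supports hairpin NAT.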

CrushFTP versions before v11 would take the approach of guessing and trying to return the most correct IP. This often led to confusion and inconsistent behavior. CrushFTP v11 simplifies this logic with less guessing.

The IP configured should be the WAN IP. Auto might be OK if we correctly determined your WAN IP; otherwise enter it directly. If you enter the same IP twice, separated by a comma, then we will only ever use that IP and eliminate all other logic.
Example:
104.236.78.254,104.236.78.254
The "FTP Aware Router / Firewall" checkbox was intended to try and be smart about the logic and determine when to return the LAN IP and let the firewall do NAT and when to return the WAN IP.

Our recommendation is to have the FTP firewall checkbox disabled. Enter your WAN IP once. If you still have an issue, enter it twice, comma separated.

This page (revision-2) was last changed on 21-Jan-2025 04:03 by Ben Spink