Network Configuration: Difference between revisions

From FileZilla Wiki
Jump to navigationJump to search
(Revert spam)
Line 2: Line 2:
This documentation describes the history of the FTP protocol and how some aspects of the protocol work. Read it carefully, it will save you a lot of trouble setting up FTP.
This documentation describes the history of the FTP protocol and how some aspects of the protocol work. Read it carefully, it will save you a lot of trouble setting up FTP.


== Baggrund ==
== Background ==


En oversigt over de historiske og tekniske baggrund af FTP-protokollen. For detaljeret dybdegående information se [[File Transfer Protocol | specifikationer]].
An overview of the historical and technical background of the FTP protocol. For detailed in-depth information see [[File Transfer Protocol|specifications]].


=== Historisk Baggrund ===
=== Historical Background ===


Jeg DET hurtigt Levende Verden AF internettet, ER File Transfer Protocol ikke bare Gamle, DET ER Gamle. Tidlige udkast AF protokollen Går sa Langt Tilbage SOM 1971, MED de nuværende Specifikationer, der FRA 1985. Protokollen Maske endda be Ældre ende grave!
In the fast living world of the internet, the File Transfer Protocol is not just old, it's ancient. Early drafts of the protocol go back as far as 1971, with the current specifications being from 1985. The protocol might even be older than you!


Dengang var Internettet primært anvendes AF universiteter OG forskningscentre. Fællesskabet var beskeden, skab brugere kendte hinanden OG Allé var samarbejder sammen. Internettet var da venlig, tillidsfuld Sted. Sikkerhed var ikke en bekymring.
Back then, the Internet was mainly used by universities and research centers. The community was small, many users knew each other and all were collaborating together. The internet was a friendly, trusting place. Security was not a concern.


Siden da Administrator massevis ændret. Internettet ER Nu allestedsnærværende, MED millioner AF brugere på kommunikere MED hinanden in skab forskellige Mader.
Since then, a lot has changed. The Internet is now ubiquitous, with millions of users communicating with each other in many different ways.
Internettet ER Nu da fjendtlig Sted. Tilgængeligheden OG åbenhed Administrator tiltrukket hackere, der udnytter design begrænsninger, ufuldstændige implementeringer, benytter normalt OG manglende erfaring Andre brugere. Et velkendt software Selskab i Redmond, WA sikkert spillet en Rolle.
The internet is now a hostile place. The availability and openness has attracted malicious users who exploit design limitations, incomplete implementations, bugs and the inexperience of other users. A well-known software company located in Redmond, WA certainly played a part in this.


Fri mærkning forsøg Administrator været Gjört i miste disse problemer:
Several attempts have been made to address these problems:
* [Http: / / en.wikipedia.org / wiki / Network_address_translation NAT] (Network Address Translation) routere. Skab AF de værter OG routere in internettet Bruge [http://en.wikipedia.org/wiki/IPv4 IPv4] TAGER. Antallet AF værter tilsluttet Til internettet is ved på Na IPV4 design grænse for antallet AF Adresser ([http://en.wikipedia.org/wiki/IPv6 IPv6] is designet Til at lindre This page). NAT-routere tillader Fri mærkning Systemer inden for en LAN Til at oprette forbindelse Til omverdenen MED EN ekstern IP Adresse.
* [http://en.wikipedia.org/wiki/Network_address_translation NAT] (Network Address Translation) routers. Many of the hosts and routers on the internet use the [http://en.wikipedia.org/wiki/IPv4 IPv4] protocol. The number of hosts connected to the internet is reaching IPV4's design limit for the number of addresses([http://en.wikipedia.org/wiki/IPv6 IPv6] is designed to relieve this). NAT routers allow multiple systems within a LAN to connect to the outside world with one external IP address.
* [Http: / / en.wikipedia.org / wiki / Personal_firewall Personlige firewalls] forsøger at beskytte personlige Computere mod Angreb FRA hackere.
* [http://en.wikipedia.org/wiki/Personal_firewall Personal firewalls] try to protect personal computers from attacks by malicious users.


Desværre bød NAT OG personlige firewalls konflikt MED FTP oftere ende ikke. For at gore tingene værre, SIG nogle AF DEM Administrator endda Mangler SELV, skaber yderligere problemer MED FTP.
Unfortunately, both NAT and personal firewalls conflict with FTP more often than not. To make things worse, some of them even have flaws themselves, causing additional problems regarding FTP.
=== Technical background ===


=== Teknisk Baggrund ===
What distinguishes FTP from most other protocols is the use of secondary connections for file transfers. If you connect to an FTP server, you establish the so-called ''control connection'', over which the FTP commands and their replies are transferred. In order to transfer a file or a directory listing, the client sends some command over the control connection to establish the ''data connection''.


DET, der adskiller FTP FRA de fleste Andre protokoller is brugen AF sekundære forbindelser for filoverførsler. Hvis du opretter forbindelse Til en FTP-server, SKAL du oprette de såkaldte''kontrol forbindelse'', over hvilken FTP kommandoer OG deres svar ER overført. For at overføre en fil Eller da Mappe Free, forbindelse afsenderen klienten en Kommando over kontrollen på etablere''dataforbindelse''.
This data connection can be established in two different ways, called active mode and passive mode.


This dataforbindelse KAN etableres in til forskellige Mader, også kaldet Aktiv tilstand OG passiv tilstand.
In passive mode, which is the recommended mode, the client sends the PASV command to the server, and the server responds with an address. The client then issues a command to transfer a file or to get a directory listing and establishes a secondary connection to the address returned by the server.


Jeg passiv tilstand, SOM ER den anbefalede tilstand, afsender kunden PASV Kommando Til Serveren, OG Serveren Svarer MED en Adresse. Klienten derefter udsteder en Kommando Til at overføre en fil Eller på fa en Mappe Free OG etablerer en Sekundær tilknytning Til den Adresse, der returneres AF Serveren.
In active mode, the client opens a socket on the local machine, and tells its address to the server using the PORT command. Once the client issues a command to transfer a file or listing, the server will connect to the address provided by the client.


Jeg Aktiv tilstand, Åbner kunden et Stik in den Lokale Maskine, OG fortæller synd Adresse Til Serveren ved hjælp AF PORT kommandoen. Nar kunden afgiver en Kommando Til at overføre en fil Eller Free, VII, Serveren skal forbinde Til den Adresse, SOM kunden.
In both cases, the actual file or listing is then transferred over the data connection.


Jeg begge tilfælde den faktiske fil Eller Free overføres derefter via dataforbindelse.
In general, establishing outgoing connections requires less configuration on the routers/firewalls involved than establishing incoming connections. In passive mode, the connection is outgoing on the client side and incoming on the server side. In active mode however, the roles are reversed: The data connection is incoming on the client side and outgoing on the server side.
Please note that this only makes a difference for connection establishment: Once the data connection gets established it can be used for either up- or downloads.


Generelt kræver oprettelse udgående forbindelser mindre Konfiguration in router / firewalls involveret udgangen oprettelse indgående forbindelser. Jeg passiv tilstand, ER forbindelsen udgående in klientsiden OG indgående in Serveren side. Jeg Aktiv tilstand is hund rollerne Vendt: Den dataforbindelse is indgående in klientsiden OG udgående in Serveren side.
A common network setup might look like this:
Bemærk venligst at dette Kun gor en ForskEL for tilslutning etablering: Nar dataforbindelsen bliver Oprettet DET KAN Bruges Til Docenter op-Eller downloads.


En fælles Netværk setup kunne se Sadan UD:
[[Image:FTP1.png|center]]


[[Billede: FTP1.png | center]]


So in passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side however, only outgoing connections have to be allowed, which will already be the case most of the time.


SA i passiv tilstand, router OG firewall in Serveren side Skal konfigureres Til at acceptere OG videresende indgående forbindelser. In klientsiden Administrator hund Kun udgående forbindelser på fa lov, SOM allerede VII, be tilfældet DET meste AF tiden.
Analogous in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Apparently on the server side, only outgoing connections have to be allowed.


Tilsvarende i Aktiv tilstand, router OG firewall in klientsiden Skal konfigureres Til at acceptere OG videresende indgående forbindelser. Tilsyneladende in Serveren side, Kun udgående forbindelser Skal be tilladt.
Since usually one server provides a service for many users, it is far easier to just configure the router and firewall on the server side once for passive mode, than to configure the client's router/firewall for each individual client in active mode. That is why passive mode is recommended.


Da Regel en server leverer en tjeneste for sukkerærter brugere, ER DET Langt nemmere ved bare Konfigureret routeren OG firewall in Serveren side en bande for passiv tilstand, slutter kl Konfigureret kundens router / firewall til hver Enkelt Kunde i Aktiv tilstand. Derfor ER passiv tilstand anbefales.
==== NAT routers ====


==== NAT routere ====
For most broadband users, there will be a NAT (Network Address Translation) router between their computer and the internet.  This NAT router may be a standalone router device (perhaps a wireless router), or it could be built into a DSL modem or Cable modem. In a NAT environment, all systems behind the NAT router form a ''Local Area Network (LAN)'' and each system in the LAN has a local IP address (recognizable as four small numbers separated by dots). The NAT router itself has a local IP address as well. In addition to that, the NAT router also has an external IP address under which it is known to the internet. The internal IP addresses are only valid inside the LAN, for a remote system they would make no sense.
Example:


For de fleste bredbåndsbrugere, være OG VII, der en NAT (Network Address Translation) router mellem deres computer Internettet. Denne NAT router KAN være en standalone router Enhed (Maske en Trådløs router), Eller DET kunne være indbygget i en DSL Eller kabelmodem. Jeg DA NAT Miljø, omhu Systemer taske NAT router form en''Local Area Network (LAN)''OG hvert system i LAN Advocate en Lokal IP-Adresse (genkendes SOM brand Små tal adskilt AF punktummer). NAT router SELV Advocate en Lokal IP Adresse. Hertil Kommer in også NAT routeren Advocate en ekstern IP Adresse, hvorunder DET ER kendt AF Internettet. De Interne IP Adresser er Kun gyldige inden for internet, for en ekstern system, de Ville ikke give Nøgen mening.
[[Image:FTP2.png|center]]
Eksempel:


[[Billede: FTP2.png | center]]


Assume a server is behind a NAT router. Imagine what happens if a client requests passive mode but the server does not know the external IP address of the NAT router. So the server sends its internal address to the client. In that case two things could happen:
* If the client is not behind a NAT, client would abort since address is invalid.
* If client is behind a NAT, the address given by the server might be the same as a system in the client's own LAN.
Obviously, in both cases passive mode would be impossible.


Antager en server er udgøre en NAT router. Forestil dig, Finde sker der, hvis en Kunde anmoder passiv tilstand, mænd Serveren ikke kender eksterne IP Adresse NAT router. SA Serveren afsender sinus Interne Adresse Til klienten. I SA Fald Til tinget KAN SKE:
So if a server is behind a NAT router, it needs to know the external IP address of the router in passive mode. In that case, the server sends the router's external address to the client. The client then establishes a connection to the NAT router, which in turn routes the connection to the server.
* Hvis klient er ikke taske da NAT, VII, kunden afbryde da-Adresse ER ugyldig.
* Hvis klient er taske da NAT, anførte Adresse AF Serveren KAN være de samme SOM et system i kundens eget LAN.
DET ER klart, i begge tilfælde passiv tilstand Ville være umuligt.
 
SA hvis en server er udgøre en NAT router, ER DET nødvendigt in Kende den eksterne IP Adresse i routeren i passiv tilstand. I SA Fald afsender Serveren routerens eksterne Adresse Til klienten. Klienten derefter etablerer en forbindelse Til NAT router, SOM Igen Ruter forbindelsen Til Serveren.


=== Firewalls ===
=== Firewalls ===


Formålet MED en''Personal Firewall''er på beskytte brugeren FRA sikkerhedshuller i operativsystemet Eller applikationer, der kører in DET. Over Internettet. Malware SOM f.eks Orm forsøger at udnytte fejlene Til at inficere DIT system Firewalls KAN medvirke Til at forebygge en Sadan infektion.
The purpose of a ''Personal Firewall'' is to protect the user from security vulnerabilities in the operating system or the applications running on it. Over the internet, malware like for example worms try to exploit these flaws to infect your system. Firewalls can help to prevent such an infection.


Især hvis du bruger FTP, KAN firewall brugere undertiden se indlæg SOM dette FRA deres firewall:
Especially if using FTP, firewall users might sometimes see messages like this from their firewall:
Trojan Netbus blokeret in Porten 12345 op. Bruges AF FileZilla.exe
Trojan Netbus blocked on port 12345 used by FileZilla.exe


Jeg næsten Alle tilfælde ER DET en'''falsk alarm'''. Enhver program KAN vælge en havn DET VII, har for Kommunikation over Internettet. SA DET KAN SKE på FileZilla sker i vælge en havn, der i øvrigt standard havn i en trojan Eller Anden ondsindet software. SA længe du henter FileZilla FRA den officielle hjemmeside, DET ER REN eventuelle malware.
In almost all cases, this is a '''false alarm'''. Any program can choose any port it wants for communication over the internet. So it can happen that FileZilla happens to choose a port that is incidentally the default port of a trojan or some other malware. As long as you download FileZilla from the official website, it is clean of any malware.


=== Ondskabsfuld routere, firewalls OG data sabotage ===
=== Malicious routers, firewalls and data sabotage ===


Nogle routere OG firewalls foregive at be smart. De analysere forbindelser, OG hvis de tror DET ER FTP, de tavse ændre data, der udveksles mellem klient OG server. Hvis brugeren ikke Advocate udtrykkeligt slået This page Funktion, This page adfærd ER andet ungdomsromanen Intet Andet end-data sabotage OG KAN forårsage forskellige problemer.
Some routers and firewalls pretend to be smart. They analyze the connections and if they think it is FTP, they silently change the data exchanged between client and server. If the user has not explicitly enabled this feature, this behavior is nothing else than data sabotage and can cause various problems.


For at illustrere MED et Eksempel, antage, at der ER en klient bag en NAT router forsøger på oprette forbindelse Til Serveren. Lad os yderligere antage, at This page Kunde ikke vide DET ER taske da NAT OG ønsker at Bruge Aktiv tilstand. SA DET afsender PORT Kommando MED sidde Lokale, unroutable IP-Adresse Til Serveren:
To illustrate with an example, assume there is a client behind a NAT router trying to connect to the server. Let's further assume that this client does not know it is behind a NAT and wants to use active mode. So it sends the PORT command with his local, unroutable IP address to the server:


PORT 10,0,0,1,12,34
PORT 10,0,0,1,12,34


Ovenstående Kommando fortæller Serveren på forbinde Til den Adresse 10.0.0.1 in port 12 * 256 34 = 3,106
The above command tells the server to connect to the address 10.0.0.1 on port 12*256+34 = 3106


NAT router ser dette OL lydløst ændrer kommandoen Til at omfatte den eksterne IP-Adresse. Samtidig VII, NAT-router også oprette en Midlertidig port forwarding for FTP-session, eventuelt in en buffer port SELV:
The NAT router sees this and silently changes the command to include the external IP address. At the same time, the NAT router will also create a temporary port forwarding for the FTP session, possibly on a different port even:


PORT 123,123,123,123,24,55
PORT 123,123,123,123,24,55


Nu ovenstående Kommando fortæller Serveren på forbinde Til den Adresse, 123.123.123.123 in port 24 * 256 55 = 6,199
Now the above command tells the server to connect to the address 123.123.123.123 on port 24*256+55 = 6199


Med This adfærd, KAN en NAT router da forkert konfigurerede klient Til at Bruge Aktiv tilstand.
With this behavior, a NAT router allows an improperly configured client to use active mode.


Mænd hvorfor ER DET dårligt? Hvis This Funktion is aktiveret som standard kan, Uden udtrykkelig brugerens samtykke, DET forårsager skab problemer. FTP-forbindelser i synd Mest basale form synes i Arbejde, mænd sa snart der ER nogle afvigelser FRA de grundlæggende tilfældet, VII, alt mislykkes, forlader brugeren Helt forvirrede:
But why is this bad? If this feature is enabled by default, without explicit user consent, it causes lots of problems. FTP connections in its most basic form appear to work, but as soon as there's some deviation from the basic case, everything will fail, leaving the user totally stumped:


* Den NAT-router blindt antager nogle forbindelse bruger FTP baseret in Kriterier SOM Mål havne Eller den oprindelige server svar:
* The NAT router blindly assumes some connection uses FTP based on criteria like target ports or the initial server response:
** Der ER Ingen Garanti for, at den anvendte TAGER ER virkelig FTP, mænd den ER opdaget SOM Sadan (også kaldet''falsk positive''). Selvom usandsynligt, ER DET tænkeligt, at der i en Kommende revision AF FTP-protokollen, KAN syntaksen for PORT Kommando förändring. En NAT router ændre PORT Kommando VII, tavst ændre Ting, DET ikke støtte OG dermed Bryde forbindelsen.
** There is no guarantee that the used protocol really is FTP, yet it is detected as such (also called ''false positive''). Though unlikely, it is conceivable that in a future revision of the FTP protocol, the syntax of the PORT command might change. A NAT router modifying the PORT command would silently change things it does not support and thus break the connection.
** Routeren's TAGER opdagelse KAN undlade at anerkende en FTP-forbindelse (en''falsk negative''). Lad os antage, at routeren Kun ser in Malet Havn, OG hvis DET ER 21, den opdager DET SOM FTP. SOM Sadan Aktiv tilstand forbindelser MED EN forkert konfigurerede klient Til Kram, der kører in port 21 VII, Arbejde, mænd forbindelser Til André Netværksenheder in ikke-standard havnene VII, mislykkes.
** The router's protocol detection can fail to recognize an FTP connection (a ''false negative''). Let's assume the router only looks at the target port, and if it is 21, it detects it as FTP. As such, active mode connections with an improperly configured client to servers running on port 21 will work, but connections to other servers on non-standard ports will fail.
* Selvfølgelig KAN da NAT router ikke længere manipulere MED forbindelsen, sa snart en krypteret FTP-session Brugge Igen forlader brugeren clueless hvorfor DET virker for normal FTP mænd ikke for krypteret FTP.
* Obviously, a NAT router can no longer tamper with the connection as soon as an encrypted FTP session is used, again leaving the user clueless why it works for normal FTP but not for encrypted FTP.
* Antag en klient bag en NAT router afsender "PORT 10,0,0,1,12,34". Hvordan NAT router kender kunden is forkert konfigureret? DET ER også muligt, at kunden ER konfigureret korrekt, mænd blottet ønsker på indlede en FXP (server Til server) overførsel mellem Serveren, den ER tilsluttet OG en buffer Maskine i serverens eget Lokale Netværk.
* Assume a client behind a NAT router sends "PORT 10,0,0,1,12,34". How does the NAT router know the client is improperly configured? It is also possible that the client is properly configured, yet merely wants to initiate an FXP (server-to-server) transfer between the server it is connected to and another machine in the server's own local network.


SOM du KAN SE, der TAGER særlige træk aktiveret i en NAT-router som standard kan is en dårlig tinget. En gud NAT router bor Altid be fuldt TAGER-agnostisk. Romanen øh, hvis du SOM bruger udtrykkeligt Administrator slået This page Funktion Til, Vel vidende Allé huler konsekvenser.
As you can see, having protocol specific features enabled in a NAT router by default is a bad thing. A good NAT router should always be fully protocol-agnostic. The exception is if you as user have explicitly enabled this feature, knowing all its consequences.


SELV OM dette Afsnit is Kun drøftet kombinationen AF EN NAT router in klientsiden MED Aktiv tilstand, gælder directly Til en server bag en NAT router OG svaret in PASV kommandoen.
While this section only discussed the combination of a NAT router on the client side with active mode, the same applies to a server behind a NAT router and the reply to the PASV command.


== Opsætning FileZilla Client ==
== Setting up FileZilla Client ==


Hvis du kører FileZilla 3, anbefales det at køre guiden netværkskonfiguration. Det vil guide dig gennem de nødvendige skridt og kan teste din indstilling i sidste ende.
In case you're running FileZilla 3, it's recommended you run the network configuration wizard. It will guide you through the necessary steps and can test your configuration in the end.


Selvfølgelig, hvis du ønsker at forbinde til nogen server, skal du fortælle din firewall, FileZilla skal have lov til at åbne forbindelser til andre servere. De fleste normale FTP-servere bruger port 21, SFTP servere bruger port 22 og FTP over SSL / TLS (implicit mode) bruge port 990 som standard. Disse havne er ikke obligatoriske selv om, så det er bedst at give udgående forbindelser til vilkårlig fjernbetjening havne.
Obviously, if you want to connect to any server, you need to tell your firewall that FileZilla should be allowed to open connections to other servers. Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory though, so it's best to allow outgoing connections to arbitrary remote ports.


Da der er mange servere på internettet, er forkert og ikke not support både transfer modes, er anbefales det at du konfigurere både transfer modes på din ende.
Since there are many servers on the internet that are misconfigured and don't support both transfer modes, it's recommended that you configure both transfer modes on your end.


=== Passive mode ===
=== Passive mode ===


Hvis kunden ikke Advocate Kontrol over, Finde port Serveren vælger Til dataforbindelsen i passiv tilstand, sa i Bruge passiv tilstand, ER du nødt Til at tillade udgående forbindelser Til Alle havne i din firewall.
The client has no control over what port the server chooses for the data connection in passive mode, so in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.


=== Aktiv tilstand ===
=== Active mode ===


Jeg Aktiv tilstand, Åbner kunden en sokkel OG Venter Pa ved Serveren etablere overførslen forbindelse.
In active mode, the client opens a socket and waits for the server to establish the transfer connection.


SOM standard, spørger FileZilla Client operativsystemet for maskinens IP-Adresse OG for en fre portnummer. This Konfiguration KAN Kun fungere, hvis du ER Forbundet Til internettet Direkte Uden NAT router, OG hvis du Advocate lør din firewall Til at tillade indgående forbindelser in Alle havne blotte udgangen 1024.
By default, FileZilla Client asks the operating system for the machine's IP address and for a free port number. This configuration can only work if you are connected to the internet directly without any NAT router and if you have set your firewall to allow incoming connections on all ports greater than 1024.


Hvis du Administrator en NAT router, SKAL du fortælle FileZilla din eksterne IP-Adresse Eller Aktiv tilstand forbindelser VII, ikke Arbejde MED Netværksenheder Uden for DIT Lokale Netværk:
If you have a NAT router, you need to tell FileZilla your external IP address or active mode connections will not work with servers outside your local network:
* Hvis du Advocate en fast ekstern IP-Adresse, KAN du indtaste den i indstillingsdialogen AF FileZilla.
* If you have a fixed external IP address, you can enter it in the configuration dialog of FileZilla.  
* Hvis du Advocate en Dynamisk IP-Adresse, KAN du belaesset FileZilla fa din eksterne IP Adresse FRA EN Saerlig hjemmeside automatisk, hver bande du starter FileZilla. Ligegyldigt hvilken version AF FileZilla Administrator du Ingen oplysninger VII, blive forelagt Til This page hjemmeside.
* If you have a dynamic IP address, you can let FileZilla obtain your external IP address from a special website automatically each time you start FileZilla. No matter what version of FileZilla you have, no information will be submitted to that website.
Hvis du ER i tvivl, sa brug den Anden mulighed.
If in doubt, use the second option.


Hvis du ikke ønsker at tillade indgående forbindelser in Allé havne, Eller hvis du Advocate en NAT router, du SKAL fortælle FileZilla Til at Bruge en række særlige porte Til Aktiv tilstand forbindelser. Du VII, har Til at åbne disse porte i din firewall. Hvis du Administrator en NAT router, SKAL du sende disse porte Til den Lokale Maskine FileZilla is installeret in. Afhængig AF DIN router model, KAN du Docenter sende en række havne Eller du SKAL sende Allé havne individuelt.
If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla to use a specific range of ports for active mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.


Gyldig havne KAN be FRA 1 Til 65535, hund havne mindre udgangen 1024 ER reserveret Til Andre protokoller. DET ER ps på vælge havne større slutningen Eller LIG Til 50.000 for Aktiv tilstand FTP. In Grund AF karakteren AF [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] (Det underliggende transport-protokollen), KAN en havn ikke KAN genanvendes umiddelbart Morgen, Lys hver Enkelt forbindelse. Derfor rækken AF havne, bor ikke be for lille Eller overførsler AF sukkerærter Små filer KAN mislykkes. En række in 50 havne bor be tilstrækkeligt i de fleste tilfælde.
Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports greater than or equal to 50000 for active mode FTP. Due to the nature of [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.


<div align="center">
<div align="center">
[[Billede: Settings_activemode.png | Screenshot FRA indstillingsdialogen AF FileZilla 3, der viser konfigurationen side for Aktiv tilstand.]]
[[Image:Settings_activemode.png|Screenshot of settings dialog of FileZilla 3 showing configuration page for active mode.]]
</ Div>
</div>


== Opsætning FileZilla Server ==
== Setting up FileZilla Server ==


Opsætning af server er meget lig at oprette kunden, den vigtigste forskel er, at roller aktive og passive tilstand er vendt.
Setting up the server is very similar to setting up the client, the main difference is that the roles of active and passive mode are reversed.


En almindelig fejl gjort specielt fra brugere med NAT-routere er den måde, de test serveren. Hvis du er inden for dit lokale netværk, kan du kun teste ved hjælp af den lokale IP adresse på serveren. Brug af eksterne adresse fra indersiden vil sandsynligvis mislykkes. Dybest set en af følgende kunne ske, hvis du forsøger at oprette forbindelse via den eksterne adresse fra indersiden:
One common mistake done especially from users with NAT routers is the way they test the server. If you are within your local network, you can only test using the local IP address of the server. Using the external address from the inside will probably fail. Basically one of the following could happen if you try to connect using the external address from the inside:
* Det overraskende værker
* It surprisingly works
* Router blokerer adgangen til sin egen eksterne adresse fra indersiden som muligt angreb
* Router blocks access to its own external address from the inside as possible attack
* Router fremad forbindelse til din ISP som så blokerer det muligt angreb
* Router forwards connection to your ISP which then blocks it as possible attack
Selv om det virker, er der ingen garanti for en ekstern bruger virkelig kan oprette forbindelse til din server og overføre filer. Den eneste pålidelige måde er at forbinde til din server fra en ekstern system uden for dit LAN.
Even if that works, there is no guarantee an external user can really connect to your server and transfer files. The only reliable way is to connect to your server from an external system outside of your LAN.


=== Aktiv tilstand ===
=== Active mode ===


Bare Sorg FileZilla Server Får lov Til at etablere udgående forbindelser Til vilkårlige havne, da kunden Yes, SOM port Til brug.
Just make sure FileZilla Server is allowed to establish outgoing connections to arbitrary ports, since the client controls which port to use.  


For den Lokale Ende AF forbindelsen, forsøger FileZilla Server Til at Bruge en havn en mindre ende Hos kontrolgruppen forbindelse (f.eks port 20, hvis Serveren lytter in port 21). Mænd DET ER ikke Altid muligt, sa du SKAL ikke vandt in DET.
For the local end of the connection, FileZilla Server tries to use a port one less than that of the control connection (e.g. port 20 if server is listening on port 21). However this is not always possible, so don't rely on it.


=== Passive mode ===
=== Passive mode ===


Server Konfiguration ER meget LIG klient Konfiguration Til Aktiv tilstand.
Server configuration is very similar to client configuration for active mode.


Jeg passiv tilstand, Åbner Serveren et Stik, OG Venter in kunden på oprette forbindelse Til Det.
In passive mode, the server opens a socket and waits for the client to connect to it.


SOM standard, spørger FileZilla Server operativsystemet for maskinens IP-Adresse OG for en fre portnummer. This Konfiguration KAN Kun fungere, hvis du ER Forbundet Til internettet Direkte Uden NAT router, OG hvis du Advocate lør din firewall Til at tillade indgående forbindelser in Alle havne blotte udgangen 1024.
By default, FileZilla Server asks the operating system for the machine's IP address and for a free port number. This configuration can only work if you are connected to the internet directly without any NAT router and if you have set your firewall to allow incoming connections on all ports greater than 1024.


Hvis du Administrator en NAT router, SKAL du fortælle FileZilla Server din eksterne IP-Adresse Eller passiv mode forbindelser VII, ikke Arbejde MED kunder Uden for DIT Lokale Netværk:
If you have a NAT router, you need to tell FileZilla Server your external IP address or passive mode connections will not work with clients outside your local network:
* Hvis du Advocate en fast ekstern IP-Adresse, KAN du indtaste den i indstillingsdialogen AF FileZilla Server.
* If you have a fixed external IP address, you can enter it in the configuration dialog of FileZilla Server.  
* Hvis du Advocate en Dynamisk IP-Adresse, KAN mand belaesset FileZilla Server fa din eksterne IP Adresse FRA EN Saerlig hjemmeside automatisk. Bortset din version AF filezilla server, Ingen oplysninger VII, blive forelagt Til This page hjemmeside.
* If you have a dynamic IP address, you can let FileZilla Server obtain your external IP address from a special website automatically. Except your version of FileZilla Server, no information will be submitted to that website.
Hvis du ER i tvivl, sa brug den Anden mulighed.
If in doubt, use the second option.


Hvis du ikke ønsker at tillade indgående forbindelser in Allé havne, Eller hvis du Advocate en NAT router, SKAL du fortælle FileZilla Server på Bruge en bestemt række havne for passiv tilstand forbindelser. Du VII, har Til at åbne disse porte i din firewall. Hvis du Administrator en NAT router, SKAL du sende disse porte Til den Lokale Maskine FileZilla Server is installeret in. Afhængig AF DIN router model, KAN du Docenter sende en række havne Eller du SKAL sende Allé havne individuelt.
If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla Server to use a specific range of ports for passive mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla Server is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.


Gyldig havne KAN be FRA 1 Til 65535, hund havne mindre udgangen 1024 ER reserveret Til Andre protokoller. DET ER ps på vælge havne> = 50000 for passiv tilstand FTP. In Grund AF karakteren AF [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] (Det underliggende transport-protokollen), KAN en havn ikke KAN genanvendes umiddelbart Morgen, Lys hver Enkelt forbindelse. Derfor rækken AF havne, bor ikke be for lille Eller overførsler AF sukkerærter Små filer KAN mislykkes. En række in 50 havne bor be tilstrækkeligt i de fleste tilfælde.
Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.


<div align="center">
<div align="center">
[[Billede: Serversettings_passive.png | Screenshot FRA indstillingsdialogen AF FileZilla Server viser konfigurationen side for passiv tilstand.]]
[[Image:Serversettings_passive.png|Screenshot of settings dialog of FileZilla Server showing configuration page for passive mode.]]
</ Div>
</div>


== Fejlfinding ==
== Troubleshooting ==


Desværre er mange personlige firewalls og forbruger routere mangelfuld eller i nogle tilfælde, er endnu aktivt saboterer FTP (f.eks [http://www.gbnetwork.co.uk/smcftpd/ SMC Barricade V1.2]).
Unfortunately, many personal firewalls and consumer routers are flawed or in some cases, are even actively sabotaging FTP (e.g. [http://www.gbnetwork.co.uk/smcftpd/ SMC Barricade V1.2]).


Først og fremmest skal du holde alt up-to-date. Dette omfatter firewall-software samt firmware version på din router.
First of all, you should keep everything up-to-date. This includes the firewall software as well as the firmware version in your router.


Hvis det ikke hjælper, kan du prøve at'''afinstallere''' din firewall for at se hvad der sker. Du skal blot deaktivere din firewall kan ikke arbejde, da nogle firewalls ikke kan være fuldt uarbejdsdygtig.
If that does not help, you might want to try to '''uninstall''' your firewall to see what happens. Simply disabling your firewall might not work, as some firewalls cannot be fully disabled.


Hvis det er muligt, forsøge at oprette forbindelse direkte til internettet uden en router.
If possible, try to connect directly to the internet without a router.


Hvis du forsøger at sætte en server og det virker fint i din internet, men kan ikke nås udefra, kan du prøve at ændre den aflytning havneby. Nogle internetudbydere kan ikke lide sine kunder til at være vært servere og blokere havne <1024.
If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like its customers to host servers and block ports < 1024.


Et andet problem kan være, hvis du er vært for en FTP-server på standard port 21. Der kan være en firewall ISP side af din forbindelse der kan gøre underlige ting som at skifte havn for PASV kommandoer. Prøv at bruge en anden ikke-standard port til din FTP server.
Another problem might be if you are hosting an FTP server on default port 21. There might be a firewall at the ISP side of your connection which can do odd things like changing the port for PASV commands. Try using another non-default port for your FTP server.


Hvis du støder på "kan ikke åbne dataforbindelse" på stikprøvebasis, dvs ftp klient kan oprette forbindelse til ftp-serveren uden problem for mange forbindelser, indtil den støder på dette problem, kan man mulig grund være din klient-pc anti-virus scanner er konfigureret til blokere for udgående forbindelser på visse intervaller af havne. Når din ftp-forbindelser kører på PASV mode, klientsiden udgående porte er udvalgt tilfældigt, og når det rammer dem, der forbydes havne, vil du støde på dit problem. At identificere problemet, kan du læse din anti-virus logge på den pågældende kunde. Generelt software f.eks PC firewall osv., der kan blokere bestemte vifte af udgående porte kan forårsage lignende ftp sorg.
If you encounter "cannot open data connection" on a random basis, i.e. the ftp client can connect to the ftp server without problem for many connections until it encounters this problem, one possible reason may be your client PC anti-virus scanner being configured to block outgoing connections on certain ranges of ports. When your ftp connections are running on pasv mode, the client side outgoing ports are selected randomly and when it hits those prohibited ports, you will encounter your problem. To identify this problem, read your anti-virus log on that client. In general, any software e.g. PC firewall, etc that can block certain range of outgoing ports can cause similar ftp grief.


=== Timeouts in butik filer ===
=== Timeouts on large files ===


Hvis du KAN overføre Små filer fint, mænd overførsel AF større filer Ende MED EN timeout, sa ER der en knækket router OG / Eller firewall mellem klienten OG den server, der ER årsag dette problem.
If you can transfer small files just fine, but transfers of larger files end with a timeout, then there is a broken router and/or firewall between the client and the server that is causing this problem.


SOM nævnt ovenfor, FTP bruger til TCP-forbindelser: En Kontrol tilslutning Til at fremsætte kommandoer OG modtage svar Samt en dataforbindelse Til den faktiske filoverførsler. DET ER karakteren AF FTP, på under en overførsel Kontrol forbindelsen forbliver Helt Stille.
As mentioned above, FTP uses two TCP connections: One control connection to submit commands and to receive replies as well as one data connection for the actual file transfers. It is the nature of FTP that during a transfer the control connection stays completely idle.


TCP-Specifikationer ikke fastsat en grænse for, hvor lang TID en forbindelse KAN blive ledig. Medmindre DET udtrykkeligt Lukket da forbindelse antages på forblive i live in ubestemt TID. Skab routere OG firewalls hund automatisk lukke tomgang forbindelser Morgen, Lys et stykke TID. Finde værre øh, de fleste AF tiden ikke engang anmelde endpoints AF This page, i stedet de bare tavst droppe forbindelsen. SA til FTP betyder dette, at jeg Løbet AF en lang overføre kontrollen forbindelsen KAN fa droppet, mænd hverken klient Eller server fa på vide OM DET. SA nar Alle data is blevet overført, Serveren skal stadig mener Kontrol-forbindelsen is i live OG afsender overførsel bekræftelse svar i Løbet AF de Kontrol-forbindelsen. Ligeledes kunden Samt tænker Yes forbindelsen is i live OG Venter in svar FRA Serveren. Mænd da kontrollen forbindelse tavst FIK tabes, dette svar not combine Kommer i Sidste Ende medfører en timeout.
The TCP specifications do not set a limit on the amount of time a connection can stay idle. Unless explicitly closed a connection is assumed to remain alive indefinitely. Many routers and firewalls however automatically close idle connections after a while. Worse, they most of the time don't even notify the endpoints of this, instead they just silently drop the connection. So for FTP this means that during a long transfer the control connection can get dropped, but neither client nor server get to know about it. So when all data has been transferred, the server still thinks the control connection is alive and sends the transfer confirmation reply over the control connection. Likewise, the client as well thinks the control connection is alive and waits for the reply from the server. But since the control connection got silently dropped, this reply never arrives, eventually causing a timeout.


Jeg et forsøg in på at miste dette problem, bl.a. TCP Specifikationer en sted til sende keep-alive pakker in buffer gjort ledig TCP-forbindelser, Til at fortælle Alle de involverede medindehaver på forbindelsen ER stadig i live OG havde brug for. Mænd den TCP Specifikationer også gore DET meget klart, at disse keep-alive pakker bor ikke sendes oftere ende en bande hver buffer tid. Således tilsat tolerance for netværksventetid, KAN forbindelser Ophold tomgang i op Til 2 timer OG 4 minutter.
In an attempt to solve this problem, the TCP specifications include a way to send keep-alive packets on otherwise idle TCP connections, to tell all involved parties that the connection is still alive and needed. However, the TCP specifications also make it very clear that these keep-alive packets should not be sent more often than once every two hours. Thus, with added tolerance for network latency, connections can stay idle for up to 2 hours and 4 minutes.


Problemet ER, at skab routere OG firewalls drop forbindelser, der Order været inaktiv i mindre ende 2 timer OG 4 minutter. En Sadan opførsel is på krænke TCP Specifikationer [http://filezilla-project.org/specs/rfc5382.txt RFC 5382] gor dette meget klart. Med André ORD, omhu routere OG firewalls, der ER faldet tomgang tilslutninger for tidligt brydes de bare ikke KAN benyttes i længere FTP overførsler. Desværre Producenter AF forbruger-grade router OG firewall sælgere ligeglade Specifikationer, alt, Finde de bekymrer signa Kun OM på fa spise Penge, OG dermed Kun KAN levere næsten arbejder laveste Kvalitet junk.
The problem is that many routers and firewalls drop connections that have been idle for less than 2 hours and 4 minutes. Such behavior is violating the TCP specifications, [http://filezilla-project.org/specs/rfc5382.txt RFC 5382] makes this very clear. In other words, all routers and firewalls that are dropping idle connections too early are broken, they just cannot be used for long FTP transfers. Unfortunately manufacturers of consumer-grade router and firewall vendors do not care about specifications, all they care about is getting your money and thus only deliver barely working lowest quality junk.


For at tabe dette problem Skal du afinstallere et berørt firewall OG erstatte defekte router MED EN Kvalitet en.
To solve this problem you need to uninstall any affected firewall and replace any faulty router with a quality one.


== Opsætning FileZilla server med Windows Firewall ==
== Setting up FileZilla Server with Windows Firewall ==


Hvis du har problemer med at oprette FileZilla Server til at køre bag Windows Firewall (specifikt den vinder på "List" og kunden modtager en "Kunne ikke modtage katalogliste" fejl), skal du tilføje FileZilla Server ansøgning til Windows Firewall's undtagelser liste. Det kan du gøre ved at følge disse trin:
If you are having problems with setting up FileZilla Server to run behind Windows Firewall (specifically, it fails on "List" and the client receives a "Failed to receive directory listing" error), you must add the FileZilla Server application to Windows Firewall's Exceptions list. To do this, follow these steps:


# Åbn Windows Firewall under Kontrolpanel.
# Open Windows Firewall under Control Panel.
# Hvis du bruger Vista, klik på "Skift indstillinger"
# If using Vista, click "Change Settings"
# Vælg "Undtagelser" fanen.
# Select the "Exceptions" tab.
# Klik på "Tilføj program ..."
# Click "Add program..."
# Du ikke vælge "FileZilla Server Interface" fra listen, i stedet klikke på "Browse ..."
# Do NOT select "FileZilla Server Interface" from the list, instead click on "Browse..."
# Find den mappe du har installeret FileZilla Server til (normalt "C: \ Programmer \ FileZilla Server \")
# Locate the directory you installed FileZilla Server to (normally "C:\Program Files\FileZilla Server\")
# Dobbeltklik eller vælg "FileZilla server.exe" og tryk åben (igen, IKKE "FileZilla Server Interface.exe")
# Double click or select "FileZilla server.exe" and press open (Once again, NOT "FileZilla Server Interface.exe")
# Vælg "FileZilla server.exe" fra listen og klik på "Ok"
# Select "FileZilla server.exe" from the list and click "Ok"
# Kontroller, at "FileZilla server.exe" er føjet til listen over undtagelser, og at det har en markering i boksen ved siden af
# Verify that "FileZilla server.exe" is added to the exceptions list and that it has a check mark in the box next to it
# Tryk på "Ok" for at lukke vinduet
# Press "Ok" to close the window


Passive mode bør nu arbejde. Hvis du stadig har problemer med at forbinde (fra en anden computer eller uden for nettet) kontrollere din router indstillinger eller forsøge at tilføje portnummer i [[Windows]] Firewall indstillinger ligger i fanen Undtagelser.
Passive mode should now work. If you are still having problems connecting (from another computer or outside the network) check your router settings or try to add the port number in the [[Windows]] Firewall settings located in the Exceptions tab.


Se Microsoft KB-artikel 931130 om at køre FileZilla med "Routing and Remote Access" eller "Application Layer Gateway" service aktiveret.
See the Microsoft kb article 931130 about running FileZilla with the "Routing and Remote Access" or the "Application Layer Gateway" service enabled.
http://support.microsoft.com/kb/931130
http://support.microsoft.com/kb/931130

Revision as of 18:19, 19 May 2010

Setting up network components for FTP is not trivial for use outside your LAN (Local Area Network). Since so many firewalls and routers exist, it is impractical to give detailed step-by-step instructions suitable for every user. To configure FileZilla and the routers and/or firewalls involved, it is important to understand the basics of the FTP protocol. This documentation describes the history of the FTP protocol and how some aspects of the protocol work. Read it carefully, it will save you a lot of trouble setting up FTP.

Background

An overview of the historical and technical background of the FTP protocol. For detailed in-depth information see specifications.

Historical Background

In the fast living world of the internet, the File Transfer Protocol is not just old, it's ancient. Early drafts of the protocol go back as far as 1971, with the current specifications being from 1985. The protocol might even be older than you!

Back then, the Internet was mainly used by universities and research centers. The community was small, many users knew each other and all were collaborating together. The internet was a friendly, trusting place. Security was not a concern.

Since then, a lot has changed. The Internet is now ubiquitous, with millions of users communicating with each other in many different ways. The internet is now a hostile place. The availability and openness has attracted malicious users who exploit design limitations, incomplete implementations, bugs and the inexperience of other users. A well-known software company located in Redmond, WA certainly played a part in this.

Several attempts have been made to address these problems:

  • NAT (Network Address Translation) routers. Many of the hosts and routers on the internet use the IPv4 protocol. The number of hosts connected to the internet is reaching IPV4's design limit for the number of addresses(IPv6 is designed to relieve this). NAT routers allow multiple systems within a LAN to connect to the outside world with one external IP address.
  • Personal firewalls try to protect personal computers from attacks by malicious users.

Unfortunately, both NAT and personal firewalls conflict with FTP more often than not. To make things worse, some of them even have flaws themselves, causing additional problems regarding FTP.

Technical background

What distinguishes FTP from most other protocols is the use of secondary connections for file transfers. If you connect to an FTP server, you establish the so-called control connection, over which the FTP commands and their replies are transferred. In order to transfer a file or a directory listing, the client sends some command over the control connection to establish the data connection.

This data connection can be established in two different ways, called active mode and passive mode.

In passive mode, which is the recommended mode, the client sends the PASV command to the server, and the server responds with an address. The client then issues a command to transfer a file or to get a directory listing and establishes a secondary connection to the address returned by the server.

In active mode, the client opens a socket on the local machine, and tells its address to the server using the PORT command. Once the client issues a command to transfer a file or listing, the server will connect to the address provided by the client.

In both cases, the actual file or listing is then transferred over the data connection.

In general, establishing outgoing connections requires less configuration on the routers/firewalls involved than establishing incoming connections. In passive mode, the connection is outgoing on the client side and incoming on the server side. In active mode however, the roles are reversed: The data connection is incoming on the client side and outgoing on the server side. Please note that this only makes a difference for connection establishment: Once the data connection gets established it can be used for either up- or downloads.

A common network setup might look like this:

FTP1.png


So in passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side however, only outgoing connections have to be allowed, which will already be the case most of the time.

Analogous in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Apparently on the server side, only outgoing connections have to be allowed.

Since usually one server provides a service for many users, it is far easier to just configure the router and firewall on the server side once for passive mode, than to configure the client's router/firewall for each individual client in active mode. That is why passive mode is recommended.

NAT routers

For most broadband users, there will be a NAT (Network Address Translation) router between their computer and the internet. This NAT router may be a standalone router device (perhaps a wireless router), or it could be built into a DSL modem or Cable modem. In a NAT environment, all systems behind the NAT router form a Local Area Network (LAN) and each system in the LAN has a local IP address (recognizable as four small numbers separated by dots). The NAT router itself has a local IP address as well. In addition to that, the NAT router also has an external IP address under which it is known to the internet. The internal IP addresses are only valid inside the LAN, for a remote system they would make no sense. Example:

FTP2.png


Assume a server is behind a NAT router. Imagine what happens if a client requests passive mode but the server does not know the external IP address of the NAT router. So the server sends its internal address to the client. In that case two things could happen:

  • If the client is not behind a NAT, client would abort since address is invalid.
  • If client is behind a NAT, the address given by the server might be the same as a system in the client's own LAN.

Obviously, in both cases passive mode would be impossible.

So if a server is behind a NAT router, it needs to know the external IP address of the router in passive mode. In that case, the server sends the router's external address to the client. The client then establishes a connection to the NAT router, which in turn routes the connection to the server.

Firewalls

The purpose of a Personal Firewall is to protect the user from security vulnerabilities in the operating system or the applications running on it. Over the internet, malware like for example worms try to exploit these flaws to infect your system. Firewalls can help to prevent such an infection.

Especially if using FTP, firewall users might sometimes see messages like this from their firewall:

Trojan Netbus blocked on port 12345 used by FileZilla.exe

In almost all cases, this is a false alarm. Any program can choose any port it wants for communication over the internet. So it can happen that FileZilla happens to choose a port that is incidentally the default port of a trojan or some other malware. As long as you download FileZilla from the official website, it is clean of any malware.

Malicious routers, firewalls and data sabotage

Some routers and firewalls pretend to be smart. They analyze the connections and if they think it is FTP, they silently change the data exchanged between client and server. If the user has not explicitly enabled this feature, this behavior is nothing else than data sabotage and can cause various problems.

To illustrate with an example, assume there is a client behind a NAT router trying to connect to the server. Let's further assume that this client does not know it is behind a NAT and wants to use active mode. So it sends the PORT command with his local, unroutable IP address to the server:

PORT 10,0,0,1,12,34

The above command tells the server to connect to the address 10.0.0.1 on port 12*256+34 = 3106

The NAT router sees this and silently changes the command to include the external IP address. At the same time, the NAT router will also create a temporary port forwarding for the FTP session, possibly on a different port even:

PORT 123,123,123,123,24,55

Now the above command tells the server to connect to the address 123.123.123.123 on port 24*256+55 = 6199

With this behavior, a NAT router allows an improperly configured client to use active mode.

But why is this bad? If this feature is enabled by default, without explicit user consent, it causes lots of problems. FTP connections in its most basic form appear to work, but as soon as there's some deviation from the basic case, everything will fail, leaving the user totally stumped:

  • The NAT router blindly assumes some connection uses FTP based on criteria like target ports or the initial server response:
    • There is no guarantee that the used protocol really is FTP, yet it is detected as such (also called false positive). Though unlikely, it is conceivable that in a future revision of the FTP protocol, the syntax of the PORT command might change. A NAT router modifying the PORT command would silently change things it does not support and thus break the connection.
    • The router's protocol detection can fail to recognize an FTP connection (a false negative). Let's assume the router only looks at the target port, and if it is 21, it detects it as FTP. As such, active mode connections with an improperly configured client to servers running on port 21 will work, but connections to other servers on non-standard ports will fail.
  • Obviously, a NAT router can no longer tamper with the connection as soon as an encrypted FTP session is used, again leaving the user clueless why it works for normal FTP but not for encrypted FTP.
  • Assume a client behind a NAT router sends "PORT 10,0,0,1,12,34". How does the NAT router know the client is improperly configured? It is also possible that the client is properly configured, yet merely wants to initiate an FXP (server-to-server) transfer between the server it is connected to and another machine in the server's own local network.

As you can see, having protocol specific features enabled in a NAT router by default is a bad thing. A good NAT router should always be fully protocol-agnostic. The exception is if you as user have explicitly enabled this feature, knowing all its consequences.

While this section only discussed the combination of a NAT router on the client side with active mode, the same applies to a server behind a NAT router and the reply to the PASV command.

Setting up FileZilla Client

In case you're running FileZilla 3, it's recommended you run the network configuration wizard. It will guide you through the necessary steps and can test your configuration in the end.

Obviously, if you want to connect to any server, you need to tell your firewall that FileZilla should be allowed to open connections to other servers. Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory though, so it's best to allow outgoing connections to arbitrary remote ports.

Since there are many servers on the internet that are misconfigured and don't support both transfer modes, it's recommended that you configure both transfer modes on your end.

Passive mode

The client has no control over what port the server chooses for the data connection in passive mode, so in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

Active mode

In active mode, the client opens a socket and waits for the server to establish the transfer connection.

By default, FileZilla Client asks the operating system for the machine's IP address and for a free port number. This configuration can only work if you are connected to the internet directly without any NAT router and if you have set your firewall to allow incoming connections on all ports greater than 1024.

If you have a NAT router, you need to tell FileZilla your external IP address or active mode connections will not work with servers outside your local network:

  • If you have a fixed external IP address, you can enter it in the configuration dialog of FileZilla.
  • If you have a dynamic IP address, you can let FileZilla obtain your external IP address from a special website automatically each time you start FileZilla. No matter what version of FileZilla you have, no information will be submitted to that website.

If in doubt, use the second option.

If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla to use a specific range of ports for active mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports greater than or equal to 50000 for active mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Screenshot of settings dialog of FileZilla 3 showing configuration page for active mode.

Setting up FileZilla Server

Setting up the server is very similar to setting up the client, the main difference is that the roles of active and passive mode are reversed.

One common mistake done especially from users with NAT routers is the way they test the server. If you are within your local network, you can only test using the local IP address of the server. Using the external address from the inside will probably fail. Basically one of the following could happen if you try to connect using the external address from the inside:

  • It surprisingly works
  • Router blocks access to its own external address from the inside as possible attack
  • Router forwards connection to your ISP which then blocks it as possible attack

Even if that works, there is no guarantee an external user can really connect to your server and transfer files. The only reliable way is to connect to your server from an external system outside of your LAN.

Active mode

Just make sure FileZilla Server is allowed to establish outgoing connections to arbitrary ports, since the client controls which port to use.

For the local end of the connection, FileZilla Server tries to use a port one less than that of the control connection (e.g. port 20 if server is listening on port 21). However this is not always possible, so don't rely on it.

Passive mode

Server configuration is very similar to client configuration for active mode.

In passive mode, the server opens a socket and waits for the client to connect to it.

By default, FileZilla Server asks the operating system for the machine's IP address and for a free port number. This configuration can only work if you are connected to the internet directly without any NAT router and if you have set your firewall to allow incoming connections on all ports greater than 1024.

If you have a NAT router, you need to tell FileZilla Server your external IP address or passive mode connections will not work with clients outside your local network:

  • If you have a fixed external IP address, you can enter it in the configuration dialog of FileZilla Server.
  • If you have a dynamic IP address, you can let FileZilla Server obtain your external IP address from a special website automatically. Except your version of FileZilla Server, no information will be submitted to that website.

If in doubt, use the second option.

If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla Server to use a specific range of ports for passive mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla Server is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Screenshot of settings dialog of FileZilla Server showing configuration page for passive mode.

Troubleshooting

Unfortunately, many personal firewalls and consumer routers are flawed or in some cases, are even actively sabotaging FTP (e.g. SMC Barricade V1.2).

First of all, you should keep everything up-to-date. This includes the firewall software as well as the firmware version in your router.

If that does not help, you might want to try to uninstall your firewall to see what happens. Simply disabling your firewall might not work, as some firewalls cannot be fully disabled.

If possible, try to connect directly to the internet without a router.

If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like its customers to host servers and block ports < 1024.

Another problem might be if you are hosting an FTP server on default port 21. There might be a firewall at the ISP side of your connection which can do odd things like changing the port for PASV commands. Try using another non-default port for your FTP server.

If you encounter "cannot open data connection" on a random basis, i.e. the ftp client can connect to the ftp server without problem for many connections until it encounters this problem, one possible reason may be your client PC anti-virus scanner being configured to block outgoing connections on certain ranges of ports. When your ftp connections are running on pasv mode, the client side outgoing ports are selected randomly and when it hits those prohibited ports, you will encounter your problem. To identify this problem, read your anti-virus log on that client. In general, any software e.g. PC firewall, etc that can block certain range of outgoing ports can cause similar ftp grief.

Timeouts on large files

If you can transfer small files just fine, but transfers of larger files end with a timeout, then there is a broken router and/or firewall between the client and the server that is causing this problem.

As mentioned above, FTP uses two TCP connections: One control connection to submit commands and to receive replies as well as one data connection for the actual file transfers. It is the nature of FTP that during a transfer the control connection stays completely idle.

The TCP specifications do not set a limit on the amount of time a connection can stay idle. Unless explicitly closed a connection is assumed to remain alive indefinitely. Many routers and firewalls however automatically close idle connections after a while. Worse, they most of the time don't even notify the endpoints of this, instead they just silently drop the connection. So for FTP this means that during a long transfer the control connection can get dropped, but neither client nor server get to know about it. So when all data has been transferred, the server still thinks the control connection is alive and sends the transfer confirmation reply over the control connection. Likewise, the client as well thinks the control connection is alive and waits for the reply from the server. But since the control connection got silently dropped, this reply never arrives, eventually causing a timeout.

In an attempt to solve this problem, the TCP specifications include a way to send keep-alive packets on otherwise idle TCP connections, to tell all involved parties that the connection is still alive and needed. However, the TCP specifications also make it very clear that these keep-alive packets should not be sent more often than once every two hours. Thus, with added tolerance for network latency, connections can stay idle for up to 2 hours and 4 minutes.

The problem is that many routers and firewalls drop connections that have been idle for less than 2 hours and 4 minutes. Such behavior is violating the TCP specifications, RFC 5382 makes this very clear. In other words, all routers and firewalls that are dropping idle connections too early are broken, they just cannot be used for long FTP transfers. Unfortunately manufacturers of consumer-grade router and firewall vendors do not care about specifications, all they care about is getting your money and thus only deliver barely working lowest quality junk.

To solve this problem you need to uninstall any affected firewall and replace any faulty router with a quality one.

Setting up FileZilla Server with Windows Firewall

If you are having problems with setting up FileZilla Server to run behind Windows Firewall (specifically, it fails on "List" and the client receives a "Failed to receive directory listing" error), you must add the FileZilla Server application to Windows Firewall's Exceptions list. To do this, follow these steps:

  1. Open Windows Firewall under Control Panel.
  2. If using Vista, click "Change Settings"
  3. Select the "Exceptions" tab.
  4. Click "Add program..."
  5. Do NOT select "FileZilla Server Interface" from the list, instead click on "Browse..."
  6. Locate the directory you installed FileZilla Server to (normally "C:\Program Files\FileZilla Server\")
  7. Double click or select "FileZilla server.exe" and press open (Once again, NOT "FileZilla Server Interface.exe")
  8. Select "FileZilla server.exe" from the list and click "Ok"
  9. Verify that "FileZilla server.exe" is added to the exceptions list and that it has a check mark in the box next to it
  10. Press "Ok" to close the window

Passive mode should now work. If you are still having problems connecting (from another computer or outside the network) check your router settings or try to add the port number in the Windows Firewall settings located in the Exceptions tab.

See the Microsoft kb article 931130 about running FileZilla with the "Routing and Remote Access" or the "Application Layer Gateway" service enabled. http://support.microsoft.com/kb/931130