Why does FTP Active mode work?

In FTP Active mode the client listens on a port and the server initiates a connection to that port. I tried it and that does seem to be what happens; ftp.gnu.org apparently opened a connection to my computer on its own:

14:59:32.149900 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [S], seq 1241450827, win 29200, options [mss 1440,sackOK,TS val 1000896802 ecr 0,nop,wscale 7], length 0
ftp ftp.gnu.org
~ $ ftp ftp.gnu.org
Connected to ftp.gnu.org.
220 GNU FTP server ready.
Name (ftp.gnu.org:xcy): anonymous
230-NOTICE (Updated October 13 2017):
230-
230-Because of security concerns with plaintext protocols, we still
230-intend to disable the FTP protocol for downloads on this server
230-(downloads would still be available over HTTP and HTTPS), but we
230-will not be doing it on November 1, 2017, as previously announced
230-here. We will be sharing our reasons and offering a chance to
230-comment on this issue soon; watch this space for details.
230-
230-If you maintain scripts used to access ftp.gnu.org over FTP,
230-we strongly encourage you to change them to use HTTPS instead.
230-
230----
230-
230-Due to U.S. Export Regulations, all cryptographic software on this
230-site is subject to the following legal notice:
230-
230-    This site includes publicly available encryption source code
230-    which, together with object code resulting from the compiling of
230-    publicly available source code, may be exported from the United
230-    States under License Exception "TSU" pursuant to 15 C.F.R. Section
230-    740.13(e).
230-
230-This legal notice applies to cryptographic software only. Please see
230-the Bureau of Industry and Security (www.bxa.doc.gov) for more
230-information about current U.S. regulations.
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               8 Aug 20  2004 CRYPTO.README -> .message
-rw-r--r--    1 0        0           17864 Oct 23  2003 MISSING-FILES
-rw-r--r--    1 0        0            4178 Aug 13  2003 MISSING-FILES.README
-rw-r--r--    1 0        0            2991 Oct 03  2019 README
-rw-r--r--    1 0        0          405121 Oct 23  2003 before-2003-08-01.md5sums.asc
-rw-rw-r--    1 0        3003       266558 Jun 04 23:00 find.txt.gz
drwxrwxr-x  322 0        3003        12288 Feb 16 07:35 gnu
drwxrwxr-x    3 0        3003         4096 Mar 10  2011 gnu+linux-distros
-rw-rw-r--    1 0        3003       490132 Jun 04 23:00 ls-lrRt.txt.gz
drwxr-xr-x    3 0        0            4096 Apr 20  2005 mirrors
lrwxrwxrwx    1 0        0              11 Apr 15  2004 non-gnu -> gnu/non-gnu
drwxr-xr-x   91 0        0            4096 Jan 24  2019 old-gnu
lrwxrwxrwx    1 0        0               1 Aug 05  2003 pub -> .
drwxr-xr-x    2 0        0            4096 Nov 08  2007 savannah
drwxr-xr-x    2 0        0            4096 Aug 02  2003 third-party
drwxr-xr-x    2 0        0            4096 Apr 07  2009 tmp
-rw-rw-r--    1 0        3003       579355 Jun 04 23:00 tree.json.gz
drwxr-xr-x    2 0        0            4096 May 07  2013 video
-rw-r--r--    1 0        0            2830 Dec 18  2018 welcome.msg
226 Directory send OK.
ftp> quit
sudo tcpdump host ftp.gnu.org
~ $ sudo tcpdump host ftp.gnu.org
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:59:22.264321 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 3973045689:3973045705, ack 2440437920, win 2052, options [nop,nop,TS val 588267089 ecr 1000892404], length 16: FTP: USER anonymous
14:59:22.533091 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 16, win 227, options [nop,nop,TS val 1000894410 ecr 588267089], length 0
14:59:22.597714 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1:40, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 39: FTP: 230-NOTICE (Updated October 13 2017):
14:59:22.597750 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 40, win 2051, options [nop,nop,TS val 588267420 ecr 1000894431], length 0
14:59:22.599061 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 40:46, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 6: FTP: 230-
14:59:22.599066 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 46:115, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 69: FTP: 230-Because of security concerns with plaintext protocols, we still
14:59:22.599067 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 115:184, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 69: FTP: 230-intend to disable the FTP protocol for downloads on this server
14:59:22.599069 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 254:325, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 71: FTP: 230-will not be doing it on November 1, 2017, as previously announced
14:59:22.599070 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 184:254, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 70: FTP: 230-(downloads would still be available over HTTP and HTTPS), but we
14:59:22.599071 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 325:392, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 67: FTP: 230-here. We will be sharing our reasons and offering a chance to
14:59:22.599073 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 392:455, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 63: FTP: 230-comment on this issue soon; watch this space for details.
14:59:22.599074 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 455:461, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 6: FTP: 230-
14:59:22.599111 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 46, win 2051, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599133 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 115, win 2050, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599142 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 184, win 2049, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599232 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 184, win 2049, options [nop,nop,TS val 588267421 ecr 1000894431,nop,nop,sack 1 {254:325}], length 0
14:59:22.599249 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 325, win 2047, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599269 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 392, win 2046, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599277 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 455, win 2045, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599288 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 461, win 2045, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.940119 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 527:1279, ack 16, win 227, options [nop,nop,TS val 1000894493 ecr 588267420], length 752: FTP: 230-we strongly encourage you to change them to use HTTPS instead.
14:59:22.940158 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 461, win 2048, options [nop,nop,TS val 588267762 ecr 1000894431,nop,nop,sack 1 {527:1279}], length 0
14:59:23.306122 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 461:527, ack 16, win 227, options [nop,nop,TS val 1000894609 ecr 588267762], length 66: FTP: 230-If you maintain scripts used to access ftp.gnu.org over FTP,
14:59:23.306175 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1279, win 2035, options [nop,nop,TS val 588268127 ecr 1000894609], length 0
14:59:31.587645 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 16:43, ack 1279, win 2048, options [nop,nop,TS val 588276405 ecr 1000894609], length 27: FTP: PORT 192,168,2,101,230,23
14:59:31.833909 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 43, win 227, options [nop,nop,TS val 1000896741 ecr 588276405], length 0
14:59:31.834151 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1279:1330, ack 43, win 227, options [nop,nop,TS val 1000896741 ecr 588276405], length 51: FTP: 200 PORT command successful. Consider using PASV.
14:59:31.834246 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1330, win 2047, options [nop,nop,TS val 588276649 ecr 1000896741], length 0
14:59:31.834547 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 43:49, ack 1330, win 2048, options [nop,nop,TS val 588276649 ecr 1000896741], length 6: FTP: LIST
14:59:32.149900 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [S], seq 1241450827, win 29200, options [mss 1440,sackOK,TS val 1000896802 ecr 0,nop,wscale 7], length 0
14:59:32.150066 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [S.], seq 494738353, ack 1241450828, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 588276962 ecr 1000896802,sackOK,eol], length 0
14:59:32.150158 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 49, win 227, options [nop,nop,TS val 1000896812 ecr 588276649], length 0
14:59:32.456628 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1330:1369, ack 49, win 227, options [nop,nop,TS val 1000896881 ecr 588276649], length 39: FTP: 150 Here comes the directory listing.
14:59:32.456677 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1369, win 2047, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.457203 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [.], ack 1, win 229, options [nop,nop,TS val 1000896881 ecr 588276962], length 0
14:59:32.457210 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [P.], seq 1:1335, ack 1, win 229, options [nop,nop,TS val 1000896881 ecr 588276962], length 1334
14:59:32.457213 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [F.], seq 1335, ack 1, win 229, options [nop,nop,TS val 1000896881 ecr 588276962], length 0
14:59:32.457260 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [.], ack 1, win 2052, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.457284 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [.], ack 1335, win 2031, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.457301 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [.], ack 1336, win 2031, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.458293 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [F.], seq 1, ack 1336, win 2048, options [nop,nop,TS val 588277269 ecr 1000896881], length 0
14:59:32.701397 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1369:1393, ack 49, win 227, options [nop,nop,TS val 1000896957 ecr 588276649], length 24: FTP: 226 Directory send OK.
14:59:32.701443 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2047, options [nop,nop,TS val 588277510 ecr 1000896957], length 0
14:59:33.580121 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [F.], seq 1, ack 1336, win 2048, options [nop,nop,TS val 588278387 ecr 1000896881], length 0
14:59:35.013201 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 49:55, ack 1393, win 2048, options [nop,nop,TS val 588279820 ecr 1000896957], length 6: FTP: QUIT
14:59:35.321961 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 55, win 227, options [nop,nop,TS val 1000897597 ecr 588279820], length 0
14:59:35.322265 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [F.], seq 1407, ack 55, win 227, options [nop,nop,TS val 1000897597 ecr 588279820], length 0
14:59:35.322270 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1393:1407, ack 56, win 227, options [nop,nop,TS val 1000897597 ecr 588279820], length 14: FTP: 221 Goodbye.
14:59:35.322329 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280128 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.322354 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280128 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.569089 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897674 ecr 588279820], length 0
14:59:35.569141 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280374 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.572332 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897674 ecr 588279820], length 0
14:59:35.572385 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280377 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.618778 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [F.], seq 1, ack 1336, win 2048, options [nop,nop,TS val 588280423 ecr 1000896881], length 0
14:59:35.787693 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [F.], seq 1407, ack 56, win 227, options [nop,nop,TS val 1000897729 ecr 588279820], length 0
14:59:35.787731 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280591 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.817852 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897737 ecr 588279820], length 0
14:59:35.817911 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280621 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.032673 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897790 ecr 588279820], length 0
14:59:36.032739 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280835 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.063703 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897798 ecr 588279820], length 0
14:59:36.063744 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280866 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.345344 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897852 ecr 588279820], length 0
14:59:36.345398 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281147 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.345772 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897859 ecr 588279820], length 0
14:59:36.345795 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281147 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.369886 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [FP.], seq 1393:1407, ack 56, win 227, options [nop,nop,TS val 1000897875 ecr 588279820], length 14: FTP: 221 Goodbye.
14:59:36.369925 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281171 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.652539 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897930 ecr 588279820], length 0
14:59:36.652579 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281453 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.652831 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897930 ecr 588279820], length 0
14:59:36.652836 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897936 ecr 588279820], length 0
14:59:36.652859 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281453 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.652876 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281453 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
^C
75 packets captured
120 packets received by filter
0 packets dropped by kernel

Isn't a home network supposed to be unable to accept externally initiated TCP connections? How can ftp.gnu.org.ftp-data actively open a connection to port 58903 on my computer?

My network:

China Telecom modem -> my router -> my computer

Also, if I listen with nc -l 0.0.0.0 55555 on my computer and then visit http://<my public IP>:55555/, does that even reach "my router"?

It's probably using some kind of NAT traversal technique.

Doesn't look like it; the request is still initiated by the user. The first packet in your tcpdump:

14:59:22.264321 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 3973045689:3973045705, ack 2440437920, win 2052, options [nop,nop,TS val 588267089 ecr 1000892404], length 16: FTP: USER anonymous

Then the FTP server acknowledges:

14:59:22.597714 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1:40, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 39: FTP: 230-NOTICE (Updated October 13 2017):

RFC 959:

230 User logged in, proceed.

The passive data transfer process (this may be a user-DTP or a second server-DTP) shall “listen” on the data port prior to sending a transfer request command.

ftp.gnu.org.ftp stands for ftp.gnu.org:20, the FTP control connection; ftp.gnu.org.ftp-data stands for ftp.gnu.org:21, the FTP data connection. FTP needs two connections at the same time. In Active mode the client tells the server an available port over the control connection, and the server then initiates the data connection to that port.


My only guess is that NAT is behind this, and that in this process only the address was translated (the port was not involved).

It does seem to be NAT, which is a bit baffling: NAT actually goes out of its way to parse the payload of FTP (a protocol hardly anyone uses anymore), look for the PORT command and process it, just to support Active mode.

When traversing SNAT, SNAT rewrites the active ip address field and the active port field to the translated IP and port.

https://blog.csdn.net/ever_peng/article/details/89022796#3.3、FTP主动模式穿越SNAT原理

Some routers and firewalls pretend to be smart. They analyze connections and, if they think they detect FTP, they silently change the data exchanged between client and server

Network Configuration - FileZilla Wiki

I looked at the router again: after dialing up, China Telecom assigned it the private address 100.77.174.23, which, like 127.0.0.1, cannot be reached from the outside. So visiting http://<my public IP>:55555/ only gets as far as China Telecom and never reaches the Telecom modem sitting in my home.
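To make the mechanics in this thread concrete, here is an added example (not code from any of the posters) that decodes the PORT argument from the capture above (192,168,2,101,230,23 is 192.168.2.101 port 230*256+23 = 58903), correlates it with the server's SYN, and models what an FTP ALG on a SNAT box does to a PORT command that advertises an RFC 1918 or CGNAT (100.64.0.0/10) address. The two capture lines are shortened from the tcpdump output in the thread; the outside port 40000 used for the ALG mapping is a constructed value.

```python
import ipaddress
import re

# Two lines shortened from the tcpdump capture in this thread: the client's
# PORT command on the control connection and the server's SYN to the advertised port.
CAPTURE = [
    "14:59:31.587645 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], length 27: FTP: PORT 192,168,2,101,230,23",
    "14:59:32.149900 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [S], seq 1241450827, length 0",
]
PORT_RE = re.compile(r"PORT (\d+(?:,\d+){5})")
SYN_RE = re.compile(r"IP (\S+)\.ftp-data > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (ISP-side NAT)


def parse_port_command(arg):
    """Decode a PORT argument h1,h2,h3,h4,p1,p2 (RFC 959) into (host, port)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def format_port_command(host, port):
    """Inverse of parse_port_command: build the PORT line a client would send."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def unreachable_from_internet(host):
    """True for RFC 1918 and CGNAT addresses: a PORT command carrying one of
    these can only work if a NAT device on the path rewrites it."""
    ip = ipaddress.ip_address(host)
    return ip.is_private or ip in CGNAT


def alg_rewrite(port_arg, outside_ip, outside_port):
    """Model of an FTP ALG on a SNAT box: allocate a mapping from its outside
    address/port to the client's advertised inside address/port, then rewrite
    the PORT argument so the server connects to the outside side instead."""
    inside = parse_port_command(port_arg)
    if not unreachable_from_internet(inside[0]):
        return "PORT " + port_arg, None  # globally reachable address: nothing to fix up
    return format_port_command(outside_ip, outside_port), ((outside_ip, outside_port), inside)


def data_syn_matches_port(lines):
    """Correlate the PORT command with the server's later SYN; return the
    advertised (host, port) if the SYN hits exactly that endpoint, else None."""
    advertised = None
    for line in lines:
        m = PORT_RE.search(line)
        if m:
            advertised = parse_port_command(m.group(1))
            continue
        m = SYN_RE.search(line)
        if m and advertised == (m.group(2), int(m.group(3))):
            return advertised
    return None
```

Run against the capture, data_syn_matches_port confirms the server's SYN lands on exactly the host:port the client advertised, which is only possible because a NAT helper rewrote the private address on the way out.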