这是我的设置,
- 1 个 Windows 2008 R2 标准盒/安装 G6 FTP 服务器
- G6 配置为仅使用显式 SSL 连接 (TCP:990)
- 1 WatchGaurd Firebox 防火墙(服务器和内部网络之间)
因此,当我连接到 LAN 时,我可以毫无问题地连接并列出 FTPS 服务器上的目录(实际上,RDP 进入 Win 2k8 框,你明白了),但是当我尝试远程连接到 FTPS 站点时,我似乎无法列出我在服务器上配置的用户的主目录
13/05/29 20:00:48, 39, 98.208.xx.xx, , new connection from 98.208.xx.xx on 10.1.2.252:990 (Explicit SSL only)
13/05/29 20:00:48, 39, 98.208.xx.xx, , hostname resolved : c-98-208-xx-xx.hsd1.ca.comcast.net
13/05/29 20:00:48, 39, 98.208.xx.xx, , sending welcome message.
13/05/29 20:00:48, 39, 98.208.xx.xx, , 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
13/05/29 20:00:48, 39, 98.208.xx.xx, , AUTH TLS
13/05/29 20:00:48, 39, 98.208.xx.xx, , 234 AUTH command ok; starting SSL connection.
13/05/29 20:00:48, 39, 98.208.xx.xx, , establishing encrypted session
13/05/29 20:00:48, 39, 98.208.xx.xx, , USER username
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 331 Password required for username.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PASS ****
13/05/29 20:00:48, 39, 98.208.xx.xx, username, logged in as "username".
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 230 User username logged in.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, SYST
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 215 UNIX Type: L8
13/05/29 20:00:48, 39, 98.208.xx.xx, username, FEAT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 211-Extensions supported:
13/05/29 20:00:48, 39, 98.208.xx.xx, username, AUTH TLS
13/05/29 20:00:48, 39, 98.208.xx.xx, username, CCC
13/05/29 20:00:48, 39, 98.208.xx.xx, username, CLNT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, CPSV
13/05/29 20:00:48, 39, 98.208.xx.xx, username, EPRT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, EPSV
13/05/29 20:00:48, 39, 98.208.xx.xx, username, MDTM
13/05/29 20:00:48, 39, 98.208.xx.xx, username, MFCT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, MFMT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, MLST type*;size*;create;modify*;
13/05/29 20:00:48, 39, 98.208.xx.xx, username, MODE Z
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PASV
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PBSZ
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PROT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, REST STREAM
13/05/29 20:00:48, 39, 98.208.xx.xx, username, SIZE
13/05/29 20:00:48, 39, 98.208.xx.xx, username, SSCN
13/05/29 20:00:48, 39, 98.208.xx.xx, username, TVFS
13/05/29 20:00:48, 39, 98.208.xx.xx, username, UTF8
13/05/29 20:00:48, 39, 98.208.xx.xx, username, XCRC "filename" SP EP
13/05/29 20:00:48, 39, 98.208.xx.xx, username, XMD5 "filename" SP EP
13/05/29 20:00:48, 39, 98.208.xx.xx, username, XSHA1 "filename" SP EP
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 211 End.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, CLNT FileZilla
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 Noted.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, OPTS UTF8 ON
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 UTF8 OPTS ON
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PBSZ 0
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 PBSZ=0
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PROT P
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 PROT command successful.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PWD
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 257 "/" is current directory.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, TYPE I
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 Type set to I.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PORT 98,208,65,76,34,82
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 Port command successful.
13/05/29 20:00:49, 39, 98.208.xx.xx, username, MLSD
13/05/29 20:01:01, 38, 98.208.xx.xx, username, 425 Cannot open data connection.
13/05/29 20:01:01, 38, 98.208.xx.xx, username, disconnected. (00d00:00:22)
13/05/29 20:01:10, 39, 98.208.xx.xx, username, 425 Cannot open data connection.
13/05/29 20:01:10, 39, 98.208.xx.xx, username, disconnected. (00d00:00:22)
现在,我很清楚 FTP 需要打开数据(TCP/20)和会话(TCP/21)端口,但考虑到我没有使用端口 21 - 考虑到我使用的是 SSL(FTPS)上的端口 990,我该如何确定我正在使用哪个数据端口?
我已经在面向 Internet 的防火墙和 Windows Server 防火墙上打开了端口 20、端口 21 和端口 990 进行测试,但通过 Internet 连接时仍然无法获取目录列表。我尝试在 Filezilla 中使用 ACTV 和 PASV 方法进行连接,但仍然没有成功。我记得以前这种问题通常是由于主动和被动连接造成的,但我记不清细节了。如果这全是由于主动或被动造成的,那么为什么我从网络的 LAN 端连接时能够获取目录列表?
与此用户共享的文件夹的权限已授予所有人完全权限,只是为了消除这个问题,即为什么我可以获得目录列表。
所以我的问题是 - 这到底是怎么回事?为什么我无法通过 WAN 建立数据连接,但可以通过 LAN 建立数据连接?这是否是由于显式 SSL 造成的?主动/被动问题?
以下是成功的本地 FTPS 会话的日志输出
13/05/29 20:16:32, 40, 10.1.2.252, , new connection from 10.1.2.252 on 10.1.2.252:990 (Explicit SSL only)
13/05/29 20:16:32, 40, 10.1.2.252, , hostname resolved : IMSSERVER.alpine.local
13/05/29 20:16:32, 40, 10.1.2.252, , sending welcome message.
13/05/29 20:16:32, 40, 10.1.2.252, , 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
13/05/29 20:16:32, 40, 10.1.2.252, , AUTH TLS
13/05/29 20:16:32, 40, 10.1.2.252, , 234 AUTH command ok; starting SSL connection.
13/05/29 20:16:32, 40, 10.1.2.252, , establishing encrypted session
13/05/29 20:16:32, 40, 10.1.2.252, , USER username
13/05/29 20:16:32, 40, 10.1.2.252, username, 331 Password required for username.
13/05/29 20:16:32, 40, 10.1.2.252, username, PASS ****
13/05/29 20:16:32, 40, 10.1.2.252, username, logged in as "username".
13/05/29 20:16:32, 40, 10.1.2.252, username, 230 User username logged in.
13/05/29 20:16:32, 40, 10.1.2.252, username, CLNT FileZilla
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 Noted.
13/05/29 20:16:32, 40, 10.1.2.252, username, OPTS UTF8 ON
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 UTF8 OPTS ON
13/05/29 20:16:32, 40, 10.1.2.252, username, PBSZ 0
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 PBSZ=0
13/05/29 20:16:32, 40, 10.1.2.252, username, PROT P
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 PROT command successful.
13/05/29 20:16:32, 40, 10.1.2.252, username, PWD
13/05/29 20:16:32, 40, 10.1.2.252, username, 257 "/" is current directory.
13/05/29 20:16:32, 40, 10.1.2.252, username, TYPE I
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 Type set to I.
13/05/29 20:16:32, 40, 10.1.2.252, username, PORT 10,1,2,252,220,229
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 Port command successful.
13/05/29 20:16:32, 40, 10.1.2.252, username, MLSD
13/05/29 20:16:32, 40, 10.1.2.252, username, 150 Opening data connection for directory list.
13/05/29 20:16:32, 40, 10.1.2.252, username, establishing encrypted session
13/05/29 20:16:32, 40, 10.1.2.252, username, 226 Transfer ok.
答案1
我非常确定你的思路是对的,这是一个主动/被动问题。
当通过 NAT 路由器或防火墙时,您几乎总是需要使用被动方式。
被动 FTP 和 NAT/防火墙的技巧是,您需要指定 FTP 服务器可以使用的被动端口范围,然后将该端口范围通过防火墙转发到 FTP 服务器。
将 FTP 服务器设置为使用被动连接,并指定一组约 1000 个 TCP 端口。我们使用 50000-51000。
此外,FTP 服务器将/应该在其被动设置中有一个地方来指定外部 IP 地址(不确定 G6,但 FileZilla 也为动态 IP 提供 IP 解析器服务),这也需要提供。
您需要为 FTPS 打开端口 990,保留端口 21 仍然有用,因为它可用于 TLS 上的显式 FTP。端口 20 应该不需要。