Number of VSFTP Connections in Passive Mode
When working in passive mode, if we set pasv_max_port to 10100 and pasv_min_port to 10090, does it mean the VSFTP server can only service 10 clients concurrently?
Can we set the same port number for both pasv_max_port and pasv_min_port? If that is possible, how many clients can the VSFTP server handle at the same time? Only one?
Solution 1:
To simplify, I would say yes, and that is how you should consider it (in my opinion).
Limiting the port range will limit simultaneous client connections according to the number of ports you have between min and max. This way you will avoid weird behaviours.
But in fact that is not true and has to be moderated :-)
Going deeper and to be more precise: limiting ports affects concurrent use of the data channel.
Note that a new connection request needs an available data channel.
I am not aware of all the FTP commands that use the data channel, but basically the upload (STOR), download (RETR) and list (LIST) commands need the data channel.
To illustrate this I've just made a test in the lab (that you can reproduce) with my vsftpd server and these settings:
pasv_max_port=10100
pasv_min_port=10100
1. First test:
- I connect with Client1: ok
- I connect with Client2 while Client1 is still connected: ok
- I connect with Client3 while Client1 and Client2 are still connected: ok
Why?
- Client2 was able to connect because Client1 was doing nothing (idle) and was not using the data channel, so the server assigned the port to Client2.
- Client3 was able to connect because Client1 and Client2 were idle and not using the data channel, so the server assigned the port to Client3.
2. Second test:
- I connect with Client1 and start uploading a file: ok, file upload in progress
- I connect with Client2 while Client1's upload is still running: ERROR, cannot connect
- I wait for Client1's upload to finish
- Once Client1's upload had finished, I was able to connect with Client2.
Why?
- Because Client1 was using the data channel for its upload, Client2 was not able to connect: there was no available port left on the server side to serve it.
- Once Client1's upload had finished, the server freed up the data channel port and Client2 was able to use it to connect.
3. Third test:
- I connect with Client1: ok
- I connect with Client2 while Client1 is still connected: ok
- I start an upload to the FTP server from Client1: ok, upload in progress
- I start an upload to the FTP server from Client2 while Client1's upload is still running: ERROR, connection closed by server. Transfer failed.
Why?
A mix of test 1 and test 2:
- Client2 was able to connect because Client1 was doing nothing (idle) and was not using the data channel, so the server assigned the port to Client2.
- Client1 is able to upload a file because Client2 is idle, so the server assigned the port to Client1 for its upload.
- Client2 is not able to upload a file because the data transfer port is already in use by Client1 for its upload.
Now you can understand why I was talking about "weird" behaviours at the beginning.
Hope it helps!
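The mechanism behind the three tests above, as an added example that is not part of the original answer or of vsftpd itself: a passive-mode server takes one listening socket per transfer from [pasv_min_port, pasv_max_port] and gives it back when the transfer ends, while the control connection (login, idle session) never takes a port from that range. The script below models exactly that with real sockets on 127.0.0.1, replays the three tests with a one-port range, and then shows that an N-port range allows exactly N concurrent data channels. The port numbers are chosen dynamically so it runs anywhere; the names `Session`, `open_passive_listener` and `replay_tests` are this example's own, and the assumption that a client which "cannot connect" in test 2 is one whose login issues a LIST (and therefore needs a data port) is mine, not stated in the answer.

```python
"""Model of vsftpd passive-mode data-port allocation (added example,
not vsftpd code): one listening socket per transfer, drawn from the
configured passive range; the control connection needs none."""
import errno
import socket


def open_passive_listener(min_port, max_port, host="127.0.0.1"):
    """Bind the first free port in [min_port, max_port] and listen on it.
    Returns None when every port is taken, i.e. when as many transfers
    are in flight as the range has ports."""
    for port in range(min_port, max_port + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s
        except OSError as exc:
            s.close()
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                continue  # port busy; try the next one in the range
            raise
    return None


class Session:
    """One FTP control connection; holds a data listener only while a
    STOR/RETR/LIST is in progress."""

    def __init__(self, min_port, max_port):
        self.range = (min_port, max_port)
        self.data = None

    def login(self):
        return True  # control channel only: no passive port consumed

    def begin_transfer(self):
        """PASV before STOR/RETR/LIST: True if a data port was available."""
        if self.data is not None:
            raise RuntimeError("transfer already in progress")
        self.data = open_passive_listener(*self.range)
        return self.data is not None

    def end_transfer(self):
        if self.data is not None:
            self.data.close()  # the port returns to the pool
            self.data = None


def find_free_range(width, attempts=200):
    """Demo helper (assumption: a real server reads the range from
    vsftpd.conf): find `width` consecutive bindable ports on 127.0.0.1."""
    for _ in range(attempts):
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.bind(("127.0.0.1", 0))
        start = probe.getsockname()[1]
        probe.close()
        if start + width - 1 > 65535:
            continue
        held = [open_passive_listener(p, p) for p in range(start, start + width)]
        for s in held:
            if s is not None:
                s.close()
        if all(held):
            return start, start + width - 1
    raise RuntimeError("no free port range found")


def replay_tests(min_port, max_port):
    """Reproduce the answer's three tests with pasv_min_port == pasv_max_port."""
    results = {}
    c1, c2, c3 = (Session(min_port, max_port) for _ in range(3))
    # Test 1: idle sessions never consume a passive port.
    results["idle_logins"] = (c1.login(), c2.login(), c3.login())
    # Test 2: a login that issues LIST needs a data port and is refused
    # while another client's upload holds the only one.
    c1.begin_transfer()
    results["login_with_list_during_upload"] = c2.begin_transfer()
    c1.end_transfer()
    results["login_with_list_after_upload"] = c2.begin_transfer()
    c2.end_transfer()
    # Test 3: two idle sessions, then two uploads at the same time.
    results["first_upload"] = c1.begin_transfer()
    results["second_concurrent_upload"] = c3.begin_transfer()
    c1.end_transfer()
    return results


def concurrent_transfers(min_port, max_port):
    """Open data listeners until the range is exhausted; the count is the
    number of ports in the range, not the number of logged-in clients."""
    sessions = []
    while True:
        s = Session(min_port, max_port)
        if not s.begin_transfer():
            break
        sessions.append(s)
    for s in sessions:
        s.end_transfer()
    return len(sessions)


if __name__ == "__main__":
    lo, hi = find_free_range(1)
    print(replay_tests(lo, hi))
    lo, hi = find_free_range(3)
    print("concurrent transfers with a 3-port range:", concurrent_transfers(lo, hi))
```

The practical reading: pasv_min_port/pasv_max_port bound concurrent data transfers (and any client whose login triggers a directory listing), not logged-in sessions; use max_clients and max_per_ip in vsftpd.conf when the goal is to cap sessions, and size the passive range for the number of simultaneous transfers you expect.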