allow-incoming-proxy-data-connections NcFTPd file configuration
Don't forget to restart NcFTPd after modifying the file.

The FTP protocol uses separate connections for data transfers and control information. (You may want to read our article entitled An Overview of the File Transfer Protocol now for more information about the concepts mentioned here.) Because of this separation, it is possible to initiate an FTP login session from one host, but specify that the file to be downloaded or uploaded (or directory to be listed) be sent to a different host. When this is the case, we call the data transfer a proxy data connection.

However, the proxy features of the FTP protocol are no longer in widespread use, and since there are some security implications, it is desirable not to enable proxy functionality. For example, a malicious FTP user could use the proxy feature to cause the FTP server to connect to other server machines rather than a valid FTP client program, and avoid detection since it would appear that the rogue connection was originating from the FTP server machine.

The FTP protocol has two types of data connections: passive (denoted by the FTP protocol command PASV; often called "passive mode") and active (denoted by PORT). For passive data connections, the client connects into the server at a port number of the server's choosing (and is thus an incoming data connection from the server's perspective). For active data connections, the server connects out to the client at an IP address and port of the client's choosing (and is thus an outgoing data connection).

This option controls whether incoming data connections (PASV) are allowed to be proxied. There is another option to configure the behavior of outgoing data connections.

One reason why you should disable incoming proxy data connections is to prevent a malicious user from stealing a data connection. For example, let's say a user is about to download a sensitive file, and issues a PASV command to the server, and that a malicious user was monitoring the FTP session. The server would now respond with the address on the server for the client to connect to, but the malicious user could potentially connect to that address before the valid user can. If the server is configured to allow incoming proxy data connections, the malicious user would be able to download the file, but if incoming proxy data connections are not allowed, the malicious user would be denied.



See Also:

Previous: allow-incoming-ports-below-1024 NcFTPd Home Next: allow-mls