allow-outgoing-proxy-data-connections NcFTPd file configuration
Don't forget to restart NcFTPd after modifying the file.

The FTP protocol uses separate connections for data transfers and control information. (You may want to read our article entitled An Overview of the File Transfer Protocol now for more information about the concepts mentioned here.) Because of this separation, it is possible to initiate an FTP login session from one host, but specify that the file to be downloaded or uploaded (or directory to be listed) be sent to a different host. When this is the case, we call the data transfer a proxy data connection.

However, the proxy features of the FTP protocol are no longer in widespread use, and since they carry security implications, it is desirable not to enable proxy functionality. For example, a malicious FTP user could use the proxy feature to make the FTP server connect to other server machines rather than to the legitimate FTP client program, and avoid detection, since the rogue connection would appear to originate from the FTP server machine.

The FTP protocol has two types of data connections: passive (denoted by the FTP protocol command PASV; often called "passive mode") and active (denoted by PORT). For passive data connections, the client connects into the server at a port number of the server's choosing (and is thus an incoming data connection from the server's perspective). For active data connections, the server connects out to the client at an IP address and port of the client's choosing (and is thus an outgoing data connection).

This option controls whether outgoing data connections (PORT) are allowed to be proxied. There is another option to configure the behavior of incoming data connections.
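To make the distinction concrete, here is an added example (my own code, not NcFTPd's) of the server-side policy this option describes: parse the argument of a PORT command, compare the requested host with the peer address of the control connection, and refuse the outgoing data connection when they differ unless proxying has been allowed. The function and field names are assumptions; the sample PORT arguments are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PortDecision:
    target_ip: str
    target_port: int
    is_proxy: bool      # True when the host differs from the control connection's peer
    accepted: bool
    reason: str


def parse_port_argument(arg: str) -> tuple[str, int]:
    """Parse the PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port).

    Raises ValueError on malformed input so the caller can answer 501.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in the range 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]      # p1 is the high byte, p2 the low byte
    if port == 0:
        raise ValueError("PORT port number must be non-zero")
    return ip, port


def evaluate_port(arg: str, control_peer_ip: str,
                  allow_outgoing_proxy: bool = False) -> PortDecision:
    """Decide whether the server may open the outgoing (active) data connection.

    With allow_outgoing_proxy=False (the safe setting), a PORT whose host is
    not the control connection's peer is a proxy data connection and is refused.
    """
    ip, port = parse_port_argument(arg)
    is_proxy = ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip)
    if is_proxy and not allow_outgoing_proxy:
        return PortDecision(ip, port, True, False, "outgoing proxy data connection refused")
    return PortDecision(ip, port, is_proxy, True, "ok")


if __name__ == "__main__":
    # Constructed sample: a client at 192.0.2.10 sends one normal PORT and one proxy PORT.
    for sample in ("192,0,2,10,4,1", "198,51,100,7,0,80"):
        print(sample, "->", evaluate_port(sample, "192.0.2.10"))
```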

There are several reasons why you should disable outgoing proxy data connections: allowing them lets a malicious user send a data connection (the contents of a file on the server, the contents of a file uploaded by the user, or a directory listing) out to any IP address and port number. Some examples of potential misbehavior are:



See Also:
