allow-outgoing-proxy-data-connection-ports-below-1024
NcFTPd general.cf file configuration. Don't forget to restart NcFTPd after modifying the general.cf file.
This wordy option controls whether the server will open a data connection to a port number below 1024 when the requested data address is different from the control connection's remote address.
Remember, the FTP protocol uses one TCP/IP connection for the control channel (the FTP conversation) and additional connections to actually transfer data. Under normal circumstances the remote end of a data connection is the same as the remote end of the control connection, since a user almost always wants the data sent to the machine the user is running from. The protocol was originally designed to permit proxy FTP, where a user at one address has the data sent to some other location, but these days practically no legitimate client does that; the feature is used mostly by attackers.

Attackers use proxy FTP to cover their tracks, and, more dangerously, to trick the FTP server machine into talking to some other machine. The latter is known as an "FTP bounce" attack: the attacker sends a PORT command naming the victim's address and port, the FTP server obediently opens the data connection to the victim, and the victim sees the FTP server, not the attacker, as the source (for example of a port scan). The attack is usually aimed at some other machine's telnet or rlogin server, and those port numbers are below 1024, which explains this option. Setting this option to no blocks most forms of the attack, though not bounces to foreign addresses on ports 1024 and above.
An easy way to allow legitimate uses of proxy FTP is to set this option to no and allow-proxy-connections to yes. This permits proxy connections, but only when the remote port number does not look like the port of a system service, that is, when it is 1024 or higher.
Examples:
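The following is an added example, not code from NcFTPd itself: it implements the admission check that the two options above describe, applied to the argument of a client's PORT command. The function parameters are named after the general.cf options (allow-proxy-connections and this option) and default to the recommended combination, proxy FTP on but never to a foreign address on a port below 1024; the peer address and PORT arguments are constructed sample input.

```python
# Added example (not NcFTPd's own code): the data-connection admission check
# described by allow-proxy-connections and
# allow-outgoing-proxy-data-connection-ports-below-1024, applied to the
# argument of an FTP PORT command.  All addresses below are constructed.

def parse_port_argument(arg: str) -> tuple[str, int]:
    """Parse the h1,h2,h3,h4,p1,p2 argument of a PORT command (RFC 959).

    Returns (dotted_quad, port).  Raises ValueError on malformed input so the
    caller can answer with a 501 instead of guessing.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have exactly six fields")
    values = []
    for f in fields:
        if not f.isdigit():
            raise ValueError(f"non-numeric PORT field: {f!r}")
        n = int(f)
        if n > 255:
            raise ValueError(f"PORT field out of range: {n}")
        values.append(n)
    host = ".".join(str(n) for n in values[:4])
    port = values[4] * 256 + values[5]
    if port == 0:  # extra sanity check, not one of the two options
        raise ValueError("port 0 is not a usable data port")
    return host, port


def data_connection_allowed(
    control_peer: str,
    port_arg: str,
    allow_proxy_connections: bool = True,
    allow_outgoing_proxy_data_connection_ports_below_1024: bool = False,
) -> tuple[bool, str]:
    """Decide whether to honour a PORT request.

    control_peer is the remote IP of the control connection.  The defaults
    are the combination recommended above: proxy FTP allowed, but never to
    a foreign address on a port below 1024.  Returns (allowed, reason).
    """
    host, port = parse_port_argument(port_arg)

    # Normal case: data goes back to the host the client is on.  Neither
    # option applies here; a low port on the client's own machine is
    # the client's business.
    if host == control_peer:
        return True, f"data connection to control peer {host}:{port}"

    # Foreign address: this is proxy FTP, or an attempted bounce.
    if not allow_proxy_connections:
        return False, f"proxy FTP disabled; refusing {host}:{port}"

    # Foreign address on a system-service port (telnet 23, rlogin 513, ...)
    # is the classic FTP bounce.  Refuse unless explicitly allowed.
    if port < 1024 and not allow_outgoing_proxy_data_connection_ports_below_1024:
        return False, f"FTP bounce suspected: {host}:{port} is below 1024"

    return True, f"proxy data connection to {host}:{port}"


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed: remote end of the control connection
    for arg in ("192,0,2,10,4,1",     # same host, port 1025: normal transfer
                "203,0,113,5,0,23",   # foreign host, telnet: bounce, refused
                "203,0,113,5,4,1"):   # foreign host, port 1025: proxy, allowed
        print(arg, "->", data_connection_allowed(peer, arg))
```

Note that the low-port rule only fires when the address differs from the control peer, exactly as the option is defined; a client asking for a low port on its own address is not what this option is about.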
See Also: