ProFTPD: FXP (Site-to-Site Transfers)


FXP
What is FXP? FXP is part of the name of a popular Windows FTP client:

  http://www.flashfxp.com
This client has made the name "FXP" a common synonym for site-to-site FTP transfers: transferring a file between two remote FTP servers without the data passing through the client's host. "FXP" is sometimes referred to as a protocol; it is not. Site-to-site transfer is a capability deliberately designed into FTP itself, a consequence of the separation between the control connection and the data connection in RFC 959.

Site-to-Site Transfers
In a site-to-site transfer, the client logs in to two servers (server A and server B) and keeps both control connections open. It then arranges a file transfer by telling one server (server A) that the transfer will be passive, and the other (server B) that it will be active. For the passive side, server A returns an address/port (in its response to the PASV command) to which a peer is to connect. Instead of connecting there itself, the client passes that address/port in a PORT command to server B, so that server B will make the data connection to server A. Finally, the client sends STOR to the server that is to receive the file and RETR to the server that is to send it, which starts the transfer. The file's data never passes through the client machine at all; only the control-channel commands and replies do.

Any firewalls protecting either (or both) of the servers involved may need to allow active and passive FTP data transfers, depending on which server is told to be active and which is told to be passive: the passive server must accept an inbound data connection from the other server's address, and the active server must be able to make an outbound data connection to it.

Example Site-to-Site Transfer
In the example below, the numbered lines (200, 227, 150, 226, ...) are the servers' responses to the preceding FTP commands. The original page distinguished the two servers by colour; here each line is instead prefixed with [A] for the control connection to server A, [B] for the control connection to server B, and [client] for informational messages displayed by the FXP client itself. The two "226 Transfer complete." replies arrive one on each control connection; which one the client sees first depends on timing.

  [A]      TYPE I
  [A]      200 Type set to I.
  [B]      TYPE I
  [B]      200 Type set to I.
  [A]      PASV
  [A]      227 Entering Passive Mode (1,2,3,4,130,161).
  [B]      PORT 1,2,3,4,130,161
  [B]      200 PORT command successful
  [A]      STOR file.mp3
  [A]      150 Opening BINARY mode data connection for file.mp3
  [B]      RETR file.mp3
  [B]      150 Opening BINARY mode data connection for file.mp3 (15000000 bytes)
  [A/B]    226 Transfer complete.
  [A/B]    226 Transfer complete.
  [client] Transferred: file.mp3 14.31 MB in 2.38 (6,147.06 KBps)
  [B]      TYPE A
  [B]      200 Type set to A.
  [B]      PASV
  [B]      227 Entering Passive Mode (5,6,7,8,168,183).
  [B]      LIST
  [B]      150 Opening ASCII mode data connection for file list
  [B]      226 Transfer complete.
  [A]      TYPE A
  [A]      200 Type set to A.
  [A]      PASV
  [A]      227 Entering Passive Mode (1,2,3,4,130,162).
  [A]      LIST
  [A]      150 Opening ASCII mode data connection for file list
  [A]      226 Transfer complete.
  [client] Transfer queue completed
  [client] Transferred 1 file totaling 14.31 MB in 3.42 (6,147.06 KBps)
The client instructs server A to expect a passive data transfer, and server B to initiate an active data transfer. The address and port returned in server A's response to the PASV command (1,2,3,4 and port 130*256+161 = 33441) are passed unchanged to server B as the arguments of the PORT command. The transfer is then started by telling server A to expect a file to be uploaded (STOR) and server B to send the file (RETR). The PASV/LIST sequences that follow are the client fetching a directory listing from each server (these listings do go to the client, which is why it uses PASV for them) to confirm that the file was transferred successfully.

This example also illustrates that site-to-site transfers use both active and passive data transfers. For sites that operate behind firewalls and NAT, the passive side needs extra configuration to operate properly: the address in the 227 reply must be the publicly reachable one (the MasqueradeAddress directive), and the port range must be one the firewall forwards (the PassivePorts directive). If the passive server returns a private address, the other server connects to the wrong host and the transfer simply hangs until a timeout.
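The procedure described above, driven from a client's point of view with Python's standard ftplib, as an added example; it is not ProFTPD code, nor any real FXP client's. It assumes two already-authenticated ftplib.FTP objects, takes the 227 reply format from the exchange above, and adds the one check a practitioner wants before handing the PASV address to the other server: that it is the address the client itself reached server A on, since a private address from a NATed server would make server B connect to the wrong host. The hostnames and credentials in the usage sketch are placeholders.

```python
"""Site-to-site (FXP) transfer orchestration with ftplib (added illustration)."""
import re
from ftplib import FTP

# 227 reply format as in the example exchange: "(h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; reject anything malformed.
    The port is p1*256 + p2, which is what the FXP client recomputes
    when it builds the PORT command for the other server."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no address/port in 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def port_command(host, port):
    """Build the PORT command that hands server A's passive address to server B."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def pasv_address_usable(pasv_host, control_peer):
    """A passive server behind NAT without MasqueradeAddress answers with its
    private address, and server B would then connect to the wrong host. The
    only address known to be reachable is the one the control connection
    already uses, so require the two to match."""
    return pasv_host == control_peer


def fxp_transfer(src, dst, src_path, dst_path):
    """Copy src_path from server B (src, active side) to dst_path on
    server A (dst, passive side). Both are logged-in ftplib.FTP objects.
    Returns the two 226 replies (from A, then B) on success."""
    src.voidcmd("TYPE I")          # binary mode on both ends, as in the example
    dst.voidcmd("TYPE I")
    host, port = parse_pasv(dst.sendcmd("PASV"))
    if not pasv_address_usable(host, dst.sock.getpeername()[0]):
        raise RuntimeError("server A offered %s for PASV, which is not the "
                           "address this client reached it on" % host)
    # With AllowForeignAddress off (ProFTPD's default) server B refuses this
    # PORT, because the address is not that of B's own control-connection peer.
    src.voidcmd(port_command(host, port))
    # Open the transfer on the listening (passive) side first, then have the
    # active side connect and send; sendcmd() returns the 150 replies.
    dst.sendcmd("STOR " + dst_path)
    src.sendcmd("RETR " + src_path)
    # Each control connection delivers its own 226 when the data connection
    # closes; voidresp() raises on anything that is not a 2xx reply.
    done_a = dst.voidresp()
    done_b = src.voidresp()
    return done_a, done_b


def sizes_match(src, dst, src_path, dst_path):
    """Post-transfer check standing in for the LIST round-trips in the
    example: compare SIZE on both servers (TYPE I is still in effect)."""
    return src.size(src_path) == dst.size(dst_path)


if __name__ == "__main__":
    # Placeholder hosts and credentials; server A receives, server B sends.
    a = FTP("ftp-a.example.net"); a.login("user", "secret")
    b = FTP("ftp-b.example.net"); b.login("user", "secret")
    print(fxp_transfer(b, a, "file.mp3", "file.mp3"))
    print("sizes match:", sizes_match(b, a, "file.mp3", "file.mp3"))
    a.quit(); b.quit()
```

Note that the ordering is the one in the exchange above (STOR on the passive server before RETR on the active one): the passive server sends its 150 as soon as it is ready to accept, so the connect from server B cannot arrive before A is listening. Swapping which server is passive only changes which one gets PASV and which gets PORT; the STOR/RETR pair still follows the direction of the copy.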

"FTP Bounce" Attacks and AllowForeignAddress
So, what does this mean for ProFTPD? By default, ProFTPD does not allow site-to-site transfers, because a server that accepts a data-connection address other than the client's own also allows a type of attack known as the "FTP bounce" attack, in which the server is used as a relay to connect to (and deliver data to) third-party hosts and ports of the attacker's choosing:

  http://www.cert.org/advisories/CA-1997-27.html
The protection against this attack is to require that, from the server's point of view, the remote address of the control connection matches the remote address of the data connection: the address a client names in a PORT command, and the address that connects to a port the server opened in response to PASV. If the addresses do not match, the data connection is treated as coming from a foreign client and is rejected.

However, some site administrators do want to allow their servers to support site-to-site transfers. ProFTPD must be explicitly configured to allow these by using the AllowForeignAddress configuration directive.

Note that even with AllowForeignAddress enabled, you may still encounter trouble with site-to-site transfers involving your server. Such problems usually arise from firewall configurations on either server (the passive side must accept a data connection from the other server's address, not the client's), from NAT without a correct MasqueradeAddress, or from upstream ISPs filtering the FTP ports.
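An added configuration example, not taken from the ProFTPD documentation, showing the default (bounce-protected) setting beside a virtual host that deliberately permits site-to-site transfers and also sets the NAT-related directives mentioned above. The address and port range are placeholders; the syntax is ProFTPD's Apache-style proftpd.conf.

```apache
# Server-wide default: a PORT address or a PASV peer that differs from the
# client's control-connection address is refused (FTP bounce protection).
AllowForeignAddress off

# A host that is meant to take part in site-to-site transfers.
<VirtualHost 203.0.113.10>
    ServerName "fxp-enabled host"

    # Accept data-connection addresses other than the client's own.
    AllowForeignAddress on

    # Behind NAT: advertise the public address in 227 replies, not the
    # private one the daemon is bound to, so the other server can reach it.
    MasqueradeAddress 203.0.113.10

    # Keep passive data ports in a range the firewall forwards to this host.
    PassivePorts 49152 50000
</VirtualHost>
```

Enable AllowForeignAddress only on the hosts that need it, and keep the server-wide default at off; once it is on, the server will make data connections to any address a logged-in client names, so pair it with firewall rules that restrict where the data connections may go.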