FXP
What is FXP? FXP is part of the name of a popular Windows FTP client:
http://www.flashfxp.com
This client has made the name "FXP" a commonly used synonym for site-to-site FTP transfers, that is, transferring a file between two remote FTP servers without the data passing through the client's host. Sometimes "FXP" is referred to as a protocol; in fact, it is not. The site-to-site transfer capability was deliberately designed into FTP.
Site-to-Site Transfers
In a site-to-site transfer, the client logs in to two servers (server A and
server B). It then arranges for a file transfer, telling one server (server A)
that it will be a passive transfer, and the other server (server B) that it
will be an active transfer. For a passive transfer, server A will return an
address/port (in its response to the PASV command) to which the client is to
connect. The client then passes that address/port in a PORT command to
server B. Then, the client sends a RETR to one of the servers and a STOR to
the other, thus starting the transfer. The data does not pass to the client
machine at all.
Any firewalls protecting either (or both) of the servers involved may need to allow active and passive FTP data transfers, depending on which server is told to be active and which is told to be passive.
Example Site-to-Site Transfer
In the session below, each line is prefixed with the server it involves:
[A] for commands sent to server A and server A's responses, [B] for server
B, and [client] for informational messages displayed by the FXP client.
Each server response follows the command it answers.

    [A] TYPE I
    [A] 200 Type set to I.
    [B] TYPE I
    [B] 200 Type set to I.
    [A] PASV
    [A] 227 Entering Passive Mode (1,2,3,4,130,161).
    [B] PORT 1,2,3,4,130,161
    [B] 200 PORT command successful
    [A] STOR file.mp3
    [A] 150 Opening BINARY mode data connection for file.mp3
    [B] RETR file.mp3
    [B] 150 Opening BINARY mode data connection for file.mp3 (15000000 bytes)
    [A] 226 Transfer complete.
    [B] 226 Transfer complete.
    [client] Transferred: file.mp3 14.31 MB in 2.38 (6,147.06 KBps)
    [B] TYPE A
    [B] 200 Type set to A.
    [B] PASV
    [B] 227 Entering Passive Mode (5,6,7,8,168,183).
    [B] LIST
    [B] 150 Opening ASCII mode data connection for file list
    [B] 226 Transfer complete.
    [A] TYPE A
    [A] 200 Type set to A.
    [A] PASV
    [A] 227 Entering Passive Mode (1,2,3,4,130,162).
    [A] LIST
    [A] 150 Opening ASCII mode data connection for file list
    [A] 226 Transfer complete.
    [client] Transfer queue completed
    [client] Transferred 1 file totaling 14.31 MB in 3.42 (6,147.06 KBps)

The client instructs server A to expect a passive data transfer, and server B
to initiate an active data transfer. The address and port returned in server
A's response to the PASV command are passed to server B as the arguments of
the PORT command. The transfer is then started by telling server A to expect
a file to be uploaded (STOR), and server B to serve the file (RETR). The
PASV/LIST sequences that follow are the client confirming that the file was
transferred successfully.
This example also illustrates that site-to-site transfers use both active
and passive data transfers; for sites that operate behind firewalls and
NAT, passive transfers may require extra configuration to operate properly
(i.e. use of the MasqueradeAddress and PassivePorts configuration
directives).
"FTP Bounce" Attacks and AllowForeignAddress
So, what does this mean for ProFTPD? By default, ProFTPD does not allow
site-to-site transfers, because allowing them also exposes the server to
a type of attack known as the "FTP bounce" attack:
http://www.cert.org/advisories/CA-1997-27.html
The protection against this attack is to enforce the requirement that, from the server's point of view, the remote address of a control connection matches the remote address of the corresponding data connection. If the addresses do not match, the data connection is treated as coming from a foreign client, and is therefore rejected.
However, some site administrators do want to allow their servers to support
site-to-site transfers. ProFTPD must be explicitly configured to allow these
by using the AllowForeignAddress configuration directive.
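The address check described above, as an added example that is not ProFTPD's own code or part of this document: it decodes the h1,h2,h3,h4,p1,p2 form shared by the PORT argument and the 227 PASV reply, then applies the control-versus-data address comparison that AllowForeignAddress relaxes, on both the active (PORT) and passive (incoming data connection) sides. The FXP client address 10.0.0.5 and the reason strings are constructed for illustration.

```python
import re

# Six-number form shared by the PORT argument and the 227 PASV reply:
# h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2
_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(spec):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port)."""
    m = _SIX_NUMBERS.fullmatch(spec.strip())
    if m is None:
        raise ValueError("malformed host/port argument: %r" % spec)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("value out of range: %r" % spec)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]

def parse_pasv_reply(line):
    """Extract the address/port from a '227 Entering Passive Mode (...)' reply."""
    m = _SIX_NUMBERS.search(line)
    if not line.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % line)
    return parse_hostport(m.group(0))

def check_port_command(control_peer_ip, port_arg, allow_foreign_address=False):
    """Active side: accept a PORT command only if the address it names is the
    control connection's peer (or AllowForeignAddress is on).  The reason
    strings returned here are illustrative, not ProFTPD's reply text."""
    try:
        data_ip, data_port = parse_hostport(port_arg)
    except ValueError as exc:
        return False, "rejected: %s" % exc
    if data_ip != control_peer_ip and not allow_foreign_address:
        return False, "rejected: %s is foreign to control peer %s" % (data_ip, control_peer_ip)
    return True, "accepted: data connection to %s:%d" % (data_ip, data_port)

def check_data_connection(control_peer_ip, data_peer_ip, allow_foreign_address=False):
    """Passive side: accept a connection on the PASV port only from the
    control connection's peer (or when AllowForeignAddress is on)."""
    return data_peer_ip == control_peer_ip or allow_foreign_address

def site_to_site_demo(allow_foreign_address=False):
    """Replay the page's transfer with a constructed client address (10.0.0.5):
    server A's PASV reply is handed to server B as a PORT argument, and server A
    then sees the data connection arrive from server B (5.6.7.8), not the client."""
    a_ip, a_port = parse_pasv_reply("227 Entering Passive Mode (1,2,3,4,130,161).")
    port_arg = "%s,%d,%d" % (a_ip.replace(".", ","), a_port // 256, a_port % 256)
    b_accepts, reason = check_port_command("10.0.0.5", port_arg, allow_foreign_address)
    a_accepts = check_data_connection("10.0.0.5", "5.6.7.8", allow_foreign_address)
    return b_accepts and a_accepts, port_arg, reason
```

With the default (AllowForeignAddress off) both servers refuse their half of the transfer; with it on, both accept.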
Note that even if AllowForeignAddress is enabled, you may still encounter
trouble with site-to-site transfers involving your server. These issues
usually arise from firewall configurations, or from upstream ISPs
performing filtering on the FTP port.