FXP Configuration
Here are some hints on how to configure various FTP servers for FXP; see the text about the FXP problem for more information about it. If you have corrections or suggestions, please send them to dag@awk-scripting.de.
It's not very likely that you have heard of this FTP server. It was never really published, but it's a nice and clean FTP server available as "unsupported" software. You can find it under http://www.ftpproxy.org/download/unsupported/; the current release is ftpserver-1.0.10.tar.gz. Give the "-e" option on ftp.server's command line to enable FXP, and a second "-e" to get rid of the warning messages in your syslog. So "-ee" is what you want for FXP.
Using regedit.exe, add the following registry key (DWORD value):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\
EnablePortAttack=1
To support FXP when connecting as a user, place "AllowForeignAddress on" in the Global or VirtualHost context. The config will happily support "AllowForeignAddress on" in multiple places within the config. You may need to add the following: "PassivePorts 49152 65534". (Taken from http://flashfxp.com/)
Set "AllowUserFXP" to "yes" in pure-ftpd.conf. If you only use command line options use "-w". See http://www.pureftpd.org/ for more details.
Uncheck "Block FTP Bounce attacks and FXP" under "General", then select the cluster user account on your Serv-U server and permit him to do FXP. Furthermore, as I was told, you have to make sure that you have not limited the "Max. no of users".
See also Serv-U's knowledge base, http://www.serv-u.com/.
First, we need to add an additional class for users that are allowed to do FXP (unless you just want to use the predefined class "all"). If you add a new class, this line MUST be before the catch-all class "all", or the client will match class "all" first.
The line is of the form:
class <ArbitraryClassName> <AccessTypes> <HostAddrs> [HostAddrs]
Then we add lines to allow PASV and PORT commands to hosts whose IPs don't match the client (to allow FXP).
These lines are of the form:
port-allow <ArbitraryClassName> <HostAddrs>
pasv-allow <ArbitraryClassName> <HostAddrs>
And now to put it into practice - a real example
class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
class all real,guest,anonymous *
port-allow newclass 0.0.0.0/0
pasv-allow newclass 0.0.0.0/0
This adds a new class (creatively called "newclass"); note that it appears before the line containing the class "all". The new class contains all hosts in the subdomains mydomain.net and more.client.addresses.com (domains obviously made up by yours truly), in order to limit who we will allow to do FXP. The port-allow and pasv-allow lines allow FXP connections to anywhere if your client is in the class "newclass".
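The class-ordering rule above can be checked mechanically before a config goes live. The following is an added example, not part of the original page or of any FTP server's tooling; the function names are hypothetical, and it assumes a class whose host list contains a bare "*" is a catch-all and that classes are matched in file order, as described above.

```python
# Added example: audits ftpaccess-style text for the class-ordering rule.
# Constructed sample, mirroring the example configuration on this page.
SAMPLE_FTPACCESS = """\
class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
class all real,guest,anonymous *
port-allow newclass 0.0.0.0/0
pasv-allow newclass 0.0.0.0/0
"""

def parse_ftpaccess(text):
    """Return (classes in file order, {class name: [directive, ...]})."""
    classes, grants = [], {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0] == "class" and len(fields) >= 4:
            classes.append((fields[1], fields[3:]))  # (name, host patterns)
        elif fields[0] in ("port-allow", "pasv-allow") and len(fields) >= 3:
            grants.setdefault(fields[1], []).append(fields[0])
    return classes, grants

def audit(text):
    """Return a list of findings; an empty list means the ordering is sound."""
    classes, grants = parse_ftpaccess(text)
    findings, catch_all = [], None
    for name, hosts in classes:
        # Assumption: a class whose host list contains a bare "*" is a catch-all.
        is_catch_all = "*" in hosts
        if name in grants and is_catch_all:
            findings.append(f"{name}: catch-all class holds {sorted(set(grants[name]))}, "
                            "so every client may name foreign addresses")
        elif name in grants and catch_all is not None:
            findings.append(f"{name}: defined after catch-all '{catch_all}', "
                            "so its clients match that class first")
        if is_catch_all and catch_all is None:
            catch_all = name
    defined = {name for name, _ in classes}
    findings += [f"{name}: port-allow/pasv-allow names an undefined class"
                 for name in grants if name not in defined]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FTPACCESS) or ["no ordering problems found"]:
        print(finding)
```

A finding on a catch-all class means the FXP permission is no longer limited to the hosts you intended, which is the situation the separate class exists to prevent.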