allow-incoming-ports-below-1024
There is a minor flaw in the FTP protocol which allows connections to and
from remote clients to use any port number. Unfortunately, on
UNIX, port numbers below 1024 are reserved for super-user
processes, and there is a way to trick an FTP server into connecting to one
of these ports. It would be easy to simply disallow all ports under 1024, but
other operating systems such as MacOS use those ports for user processes.
If you are ultra-paranoid about security, you can disallow ports under
1024. If compatibility with other operating systems is more important,
or you're careful about having world-writeable directories, you can allow
these ports.
Examples:
allow-incoming-ports-below-1024=yes
Recommendation:
allow-incoming-ports-below-1024=yes
(The FTP-bounce "attack" isn't too much to be concerned about.
You'll hear a lot of complaints from Mac users if you disallow these
ports, and it isn't worth the extra hassle.)
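
The check this option controls, sketched as an added example (it is not code from this server). It assumes the client's request arrives as an RFC 959 PORT argument of the form h1,h2,h3,h4,p1,p2; the function names and sample requests are hypothetical.

```python
import ipaddress

LOW_PORT_LIMIT = 1024  # ports below this are reserved for super-user processes on UNIX


def parse_port_argument(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated fields")
    octets = []
    for field in fields:
        # int() alone would accept signs, spaces and non-ASCII digits.
        if not (field.isascii() and field.isdigit() and len(field) <= 3):
            raise ValueError(f"bad field {field!r}")
        value = int(field)
        if value > 255:
            raise ValueError(f"field {field!r} exceeds 255")
        octets.append(value)
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    port = octets[4] * 256 + octets[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_port_request(arg, allow_below_1024):
    """Decide whether the server should connect to the address a client asked for."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if port < LOW_PORT_LIMIT and not allow_below_1024:
        return False, f"rejected: port {port} is below {LOW_PORT_LIMIT}"
    return True, f"accepted: {ip}:{port}"


if __name__ == "__main__":
    # Constructed sample requests (192.0.2.0/24 is a documentation range).
    samples = ["192,0,2,10,0,25", "192,0,2,10,3,255",
               "192,0,2,10,4,0", "192,0,2,10,256,1"]
    for setting in (True, False):
        print(f"ports below 1024 allowed: {setting}")
        for arg in samples:
            print(f"  PORT {arg:<18} -> {check_port_request(arg, setting)[1]}")
```

With the low ports disallowed, a request naming port 25 or 1023 is refused while 1024 and above still go through; with them allowed, only malformed arguments are refused.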