*** Note: this document is work in progress and by no means complete. It is included just for the sake of "Release early and often." ***
FTP-Proxy is a transparent, application-level proxy server for FTP connections, designed to protect FTP servers against attacks based on the FTP protocol.
Because FTP uses two TCP connections, it needs special handling to be passed securely through a firewall. In what is commonly called "active" mode the client announces an address and port with the PORT command and the FTP server opens the data connection to it; in "passive" mode the client sends PASV, the server announces an address and port in its reply, and the client opens the data connection. Either way the data port is chosen dynamically and announced inside the control connection, which a static packet filter does not inspect. This makes it very difficult for static packet filters to handle FTP correctly.
Most routers and firewalls that perform NAT know about this procedure; Linux, for example, provides a special kernel module (a connection-tracking helper) for FTP and for several other protocols. However, such code usually only works in the "outbound" direction: it allows FTP access from the inner network to FTP servers on the outer network, but not the other way round.
This is a design restriction: for a connection that originates on the inner network, the router records the translation it applied, so that it can route the response packets from the outer network correctly. For instance, if a WWW client on host 192.168.168.27 on your internal network requests a web page from the web server 194.112.123.200, the router records the mapping when it rewrites the source address of the request packets. When a response packet arrives with a source address of 194.112.123.200, the router looks up that mapping and replaces the public IP address in the destination field with the private IP address of the appropriate client, in this case 192.168.168.27.
Of course, if a connection originates from the outer network, the router has no such mapping and cannot forward the incoming packets, since it has no idea which host on the inner network they are meant for. One solution could be to enable port forwarding on the router (if supported), so that FTP clients on the outer network connect to port X on the router and are handed on to server Y on the inner network. For FTP this fails because of the restrictions outlined above: the static forward covers only the control port, while in passive mode the server's reply announces its private address and a dynamically chosen data port, neither of which the outer client can reach.
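The following is an added example (it is not code from FTP-Proxy) of the two jobs an FTP-aware filter or proxy has to do that a static packet filter cannot: pull the dynamically announced data endpoint out of the PORT command or the 227 PASV reply, check it before acting on it, and, for an internal server behind NAT, rewrite the private address in the PASV reply to the public one. The PORT/PASV encoding (h1,h2,h3,h4,p1,p2, port = p1*256 + p2) is from RFC 959; the sample lines and the reuse of the addresses 192.168.168.27 and 194.112.123.200 from the text are constructed for illustration.

```python
"""Parse, check and rewrite FTP data-port announcements.

Added example, not FTP-Proxy code. The PORT/PASV tuple format follows
RFC 959; all sample lines below are constructed.
"""
import re
from ipaddress import IPv4Address

# h1,h2,h3,h4,p1,p2 as used by PORT commands and 227 PASV replies
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' tuple, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: build the 'h1,h2,h3,h4,p1,p2' string."""
    return ",".join(str(ip).split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = re.match(r"PORT\s+(\S+)\s*$", line, re.IGNORECASE)
    return decode_hostport(m.group(1)) if m else None


def parse_pasv_reply(line):
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' reply."""
    if not line.startswith("227"):
        return None
    return decode_hostport(line)


def check_data_endpoint(announced, control_peer):
    """Checks a proxy applies before honouring an announced data endpoint.

    The announced address must be the peer of the control connection
    (otherwise the server can be made to open a data connection to a
    third party, the classic FTP bounce) and the port must be unprivileged.
    """
    if announced is None:
        return "malformed"
    ip, port = announced
    if ip != IPv4Address(control_peer):
        return "address mismatch"
    if port <= 1023:
        return "bad port"
    return "ok"


def rewrite_pasv_reply(line, public_ip):
    """Replace the private address in a 227 reply with the public one.

    This is what a NAT helper or proxy in front of an internal server has
    to do; the dynamically chosen port is kept unchanged.
    """
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return None
    _, port = parsed
    return _HOSTPORT.sub(encode_hostport(IPv4Address(public_ip), port), line, count=1)


if __name__ == "__main__":
    # constructed sample lines reusing the addresses from the text
    port_line = "PORT 192,168,168,27,4,1"
    pasv_line = "227 Entering Passive Mode (192,168,168,27,200,10)."
    print(parse_port_command(port_line))
    print(check_data_endpoint(parse_port_command(port_line), "192.168.168.27"))
    print(check_data_endpoint(parse_port_command("PORT 10,0,0,5,4,1"), "192.168.168.27"))
    print(rewrite_pasv_reply(pasv_line, "194.112.123.200"))
```

The address check in check_data_endpoint is the part that matters for protecting a server: a filter that forwards whatever endpoint the peer announces lets an outside client use the server as a connection relay. The rewrite in rewrite_pasv_reply shows why a plain port forward of port 21 is not enough: without it, the outer client receives the server's private 192.168.168.27 address and a port the router is not forwarding.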
A proxy server is an elegant way to circumvent these restrictions, but there are other benefits of using FTP-Proxy as well: