ftp-proxy - Internet File Transfer Protocol proxy server
ftp-proxy [-AnrVw] [-a address] [-D debuglevel] [-g group]
[-M maxport]
[-m minport] [-R address[:port]] [-S address] [-t
timeout] [-u
user]
ftp-proxy is a proxy for the Internet File Transfer Protocol. The proxy
uses pf(4) and expects to have the FTP control connection as
described in
services(5) redirected to it via a pf(4) rdr command. An
example of how
to do that is further down in this document.
The options are as follows:
-A Permit only anonymous FTP connections. The proxy
will allow connections
to log in to other sites as the user "ftp"
or
"anonymous" only. Any attempt to log in as another
user will be
blocked by the proxy.
-a address
Specify the local IP address to use in bind(2) as
the source for
connections made by ftp-proxy when connecting to
destination FTP
servers. This may be necessary if the interface address of your
default route is not reachable from the destinations
ftp-proxy is
attempting connections to, or this address is different from the
one connections are being NATed to. In the usual
case this means
that address should be a publicly visible IP address
assigned to
one of the interfaces on the machine running
ftp-proxy and should
be the same address to which you are translating
traffic if you
are using the -n option.
-D debuglevel
Specify a debug level, where the proxy emits verbose
debug output
into syslogd(8) at level LOG_DEBUG. Meaningful values of debuglevel
are 0-3, where 0 is no debug output and 3 is
lots of debug
output, the default being 0.
-g group
Specify the named group to drop group privileges to,
after doing
pf(4) lookups which require root. By default,
ftp-proxy uses the
default group of the user it drops privilege to.
-M maxport
Specify the upper end of the port range the proxy
will use for
the data connections it establishes. The default is
IPPORT_HILASTAUTO defined in <netinet/in.h> as
65535.
-m minport
Specify the lower end of the port range the proxy
will use for
all data connections it establishes. The default is
IPPORT_HIFIRSTAUTO defined in <netinet/in.h> as
49152.
-n Activate network address translation (NAT) mode. In
this mode,
the proxy will not attempt to proxy passive mode
(PASV or EPSV)
data connections. In order for this to work, the
machine running
the proxy will need to be forwarding packets and doing network
address translation to allow the outbound passive
connections
from the client to reach the server. See pf.conf(5)
for more details
on NAT. The proxy only ignores passive mode
data connections
when using this flag; it will still proxy PORT
and EPRT
mode data connections. Without this flag, ftp-proxy
does not require
any IP forwarding or NAT beyond the rdr necessary to capture
the FTP control connection.
-r Use reverse host (reverse DNS) lookups for logging
and libwrap
use. By default, the proxy does not look up hostnames for libwrap
or logging purposes.
-R address:[port]
Reverse proxy mode for FTP servers running behind a
NAT gateway.
In this mode, no redirection is needed. The proxy
is run from
inetd(8) on the port that external clients connect
to (usually
21). Control connections and passive data connections are forwarded
to the server.
-S address
Source address to use for data connections made by
the proxy.
Useful when there are multiple addresses (aliases)
available to
the proxy. Clients may expect data connections to
have the same
source address as the control connections, and reject or drop
other connections.
-t timeout
Specifies a timeout, in seconds. The proxy will exit and close
open connections if it sees no data for the duration
of the timeout.
The default is 0, which means the proxy will
not time out.
-u user
Specify the named user to drop privilege to, after
doing pf(4)
lookups which require root privilege. By default,
ftp-proxy
drops privilege to the user proxy.
Running as root means that the source of data connections the
proxy makes for PORT and EPRT will be the RFC mandated port 20.
When running as a non-root user, the source of the
data connections
from ftp-proxy will be chosen randomly from
the range
minport to maxport as described above.
-V Be verbose. With this option the proxy logs the
control commands
sent by clients and the replies sent by the servers
to
syslogd(8).
-w Use the tcp wrapper access control library hosts_access(3), allowing
connections to be allowed or denied based on
the tcp wrapper's
hosts.allow(5) and hosts.deny(5) files. The
proxy does
libwrap operations after determining the destination
of the captured
control connection, so that tcp wrapper rules
may be written
based on the destination as well as the source
of FTP connections.
ftp-proxy is run from inetd(8) and requires that FTP connections are
redirected to it using a rdr rule. A typical way to do this
would be to
use a pf.conf(5) rule such as
int_if = "xl0"
rdr pass on $int_if proto tcp from any to any port 21 ->
127.0.0.1 port 8021
inetd(8) must then be configured to run ftp-proxy on the
port from above
using
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftpproxy ftp-proxy
in inetd.conf(5).
ftp-proxy accepts the redirected control connections and
forwards them to
the server. The proxy replaces the address and port number
that the
client sends through the control connection to the server
with its own
address and proxy port, where it listens for the data connection. When
the server opens the data connection back to this port, the
proxy forwards
it to the client. The pf.conf(5) rules need to let
pass connections
to these proxy ports (see options -u, -m, and -M
above) in on the
external interface. The following example allows only ports
49152 to
65535 to pass in statefully:
block in on $ext_if proto tcp all
pass in on $ext_if inet proto tcp from any to $ext_if
port > 49151 keep state
Alternatively, rules can make use of the fact that by default, ftp-proxy
runs as user "proxy" to allow the backchannel connections,
as in the following
example:
block in on $ext_if proto tcp all
pass in on $ext_if inet proto tcp from any to $ext_if
user proxy keep state
These examples do not cover the connections from the proxy
to the foreign
FTP server. If one does not pass outgoing connections by
default additional
rules are needed.
ftp(1), pf(4), hosts.allow(5), hosts.deny(5), inetd.conf(5),
pf.conf(5),
inetd(8), pfctl(8), syslogd(8)
Extended Passive mode (EPSV) is not supported by the proxy
and will not
work unless the proxy is run in network address translation
mode. When
not in network address translation mode, the proxy returns
an error to
the client, hopefully forcing the client to revert to passive mode (PASV)
which is supported. EPSV will work in network address
translation mode,
assuming a pf.conf(5) setup which allows the EPSV connections through to
their destinations.
IPv6 is not yet supported.
OpenBSD 3.6 August 17, 2001
[ Back ] |
