FTP-PROXY(8) | System Manager's Manual | FTP-PROXY(8) |
ftp-proxy
—
ftp-proxy |
[-6Adrv ]
[-a address]
[-b address]
[-D level]
[-i netif]
[-m maxsessions]
[-P port]
[-p port]
[-q queue]
[-R address]
[-T tag]
[-t timeout] |
ftp-proxy
is a proxy for the Internet File Transfer
Protocol. FTP control connections should be redirected into the proxy using
the ipnat(4) or
pf(4) rdr
command, after which the proxy connects to the server on behalf of the client.
The proxy allows data connections to pass, rewriting and
redirecting them so that the right addresses are used. All connections from
the client to the server have their source address rewritten so they appear
to come from the proxy. Consequently, all connections from the server to the
proxy have their destination address rewritten, so they are redirected to
the client. The proxy uses the
pf(4) anchor
facility for this, unless the option -i
is
specified, it will then use the
ipnat(4) interface.
Assuming the FTP control connection is from $client to $server,
the proxy connected to the server using the $proxy source address, and $port
is negotiated, then ftp-proxy
adds the following
rules to the various anchors. (These example rules use inet, but the proxy
also supports inet6.)
In case of active mode (PORT or EPRT):
rdr from $server to $proxy port $port -> $client pass quick inet proto tcp \ from $server to $client port $port
In case of passive mode (PASV or EPSV):
nat from $client to $server port $port -> $proxy pass in quick inet proto tcp \ from $client to $server port $port pass out quick inet proto tcp \ from $proxy to $server port $port
The options are as follows:
-6
-A
-a
address-b
address-D
level-d
-i
netifftp-proxy
for use with IP-Filter. The argument
netif should be set to the name of the network
interface where rdr is applied on.-m
maxsessions-P
port-R
. The default is port 21.-p
port-q
queue-R
address-r
-T
tag-t
timeout-v
ftp-proxy
. Use twice to set the 'log-all' flag.
The pf rules do not log by default.In the NAT section:
nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" rdr pass on $int_if proto tcp from $lan to any port 21 -> \ 127.0.0.1 port 8021
In the rule section:
anchor "ftp-proxy/*" pass out proto tcp from $proxy to any port 21
To make use of the proxy using ipnat(4), ipnat.conf(5) need the following rule:
rdr $int_if any port 21 -> 127.0.0.1 port 8021 tcp
ftp-proxy
cannot add rules to the anchors and
FTP data connections may get blocked.
Negotiated data connection ports below 1024 are not allowed.
The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
ftp-proxy
chroots to
"/var/chroot/ftp-proxy" and changes to user "_proxy" to
drop privileges.
August 1, 2007 | NetBSD 9.4 |