FreeBSD Manual Pages
FTP-PROXY(8)              BSD System Manager's Manual              FTP-PROXY(8)

NAME
     ftp-proxy -- Internet File Transfer Protocol proxy server

SYNOPSIS
     ftp-proxy [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport]
               [-m minport] [-t timeout] [-u user]

DESCRIPTION
     ftp-proxy is a proxy for the Internet File Transfer Protocol.  The proxy
     uses pf(4) and expects to have the FTP control connection as described in
     services(5) redirected to it via a pf(4) rdr command.  An example of how
     to do that is further down in this document.

     The options are as follows:

     -A      Permit only anonymous FTP connections.  The proxy will allow
             connections to log in to other sites as the user "ftp" or
             "anonymous" only.  Any attempt to log in as another user will be
             blocked by the proxy.

     -a address
             Specify the local IP address to use in bind(2) as the source for
             connections made by ftp-proxy when connecting to destination FTP
             servers.  This may be necessary if the interface address of your
             default route is not reachable from the destinations ftp-proxy is
             attempting connections to, or this address is different from the
             one connections are being NATed to.  In the usual case this means
             that address should be a publicly visible IP address assigned to
             one of the interfaces on the machine running ftp-proxy and should
             be the same address to which you are translating traffic if you
             are using the -n option.

     -D debuglevel
             Specify a debug level, where the proxy emits verbose debug output
             into syslogd(8) at level LOG_DEBUG.  Meaningful values of
             debuglevel are 0-3, where 0 is no debug output and 3 is lots of
             debug output, the default being 0.

     -g group
             Specify the named group to drop group privileges to, after doing
             pf(4) lookups which require root.  By default, ftp-proxy uses the
             default group of the user it drops privilege to.

     -M maxport
             Specify the upper end of the port range the proxy will use for
             the data connections it establishes.  The default is
             IPPORT_HILASTAUTO defined in <netinet/in.h> as 65535.

     -m minport
             Specify the lower end of the port range the proxy will use for
             all data connections it establishes.  The default is
             IPPORT_HIFIRSTAUTO defined in <netinet/in.h> as 49152.

     -n      Activate network address translation (NAT) mode.  In this mode,
             the proxy will not attempt to proxy passive mode (PASV or EPSV)
             data connections.  In order for this to work, the machine running
             the proxy will need to be forwarding packets and doing network
             address translation to allow the outbound passive connections
             from the client to reach the server.  See pf.conf(5) for more
             details on NAT.  The proxy only ignores passive mode data
             connections when using this flag; it will still proxy PORT and
             EPRT mode data connections.  Without this flag, ftp-proxy does
             not require any IP forwarding or NAT beyond the rdr necessary to
             capture the FTP control connection.

     -r      Use reverse host (reverse DNS) lookups for logging and libwrap
             use.  By default, the proxy does not look up hostnames for
             libwrap or logging purposes.

     -t timeout
             Specifies a timeout, in seconds.  The proxy will exit and close
             open connections if it sees no data for the duration of the
             timeout.  The default is 0, which means the proxy will not time
             out.

     -u user
             Specify the named user to drop privilege to, after doing pf(4)
             lookups which require root privilege.  By default, ftp-proxy
             drops privilege to the user proxy.

             Running as root means that the source of data connections the
             proxy makes for PORT and EPRT will be the RFC mandated port 20.
             When running as a non-root user, the source of the data
             connections from ftp-proxy will be chosen randomly from the range
             minport to maxport as described above.

     -V      Be verbose.  With this option the proxy logs the control commands
             sent by clients and the replies sent by the servers to

     -w      Use the tcp wrapper access control library hosts_access(3),
             allowing connections to be allowed or denied based on the tcp
             wrapper's hosts.allow(5) and hosts.deny(5) files.  The proxy does
             libwrap operations after determining the destination of the
             captured control connection, so that tcp wrapper rules may be
             written based on the destination as well as the source of FTP
             connec-

EXAMPLES
     ftp-proxy is run from inetd(8) and requires that FTP connections are
     redirected to it using a rdr rule.  A typical way to do this would be to
     use a pf.conf(5) rule such as

       int_if = "xl0"
       rdr pass on $int_if proto tcp from any to any port 21 -> port 8021

     inetd(8) must then be configured to run ftp-proxy on the port from above

       ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

     in inetd.conf(5).

     ftp-proxy accepts the redirected control connections and forwards them to
     the server.  The proxy replaces the address and port number that the
     client sends through the control connection to the server with its own
     address and proxy port, where it listens for the data connection.  When
     the server opens the data connection back to this port, the proxy
     forwards it to the client.  The pf.conf(5) rules need to let pass
     connections to these proxy ports (see options -u, -m, and -M above) in on
     the external interface.  The following example allows only ports 49152
     to 65535 to pass in statefully:

           block in on $ext_if proto tcp all
           pass  in on $ext_if inet proto tcp from any to $ext_if \
               port > 49151 keep state

     Alternatively, rules can make use of the fact that by default, ftp-proxy
     runs as user "proxy" to allow the backchannel connections, as in the
     following example:

           block in on $ext_if proto tcp all
           pass  in on $ext_if inet proto tcp from any to $ext_if \
               user proxy keep state

     These examples do not cover the connections from the proxy to the foreign
     FTP server.  If one does not pass outgoing connections by default,
     additional rules are needed.

SEE ALSO
     ftp(1), pf(4), hosts.allow(5), hosts.deny(5), inetd.conf(5), pf.conf(5),
     inetd(8), pfctl(8), syslogd(8)

BUGS
     Extended Passive mode (EPSV) is not supported by the proxy and will not
     work unless the proxy is run in network address translation mode.  When
     not in network address translation mode, the proxy returns an error to
     the client, hopefully forcing the client to revert to passive mode (PASV)
     which is supported.  EPSV will work in network address translation mode,
     assuming a pf.conf(5) setup which allows the EPSV connections through to
     their destinations.
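     As an added illustration (not code from this manual page or from
     ftp-proxy itself), the following Python models the control-channel
     handling the DESCRIPTION and BUGS sections describe: a client's PORT or
     EPRT command is rewritten to the proxy's own address and a listening
     port inside the -m/-M range, USER is filtered under -A, and EPSV is
     refused when -n is not given so the client falls back to PASV.  The
     proxy address, port numbers and reply texts are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The two active-mode commands whose address/port the proxy rewrites.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
EPRT_RE = re.compile(r"^EPRT \|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|$", re.IGNORECASE)


@dataclass
class ProxyPolicy:
    proxy_addr: str               # address the proxy listens on for server data connections
    minport: int = 49152          # -m, default IPPORT_HIFIRSTAUTO
    maxport: int = 65535          # -M, default IPPORT_HILASTAUTO
    anonymous_only: bool = False  # -A
    nat_mode: bool = False        # -n


def handle_client_command(policy: ProxyPolicy, line: str,
                          listen_port: int) -> Tuple[Optional[str], Optional[str]]:
    """Model of the proxy's treatment of one control-channel line from the client.

    Returns (line_forwarded_to_server, reply_sent_to_client); exactly one is set.
    listen_port is the port the proxy has bound for the server's data connection.
    Reply codes and texts are constructed for this example, not ftp-proxy's own."""
    if not policy.minport <= listen_port <= policy.maxport:
        raise ValueError("data listen port outside the -m/-M range")
    line = line.strip()
    cmd, _, arg = line.partition(" ")
    cmd = cmd.upper()
    # -A: only the "ftp"/"anonymous" logins are let through to the server.
    if cmd == "USER" and policy.anonymous_only and arg.lower() not in ("ftp", "anonymous"):
        return None, "530 Only anonymous FTP is permitted through this proxy."
    if cmd == "PORT":
        m = PORT_RE.match(line)
        if m is None or any(int(x) > 255 for x in m.groups()):
            return None, "501 Syntax error in PORT parameters."
        # Replace the client's h1,h2,h3,h4,p1,p2 with the proxy's own address and port.
        octets = policy.proxy_addr.replace(".", ",")
        return f"PORT {octets},{listen_port // 256},{listen_port % 256}", None
    if cmd == "EPRT":
        m = EPRT_RE.match(line)
        if m is None or not 0 < int(m.group(2)) < 65536:
            return None, "501 Syntax error in EPRT parameters."
        return f"EPRT |1|{policy.proxy_addr}|{listen_port}|", None
    # Without -n the proxy does not handle EPSV: refuse it so the client reverts to PASV.
    if cmd == "EPSV" and not policy.nat_mode:
        return None, "500 EPSV not supported by proxy, use PASV."
    # PASV, EPSV under -n, and all other commands pass through unchanged.
    return line, None
```

     The rewriting of the server's 227 reply for PASV in non-NAT mode, and
     the choice of source port 20 when running as root, are not modelled here.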

     IPv6 is not yet supported.

BSD                              August 17, 2001                           BSD

