2011-06-28 11:57:25 +00:00
|
|
|
.\" $OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
|
2004-02-28 16:52:45 +00:00
|
|
|
.\"
|
2007-07-03 12:30:03 +00:00
|
|
|
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
|
2004-02-28 16:52:45 +00:00
|
|
|
.\"
|
2007-07-03 12:30:03 +00:00
|
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
|
|
.\" copyright notice and this permission notice appear in all copies.
|
2004-02-28 16:52:45 +00:00
|
|
|
.\"
|
2007-07-03 12:30:03 +00:00
|
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
2004-02-28 16:52:45 +00:00
|
|
|
.\"
|
2004-05-27 23:51:05 +00:00
|
|
|
.\" $FreeBSD$
|
|
|
|
.\"
|
2011-06-28 11:57:25 +00:00
|
|
|
.Dd February 26, 2008
|
2004-02-28 16:52:45 +00:00
|
|
|
.Dt FTP-PROXY 8
|
|
|
|
.Os
|
|
|
|
.Sh NAME
|
|
|
|
.Nm ftp-proxy
|
2007-07-03 12:30:03 +00:00
|
|
|
.Nd Internet File Transfer Protocol proxy daemon
|
2004-02-28 16:52:45 +00:00
|
|
|
.Sh SYNOPSIS
|
2008-12-10 20:59:26 +00:00
|
|
|
.Nm
|
2008-12-10 20:54:37 +00:00
|
|
|
.Bk -words
|
2007-07-03 12:30:03 +00:00
|
|
|
.Op Fl 6Adrv
|
2004-06-16 23:39:33 +00:00
|
|
|
.Op Fl a Ar address
|
2007-07-03 12:30:03 +00:00
|
|
|
.Op Fl b Ar address
|
|
|
|
.Op Fl D Ar level
|
|
|
|
.Op Fl m Ar maxsessions
|
|
|
|
.Op Fl P Ar port
|
|
|
|
.Op Fl p Ar port
|
|
|
|
.Op Fl q Ar queue
|
|
|
|
.Op Fl R Ar address
|
2008-12-10 20:54:37 +00:00
|
|
|
.Op Fl T Ar tag
|
2004-02-28 16:52:45 +00:00
|
|
|
.Op Fl t Ar timeout
|
2008-12-10 20:54:37 +00:00
|
|
|
.Ek
|
2004-02-28 16:52:45 +00:00
|
|
|
.Sh DESCRIPTION
|
|
|
|
.Nm
|
|
|
|
is a proxy for the Internet File Transfer Protocol.
|
2007-07-03 12:30:03 +00:00
|
|
|
FTP control connections should be redirected into the proxy using the
|
2004-02-28 16:52:45 +00:00
|
|
|
.Xr pf 4
|
2007-07-03 12:30:03 +00:00
|
|
|
.Ar rdr
|
|
|
|
command, after which the proxy connects to the server on behalf of
|
|
|
|
the client.
|
|
|
|
.Pp
|
|
|
|
The proxy allows data connections to pass, rewriting and redirecting
|
|
|
|
them so that the right addresses are used.
|
|
|
|
All connections from the client to the server have their source
|
|
|
|
address rewritten so they appear to come from the proxy.
|
|
|
|
Consequently, all connections from the server to the proxy have
|
|
|
|
their destination address rewritten, so they are redirected to the
|
|
|
|
client.
|
|
|
|
The proxy uses the
|
2004-02-28 16:52:45 +00:00
|
|
|
.Xr pf 4
|
2007-07-03 12:30:03 +00:00
|
|
|
.Ar anchor
|
|
|
|
facility for this.
|
|
|
|
.Pp
|
|
|
|
Assuming the FTP control connection is from $client to $server, the
|
|
|
|
proxy connected to the server using the $proxy source address, and
|
|
|
|
$port is negotiated, then
|
2008-12-10 20:59:26 +00:00
|
|
|
.Nm
|
2007-07-03 12:30:03 +00:00
|
|
|
adds the following rules to the various anchors.
|
|
|
|
(These example rules use inet, but the proxy also supports inet6.)
|
|
|
|
.Pp
|
|
|
|
In case of active mode (PORT or EPRT):
|
|
|
|
.Bd -literal -offset 2n
|
|
|
|
rdr from $server to $proxy port $port -> $client
|
|
|
|
pass quick inet proto tcp \e
|
|
|
|
from $server to $client port $port
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
In case of passive mode (PASV or EPSV):
|
|
|
|
.Bd -literal -offset 2n
|
|
|
|
nat from $client to $server port $port -> $proxy
|
|
|
|
pass in quick inet proto tcp \e
|
|
|
|
from $client to $server port $port
|
|
|
|
pass out quick inet proto tcp \e
|
|
|
|
from $proxy to $server port $port
|
|
|
|
.Ed
|
2004-02-28 16:52:45 +00:00
|
|
|
.Pp
|
|
|
|
The options are as follows:
|
|
|
|
.Bl -tag -width Ds
|
2007-07-03 12:30:03 +00:00
|
|
|
.It Fl 6
|
|
|
|
IPv6 mode.
|
|
|
|
The proxy will expect and use IPv6 addresses for all communication.
|
|
|
|
Only the extended FTP modes EPSV and EPRT are allowed with IPv6.
|
|
|
|
The proxy is in IPv4 mode by default.
|
2004-02-28 16:52:45 +00:00
|
|
|
.It Fl A
|
2007-07-03 12:30:03 +00:00
|
|
|
Only permit anonymous FTP connections.
|
|
|
|
Either user "ftp" or user "anonymous" is allowed.
|
2004-06-16 23:39:33 +00:00
|
|
|
.It Fl a Ar address
|
2007-07-03 12:30:03 +00:00
|
|
|
The proxy will use this as the source address for the control
|
|
|
|
connection to a server.
|
|
|
|
.It Fl b Ar address
|
|
|
|
Address where the proxy will listen for redirected control connections.
|
|
|
|
The default is 127.0.0.1, or ::1 in IPv6 mode.
|
|
|
|
.It Fl D Ar level
|
|
|
|
Debug level, ranging from 0 to 7.
|
|
|
|
Higher is more verbose.
|
|
|
|
The default is 5.
|
|
|
|
(These levels correspond to the
|
|
|
|
.Xr syslog 3
|
|
|
|
levels.)
|
|
|
|
.It Fl d
|
|
|
|
Do not daemonize.
|
|
|
|
The process will stay in the foreground, logging to standard error.
|
|
|
|
.It Fl m Ar maxsessions
|
|
|
|
Maximum number of concurrent FTP sessions.
|
|
|
|
When the proxy reaches this limit, new connections are denied.
|
|
|
|
The default is 100 sessions.
|
|
|
|
The limit can be lowered to a minimum of 1, or raised to a maximum of 500.
|
|
|
|
.It Fl P Ar port
|
|
|
|
Fixed server port.
|
|
|
|
Only used in combination with
|
|
|
|
.Fl R .
|
|
|
|
The default is port 21.
|
|
|
|
.It Fl p Ar port
|
|
|
|
Port where the proxy will listen for redirected connections.
|
|
|
|
The default is port 8021.
|
|
|
|
.It Fl q Ar queue
|
|
|
|
Create rules with queue
|
|
|
|
.Ar queue
|
|
|
|
appended, so that data connections can be queued.
|
|
|
|
.It Fl R Ar address
|
|
|
|
Fixed server address, also known as reverse mode.
|
|
|
|
The proxy will always connect to the same server, regardless of
|
|
|
|
where the client wanted to connect to (before it was redirected).
|
|
|
|
Use this option to proxy for a server behind NAT, or to forward all
|
|
|
|
connections to another proxy.
|
2004-02-28 16:52:45 +00:00
|
|
|
.It Fl r
|
2007-07-03 12:30:03 +00:00
|
|
|
Rewrite sourceport to 20 in active mode to suit ancient clients that insist
|
|
|
|
on this RFC property.
|
2008-12-10 20:54:37 +00:00
|
|
|
.It Fl T Ar tag
|
2008-12-10 20:59:26 +00:00
|
|
|
The filter rules will add tag
|
|
|
|
.Ar tag
|
|
|
|
to data connections, and not match quick.
|
|
|
|
This way alternative rules that use the
|
|
|
|
.Ar tagged
|
|
|
|
keyword can be implemented following the
|
|
|
|
.Nm
|
|
|
|
anchor.
|
|
|
|
These rules can use special
|
2008-12-10 20:54:37 +00:00
|
|
|
.Xr pf 4
|
2008-12-10 20:59:26 +00:00
|
|
|
features like route-to, reply-to, label, rtable, overload, etc. that
|
|
|
|
.Nm
|
|
|
|
does not implement itself.
|
2004-02-28 16:52:45 +00:00
|
|
|
.It Fl t Ar timeout
|
2007-07-03 12:30:03 +00:00
|
|
|
Number of seconds that the control connection can be idle, before the
|
|
|
|
proxy will disconnect.
|
|
|
|
The maximum is 86400 seconds, which is also the default.
|
|
|
|
Do not set this too low, because the control connection is usually
|
|
|
|
idle when large data transfers are taking place.
|
|
|
|
.It Fl v
|
|
|
|
Set the 'log' flag on pf rules committed by
|
|
|
|
.Nm .
|
|
|
|
Use twice to set the 'log-all' flag.
|
|
|
|
The pf rules do not log by default.
|
2004-02-28 16:52:45 +00:00
|
|
|
.El
|
2007-07-03 12:30:03 +00:00
|
|
|
.Sh CONFIGURATION
|
|
|
|
To make use of the proxy,
|
2004-02-28 16:52:45 +00:00
|
|
|
.Xr pf.conf 5
|
2007-07-03 12:30:03 +00:00
|
|
|
needs the following rules.
|
|
|
|
All anchors are mandatory.
|
|
|
|
Adjust the rules as needed.
|
2004-02-28 16:52:45 +00:00
|
|
|
.Pp
|
2007-07-03 12:30:03 +00:00
|
|
|
In the NAT section:
|
2004-02-28 16:52:45 +00:00
|
|
|
.Bd -literal -offset 2n
|
2007-07-03 12:30:03 +00:00
|
|
|
nat-anchor "ftp-proxy/*"
|
|
|
|
rdr-anchor "ftp-proxy/*"
|
|
|
|
rdr pass on $int_if proto tcp from $lan to any port 21 -> \e
|
|
|
|
127.0.0.1 port 8021
|
2004-02-28 16:52:45 +00:00
|
|
|
.Ed
|
|
|
|
.Pp
|
2007-07-03 12:30:03 +00:00
|
|
|
In the rule section:
|
|
|
|
.Bd -literal -offset 2n
|
|
|
|
anchor "ftp-proxy/*"
|
|
|
|
pass out proto tcp from $proxy to any port 21
|
2004-02-28 16:52:45 +00:00
|
|
|
.Ed
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr ftp 1 ,
|
|
|
|
.Xr pf 4 ,
|
|
|
|
.Xr pf.conf 5
|
2007-07-03 12:30:03 +00:00
|
|
|
.Sh CAVEATS
|
|
|
|
.Xr pf 4
|
|
|
|
does not allow the ruleset to be modified if the system is running at a
|
|
|
|
.Xr securelevel 7
|
|
|
|
higher than 1.
|
|
|
|
At that level
|
2008-12-10 20:59:26 +00:00
|
|
|
.Nm
|
2007-07-03 12:30:03 +00:00
|
|
|
cannot add rules to the anchors and FTP data connections may get blocked.
|
|
|
|
.Pp
|
|
|
|
Negotiated data connection ports below 1024 are not allowed.
|
2004-02-28 16:52:45 +00:00
|
|
|
.Pp
|
2007-07-03 12:30:03 +00:00
|
|
|
The negotiated IP address for active modes is ignored for security
|
|
|
|
reasons.
|
|
|
|
This makes third party file transfers impossible.
|
|
|
|
.Pp
|
2008-12-10 20:59:26 +00:00
|
|
|
.Nm
|
2007-07-03 12:30:03 +00:00
|
|
|
chroots to "/var/empty" and changes to user "proxy" to drop privileges.
|