Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
FTP-PROXY(8)            OpenBSD System Manager's Manual           FTP-PROXY(8)

     ftp-proxy - Internet File Transfer Protocol proxy server.

     ftp-proxy [-AnVwr] [-D debuglevel] [-g group] [-m minport] [-M maxport]
               [-t timeout] [-u user]

     ftp-proxy is a proxy for the Internet file transfer protocol.  The proxy
     uses pf(4) and expects to have the ftp control connection as described in
     services(5) redirected to it via a pf rdr command.  An example of how to
     do that is further down in this document.

     The options are as follows:

     -A      Permit only anonymous ftp connections.  The proxy will allow con-
             nections to log in to other sites as the user "ftp" or "anony-
             mous" only.  Any attempt to log in as another user will be
             blocked by the proxy.

     -g groupname
             specify the named group to drop group privileges to, after doing
             pf lookups which require root.  By default ftp-proxy uses the de-
             fault group of the user it drops privilege to.

     -u username
             specify the named user to drop privilege to, after doing pf
             lookups which require root privilege.  By default ftp-proxy drops
             privilege to the user proxy.

             Running as root means that the source of data connections the
             proxy makes for PORT and EPRT will be the RFC mandated port 20.
             When running as a non-root user the source of the data connec-
             tions from ftp-proxy will be chosen randomly from the range
             minport to maxport as described below.

     -n      Activate network address translation mode.  In this mode, the
             proxy will not attempt to proxy passive mode (PASV or EPSV) data
             connections, In order for this to work, the machine running the
             proxy will need to be forwarding packets and doing network ad-
             dress translation to allow the outbound passive connections from
             the client to reach the server.  See nat.conf(5) for more details
             on nat.  The proxy only ignores passive mode data connections
             when using this flag, it will still proxy PORT and EPRT mode data
             connections.  Without this flag, ftp-proxy does not require any
             ip forwarding or NAT beyond the rdr necessary to capture the ftp
             control connection.

     -V      Be verbose.  With this option the proxy logs the control commands
             sent by clients and the replies send by the servers to syslog(8)

     -w      Use the tcp wrapper access control library hosts_access(3) allow-
             ing connections to be allowed or denied based on the tcp wrap-
             per's hosts.allow(5) and hosts.deny(5) files.  The proxy does
             libwrap operations after determining the destination of the cap-
             tured control connection, so that tcp wrapper rules may be writ-
             ten based on the destination as well as the source of ftp connec-

     -r      Use reverse host (reverse DNS) lookups for logging and libwrap
             use.  By default the proxy does not look up hostnames for libwrap

             or logging purposes.

     -m minport
             specify the lower end of the port range the proxy will use for
             all data connections it establishes.  The default is
             IPPORT_HIFIRSTAUTO defined in <netinet/in.h> as 49152.

     -M maxport
             specify the upper end of the port range the proxy will use for
             the data connections it establishes.  The default is
             IPPORT_HILASTAUTO defined in <netinet/in.h> as 65535.

     -t timeout
             specifies a timeout, in seconds.  The proxy will exit and close
             open connections if it sees no data the duration of the timeout.
             The default is 0, which means the proxy will not time out.

     -D debuglevel
             specify a debug level, where the proxy emits verbose debug output
             into syslog(8) at level LOG_DEBUG.  Meaningful values of debu-
             glevel are 0-3, where 0 is no debug output and 3 is lots of debug
             output, the default being 0.

     ftp-proxy is run from inetd(8) and requires that ftp connections are
     redirected to it using an rdr rule.  A typical way to do this would be to
     use a rule such as

     rdr on xl0 from any to any port 21 -> port 8081

     in nat.conf(5) (this example assumes xl0 is the interface facing an in-
     ternal network).  inetd(8) must then be configured to run ftp-proxy on
     the port from above using stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

     in inetd.conf(5).

     ftp-proxy accepts the redirected control connections and forwards them to
     the server.  The proxy replaces the address and port number that the
     client sends through the control connection to the server with his own
     address and proxy port, where it listens for the data connection.  When
     the server opens the data connection back to this port, the proxy for-
     wards it to the client.  The pf.conf(5) rules need to let pass connec-
     tions to these proxy ports (see options -u, -m and -M above) in on the
     external interface.  The following example allows only ports 49152 to
     65535 to pass in statefully (assuming xl1 is the external interface):

     block in on xl1 proto tcp all
     pass  in on xl1 proto tcp from any to xl1 port > 49151 keep state

     ftp(1), hosts.allow(5), hosts.deny(5), nat.conf(5), pf.conf(5), pfctl(8),

     Extended Passive mode (EPSV) is not supported by the proxy and will not
     work unless the proxy is run in network address translation mode.  When
     not in network address translation mode, the proxy returns an error to
     the client, hopefully forcing the client to revert to Passive mode (PASV)
     which is supported.  EPSV will work in network address translation mode,
     assuming a nat.conf(5) setup which allows the EPSV connections through to
     their destinations.

     IPv6 is not yet supported.

OpenBSD 3.1                      Aug 17, 2001                                2


Want to link to this manual page? Use this URL:

home | help