Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
FTP-PROXY(8)            FreeBSD System Manager's Manual           FTP-PROXY(8)

NAME
     ftp-proxy - Internet File Transfer Protocol proxy server

SYNOPSIS
     ftp-proxy [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport]
               [-m minport] [-t timeout] [-u user]

DESCRIPTION
     ftp-proxy is a proxy for the Internet File Transfer Protocol.  The proxy
     uses pf(4) and expects to have the FTP control connection as described in
     services(5) redirected to it via a pf(4) rdr command.  An example of how
     to do that is further down in this document.

     The options are as follows:

     -A      Permit only anonymous FTP connections.  The proxy will allow
             connections to log in to other sites as the user "ftp" or
             "anonymous" only.  Any attempt to log in as another user will be
             blocked by the proxy.

     -a address
             Specify the local IP address to use in bind(2) as the source for
             connections made by ftp-proxy when connecting to destination FTP
             servers.  This may be necessary if the interface address of your
             default route is not reachable from the destinations ftp-proxy is
             attempting connections to, or this address is different from the
             one connections are being NATed to.  In the usual case this means
             that address should be a publicly visible IP address assigned to
             one of the interfaces on the machine running ftp-proxy and should
             be the same address to which you are translating traffic if you
             are using the -n option.

     -D debuglevel
             Specify a debug level, where the proxy emits verbose debug output
             into syslogd(8) at level LOG_DEBUG.  Meaningful values of
             debuglevel are 0-3, where 0 is no debug output and 3 is lots of
             debug output, the default being 0.

     -g group
             Specify the named group to drop group privileges to, after doing
             pf(4) lookups which require root.  By default, ftp-proxy uses the
             default group of the user it drops privilege to.

     -M maxport
             Specify the upper end of the port range the proxy will use for
             the data connections it establishes.  The default is
             IPPORT_HILASTAUTO defined in <netinet/in.h> as 65535.

     -m minport
             Specify the lower end of the port range the proxy will use for
             all data connections it establishes.  The default is
             IPPORT_HIFIRSTAUTO defined in <netinet/in.h> as 49152.

     -n      Activate network address translation (NAT) mode.  In this mode,
             the proxy will not attempt to proxy passive mode (PASV or EPSV)
             data connections.  In order for this to work, the machine running
             the proxy will need to be forwarding packets and doing network
             address translation to allow the outbound passive connections
             from the client to reach the server.  See pf.conf(5) for more
             details on NAT.  The proxy only ignores passive mode data
             connections when using this flag; it will still proxy PORT and
             EPRT mode data connections.  Without this flag, ftp-proxy does
             not require any IP forwarding or NAT beyond the rdr necessary to
             capture the FTP control connection.

     -r      Use reverse host (reverse DNS) lookups for logging and libwrap
             use.  By default, the proxy does not look up hostnames for
             libwrap or logging purposes.

     -t timeout
             Specifies a timeout, in seconds.  The proxy will exit and close
             open connections if it sees no data for the duration of the
             timeout.  The default is 0, which means the proxy will not time
             out.

     -u user
             Specify the named user to drop privilege to, after doing pf(4)
             lookups which require root privilege.  By default, ftp-proxy
             drops privilege to the user proxy.

             Running as root means that the source of data connections the
             proxy makes for PORT and EPRT will be the RFC mandated port 20.
             When running as a non-root user, the source of the data
             connections from ftp-proxy will be chosen randomly from the range
             minport to maxport as described above.

     -V      Be verbose.  With this option the proxy logs the control commands
             sent by clients and the replies sent by the servers to
             syslogd(8).

     -w      Use the tcp wrapper access control library hosts_access(3),
             allowing connections to be allowed or denied based on the tcp
             wrapper's hosts.allow(5) and hosts.deny(5) files.  The proxy does
             libwrap operations after determining the destination of the
             captured control connection, so that tcp wrapper rules may be
             written based on the destination as well as the source of FTP
             connections.

     ftp-proxy is run from inetd(8) and requires that FTP connections are
     redirected to it using a rdr rule.  A typical way to do this would be to
     use a pf.conf(5) rule such as

       int_if = "xl0"
       rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

     inetd(8) must then be configured to run ftp-proxy on the port from above
     using

       ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

     in inetd.conf(5).

     ftp-proxy accepts the redirected control connections and forwards them to
     the server.  The proxy replaces the address and port number that the
     client sends through the control connection to the server with its own
     address and proxy port, where it listens for the data connection.  When
     the server opens the data connection back to this port, the proxy
     forwards it to the client.  The pf.conf(5) rules need to let pass
     connections to these proxy ports (see options -u, -m, and -M above) in on
     the external interface.  The following example allows only ports 49152 to
     65535 to pass in statefully:

           block in on $ext_if proto tcp all
           pass  in on $ext_if inet proto tcp from any to $ext_if \
               port > 49151 keep state

     Alternatively, rules can make use of the fact that by default, ftp-proxy
     runs as user "proxy" to allow the backchannel connections, as in the
     following example:

           block in on $ext_if proto tcp all
           pass  in on $ext_if inet proto tcp from any to $ext_if \
               user proxy keep state

     These examples do not cover the connections from the proxy to the foreign
     FTP server.  If one does not pass outgoing connections by default
     additional rules are needed.

SEE ALSO
     ftp(1), pf(4), hosts.allow(5), hosts.deny(5), inetd.conf(5), pf.conf(5),
     inetd(8), pfctl(8), syslogd(8)

BUGS
     Extended Passive mode (EPSV) is not supported by the proxy and will not
     work unless the proxy is run in network address translation mode.  When
     not in network address translation mode, the proxy returns an error to
     the client, hopefully forcing the client to revert to passive mode (PASV)
     which is supported.  EPSV will work in network address translation mode,
     assuming a pf.conf(5) setup which allows the EPSV connections through to
     their destinations.

     IPv6 is not yet supported.

FreeBSD 11.0-PRERELEASE         August 17, 2001        FreeBSD 11.0-PRERELEASE

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ftp-proxy&sektion=8&manpath=FreeBSD+5.3-RELEASE>

home | help