FTP Proxy

The FTP proxy functions as a relay for the File Transfer Protocol to let you control connections based upon source and destination addresses and user authentication. It can also limit access to certain file transfer commands, such as put and get, based on source or destination addresses and user authentication.

You can configure the FTP proxy to ask for user authentication as an additional mechanism for controlling access to sites and commands.

FTP Proxy Operation

When the FTP proxy starts, it reads its policy files and then listens on the standard FTP port (port 21) for connections. When a connection is made, the FTP proxy starts a new thread to handle the connection, and the main thread returns to listening for other connections.

The child thread generates an FTP login banner and asks for a user name and password pair. The user name format is proxyuser@server. The password format is proxypass@serverpass, where proxypass is the password for the proxy, and serverpass is the password for the destination FTP server.

The FTP proxy validates the proxyuser name using proxypass as was described previously. The hostname (backend server), given in the USER command after the first @ character, is translated to its IP address(es) using the hostname-to-address translation mechanism configured for and in the context of the FTP proxy. The resulting addresses provide the values to use as matching criteria for the destination addresses in the proxy rules.

The standard proxy rule matching (given in the section "Policy Rule Matching") is used. If a match is found, a connection is established to the FTP server of the user-requested destination. If multiple addresses result from the translation of the user-specified backend server, they are each tried in the order yielded by the name translation mechanism (for example, DNS).

Once a connection to the backend server is established, the proxy attempts to log in using the backend username generated during authentication and using serverpass as the password (see "Proxy User Authentication"). Once the backend user identity is established, commands that are allowed by flags associated with the policy rule in use are relayed, results returned, and files exchanged.

The following example illustrates a session between an FTP connection to a target host (ftp.cdrom.com) using anonymous FTP.

 
Connected to screen
 
220- Proxy: SunScreen FTP Proxy Version 3.1
	:Username to be given
as proxy-user@FTP-server
 
	:Password to be given as proxy-pass@FTP-server-pass
220 Ready
Name (screen:edison): anonymous@ftp.cdrom.com
331-Proxy: Authenticate and
connect
331 Password needed to authenticate anonymous.
 
Password:
	:Authentication mapped anonymous to backend user anonymous
 
	:Connecting to ftp.cdrom.com (165.113.121.81) - done
 
Server: 220 wcarchive.cdrom.com FTP server (Version 2.0) ready
 
Proxy: Login on server as anonymous
Server: 331 Guest login OK,
send your email address as password
Proxy: Supplying password
to server
230-Server:
230-Welcome to wcarchive - home
ftp site for Walnut Creek CD-ROM
230-There are currently 2273
users out of 2750 possible
230 Guest login OK, access restrictions
apply

FTP Proxy and Anonymous FTP

The proxy user anonymous is configured during the installation process as an unauthenticated proxy user. As such, any string provided before the first @ in the password is ignored. The password after the first @ in the password sequence (that is, edison@carter.com) is the backend user password, which, for anonymous FTP, is traditionally the user's email address.

FTP Proxy Use

To use the proxy and make FTP connections, the user must open an FTP connection to the Screen (as shown in the preceding example) rather than open a direct connection to the end system. The Screen's policy rules only allow FTP connections to and from the FTP proxy.

Other FTP Proxy Issues

The FTP proxy does not permit the PASV command (used for third-party transfers).

The FTP proxy has a 10-minute time-out on the control connection for user requests. The responses from the backend server have only two minutes to arrive before timing out.

The maximum number of concurrent sessions available in the FTP proxy daemon is configurable through the variable N_Sessions.

It contains the following items:

• sys=Screen (Optional)

• prg=ftpp

• name=N_Sessions

• values=max # of sessions

• description="descriptive text" (Optional)

• enabled | disabled (The default is enabled)

As initially installed, a global version of this variable is created that restricts the number of concurrent sessions to 100.

The following is an example of what you would type to display this (initial) variable while logged in to the primary Screen:

>admin% ssadm -r primary edit Initial
edit> vars print prg=ftpp name=N_Sessions
 
PRG="ftpp" NAME="N_Sessions" ENABLED VALUE="100" DESCRIPTION="limit # of concurrent
sessions, FTP proxy" 

You can alter this number of sessions, perhaps to be more restrictive, on a particular Screen.

The following is an example of what you would type to do this while logged in to the primary Screen:

edit> vars add sys=Screen 
prg=httpp name=N_Sessions value=66 
description="limit # of concurrent sessions on the Screen FTP proxy"
edit> quit

By configuring the FTP proxy on a Screen, the actual FTP service into that system becomes unavailable. To avoid confusion, define the destination address of proxy rules to exclude all the addresses of your Screen or Screens. (You can still FTP out of the Screen, as necessary.)