SunScreen 3.2 Administrator's Overview

FTP Proxy

The FTP proxy functions as a relay for the File Transfer Protocol to enable you to control connections based upon source and destination addresses and user authentication. It can also limit access to certain file transfer commands, such as put and get, based on source or destination addresses and user authentication.

You can configure the FTP proxy to ask for user authentication as an additional mechanism for controlling access to sites and commands.

FTP Proxy Operation

When the FTP proxy starts, it reads its policy files and then listens on the standard FTP port (port 21) for connections. When a connection is made, the FTP proxy starts a new thread to handle the connection, and the main thread returns to listening for other connections.

The child thread generates an FTP login banner and asks for a user name and password pair. The user name format is proxyuser@server. The password format is proxypass@serverpass, where proxypass is the password for the proxy, and serverpass is the password for the destination FTP server.

The FTP proxy validates the proxyuser name using proxypass as described previously. The hostname (backend server), given in the USER command after the first @ character, is translated to its IP address using the hostname-to-address translation mechanism configured for and in the context of the FTP proxy. The resulting addresses provide the values to use as matching criteria for the destination addresses in the proxy rules.

The standard proxy rule matching is used (see "Policy Rule Matching"). If a match is found, a connection is established to the FTP server of the user-requested destination. If multiple addresses result from the translation of the user-specified backend server, they are each tried in the order yielded by the name translation mechanism (for example, DNS).

Once a connection to the backend server is established, the proxy attempts to log in using the backend username generated during authentication and using serverpass as the password (see "Proxy User Authentication"). Once the backend user identity is established, commands that are allowed by flags associated with the policy rule in use are relayed, results returned, and files exchanged.

The following example illustrates a session in which a user connects through the proxy to a target host (ftp.cdrom.com) using anonymous FTP.


#ftp screen
Connected to screen
220- Proxy: SunScreen FTP Proxy Version 3.2
	:Username to be given as proxy-user@FTP-server
	:Password to be given as proxy-user@FTP-server-password@
220 Ready
Name (screen:edison): anonymous@ftp.cdrom.com
331-Proxy: Authenticate & connect
331 Password needed to authenticate 'anonymous'.
Password: [password is not echoed]
	:Authentication mapped 'anonymous' to backend user 'anonymous'.
	:Connecting to ftp.cdrom.com (165.113.121.81) - done
Server: 220 wcarchive.cdrom.com FTP server (Version 2.0) ready
Proxy: Login on server as 'anonymous'.
Server: 331 Password to server.
Proxy: Supplying password to server
230-Server:
230-Welcome to wcarchive - home ftp site for Walnut Creek CD-ROM
230-There are currently 2273 users out of 2750 possible
230 Guest login OK, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

FTP Proxy and Anonymous FTP

The proxy user anonymous is configured during the installation process as an unauthenticated proxy user. As such, any string provided before the first @ in the password is ignored. The part of the password after the first @ (in this example, edison@carter.com) is the backend user password, which, for anonymous FTP, is traditionally the user's email address.
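The following model of the login and rule-matching flow described under "FTP Proxy Operation" and "FTP Proxy and Anonymous FTP" is an added illustration, not SunScreen code: the rule fields, the name table and the proxy-user list are constructed assumptions. It shows the split of USER and PASS at their first @, the skipped proxy password for an unauthenticated user, the resolved addresses tried in lookup order, and the per-rule command flags.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed name table standing in for the proxy's hostname lookup (DNS).
NAME_TABLE = {"ftp.example.net": ["192.0.2.10", "192.0.2.11"]}
# Constructed proxy users; None marks an unauthenticated user such as anonymous.
PROXY_USERS = {"anonymous": None, "edison": "s3cret"}


@dataclass
class Rule:
    src: str       # source network the client must come from
    dst: str       # destination network the resolved server must fall in
    users: set     # proxy users the rule applies to
    cmds: set      # FTP commands the rule's flags allow (e.g. RETR, STOR)


def split_credentials(user, password):
    """USER is proxyuser@server and PASS is proxypass@serverpass; each is
    split at its first '@' only, so an e-mail used as serverpass keeps its '@'."""
    proxyuser, _, server = user.partition("@")
    proxypass, _, serverpass = password.partition("@")
    if not server:
        raise ValueError("USER must be given as proxyuser@server")
    return proxyuser, server, proxypass, serverpass


def authenticate(proxyuser, proxypass):
    """Validate the proxy user; for an unauthenticated user proxypass is ignored."""
    if proxyuser not in PROXY_USERS:
        return False
    expected = PROXY_USERS[proxyuser]
    return expected is None or proxypass == expected


def match_rule(rules, src_ip, server, proxyuser):
    """Resolve the server and try each address in lookup order against the rules;
    return the first matching (rule, address), or (None, None)."""
    for addr in NAME_TABLE.get(server, []):
        for rule in rules:
            if (ip_address(src_ip) in ip_network(rule.src)
                    and ip_address(addr) in ip_network(rule.dst)
                    and proxyuser in rule.users):
                return rule, addr
    return None, None


def command_allowed(rule, cmd):
    """Relay a command only if the matched rule's flags permit it."""
    return cmd.upper() in rule.cmds
```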

FTP Proxy Use

To use the proxy and make FTP connections, the user must open an FTP connection to the Screen rather than open a direct connection to the end system. The Screen's policy rules only allow FTP connections to and from the FTP proxy.

Other FTP Proxy Issues

The FTP proxy does not permit the PASV command (used for third-party transfers).

The FTP proxy has a 10-minute time-out on the control connection for user requests. The responses from the backend server have only two minutes to arrive before timing out.

The maximum number of concurrent sessions available in the FTP proxy daemon is configurable through the variable N_Sessions. It contains the following items:

As initially installed, a global version of this variable is created that restricts the number of concurrent sessions to 100.

The following is an example of what you would type to display this (initial) variable while logged into the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars print prg=ftpp name=N_Sessions
PRG="ftpp" NAME="N_Sessions" ENABLED VALUE="100"
DESCRIPTION="limit # of concurrent sessions, FTP proxy"

You can alter this number of sessions, perhaps to be more restrictive, on a particular Screen.

The following is an example of what you would type to do this while logged into the primary Screen:


edit> vars add sys=Screen prg=ftpp name=N_Sessions value=66
description="limit # of concurrent sessions on the Screen FTP proxy"
edit> quit

When the FTP proxy is configured on a Screen, the FTP service into that system itself becomes unavailable. To avoid confusion, define the destination address of proxy rules to exclude all the addresses of Screens. (You can still FTP out of the Screen, as necessary.)