man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022
ftp-proxy (8)

FTP-PROXY(8)              BSD System Manager's Manual             FTP-PROXY(8)

NAME
     ftp-proxy -- Internet File Transfer Protocol proxy daemon

SYNOPSIS
     ftp-proxy [-A on | off] [-a address] [-b address] [-D level]
               [-m maxsessions] [-P port] [-p port] [-R address] [-r on | off]
               [-T tag] [-t timeout] [-v all | on | off]

DESCRIPTION
     ftp-proxy is a proxy for the Internet File Transfer Protocol making
     connections over IPv4 NAT possible.  FTP control connections should be
     redirected into the proxy using the PF rdr-to command, after which the
     proxy connects to the server on behalf of the client.

     The proxy allows data connections to pass, rewriting and redirecting them
     so that the right addresses are used.  All connections from the client to
     the server have their source address rewritten so they appear to come
     from the proxy.  Consequently, all connections from the server to the
     proxy have their destination address rewritten, so they are redirected to
     the client.  The proxy uses the PF anchor facility for this.

     Assuming the FTP control connection is from $client to $server, the proxy
     is connected to the server using the $proxy source address, and $port is
     negotiated, the ftp-proxy adds the following rules to the anchor.
     $server and $orig_server are the same unless -R is used to force a
     different $server address for all connections.

     In case of active mode (PORT):

       pass in from $server to $proxy port $proxy_port \
           rdr-to $client port $port
       pass out from $server to $client port $port \
           nat-to $orig_server port $natport

     In case of passive mode (PASV):

       pass in from $client to $orig_server port $proxy_port \
           rdr-to $server port $port
       pass out from $client to $server port $port nat-to $proxy
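The rule pairs above, as an added Python example that is not part of this man page or of the ftp-proxy sources: it parses the h1,h2,h3,h4,p1,p2 tuple from a client PORT command or a server 227 reply, applies the restrictions listed under CAVEATS (a data port below 1024 is refused, the address in a PORT command is ignored in favour of the control connection's client), and renders the anchor rules including the -T, -r and -v variants. The sample lines, addresses, ports and function names are constructed assumptions.

```python
import re

# Constructed sample control-channel lines (not captured from a real session).
PORT_CMD = "PORT 10,0,0,7,4,10\r\n"                                # client -> server
PASV_REPLY = "227 Entering Passive Mode (203,0,113,9,195,80)\r\n"  # server -> client

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """(ip, port) from a PORT command or 227 reply; ValueError if malformed
    or if the data port is below 1024, which the proxy does not allow."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % line)
    port = p1 * 256 + p2
    if port < 1024:
        raise ValueError("negotiated data port %d below 1024" % port)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def anchor_rules(mode, line, client, server, orig_server, proxy, proxy_port,
                 natport, tag=None, rfc_port20=False, log="off"):
    """The two PF rules the proxy adds to its anchor for one data connection.
    mode "active": line is the client's PORT command; "passive": the server's
    227 reply.  -T tag -> match rules + tag; -r -> nat-to port 20; -v -> log."""
    negotiated_ip, port = parse_hostport(line)
    action = "match" if tag else "pass"
    logw = {"off": "", "on": " log", "all": " log (all)"}[log]
    tagw = " tag %s" % tag if tag else ""
    if mode == "active":
        # negotiated_ip from the PORT command is ignored (see CAVEATS): the data
        # connection is always redirected to the client of the control connection.
        return [
            "%s in%s from %s to %s port %d rdr-to %s port %d%s"
            % (action, logw, server, proxy, proxy_port, client, port, tagw),
            "%s out%s from %s to %s port %d nat-to %s port %d%s"
            % (action, logw, server, client, port, orig_server,
               20 if rfc_port20 else natport, tagw)]
    if mode == "passive":
        # The rules use $server of the control connection, not negotiated_ip.
        return [
            "%s in%s from %s to %s port %d rdr-to %s port %d%s"
            % (action, logw, client, orig_server, proxy_port, server, port, tagw),
            "%s out%s from %s to %s port %d nat-to %s%s"
            % (action, logw, client, server, port, proxy, tagw)]
    raise ValueError("mode must be 'active' or 'passive'")
```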

     The options are as follows:

     -A      Only permit anonymous FTP connections.  Either user "ftp" or user
             "anonymous" is allowed.  Solaris Note: you need to specify on |
             off to enable/disable anonymous-only mode.

     -a address
             The proxy will use this as the source address for the control
             connection to a server.

     -b address
             Address where the proxy will listen for redirected control
             connections.  The default is 127.0.0.1.

     -D level
             Debug level, ranging from 0 to 7.  Higher is more verbose.  The
             default is 5.

     -m maxsessions
             Maximum number of concurrent FTP sessions.  When the proxy
             reaches this limit, new connections are denied.  The default is
             100 sessions.  The limit can be lowered to a minimum of 1, or
             raised to a maximum of 500.

     -P port
             Fixed server port.  Only used in combination with -R.  The
             default is port 21.

     -p port
             Port where the proxy will listen for redirected connections.  The
             default is port 8021.

     -R address
             Fixed server address, also known as reverse mode.  The proxy will
             always connect to the same server, regardless of where the client
             wanted to connect to (before it was redirected).  Use this option
             to proxy for a server behind NAT, or to forward all connections
             to another proxy.

     -r      Rewrite the source port to 20 in active mode to suit ancient
             clients that insist on this RFC property.  Solaris Note: you need
             to specify on | off to enable/disable RFC compliant mode.

     -T tag  The filter rules will add tag tag to data connections, and will
             use match rules instead of pass ones.  This way alternative rules
             that use the tagged keyword can be implemented following the
             ftp-proxy anchor.  These rules can use special PF features like
             route-to, reply-to, label, overload, etc. that ftp-proxy does not
             implement itself.  There must be a matching pass rule after the
             ftp-proxy anchor or the data connections will be blocked.

     -t timeout
             Number of seconds that the control connection can be idle, before
             the proxy will disconnect.  The maximum is 86400 seconds, which
             is also the default.  Do not set this too low, because the
             control connection is usually idle when large data transfers are
             taking place.

     -v      Set the 'log' flag on pf rules committed by ftp-proxy.  Use twice
             to set the `log all' flag.  The pf rules do not log by default.
             Solaris Note: the option is tri-state.  You need to specify one
             of the values below:
                 off  nothing is logged
                 on   log only the packets that create state for a data
                      session (equivalent to -v on OpenBSD)
                 all  log all packets that belong to a data session
                      (equivalent to -vv on OpenBSD)

CONFIGURATION
     To make use of the proxy, pf.conf(5) needs the following rules.  Adjust
     the rules as needed; depending on the rest of the ruleset, the last rule
     explicitly allowing FTP sessions from the proxy may not be necessary.

       anchor "network:firewall:ftp-proxy:YOUR_INSTANCE_NAME/*"
       pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
       pass out inet proto tcp from (self) to any port ftp

     Substitute YOUR_INSTANCE_NAME with the instance name SMF uses.  For the
     default instance it should read as follows:

       anchor "network:firewall:ftp-proxy:default/*"

SOLARIS
     ftp-proxy must be started as an smf(7) service:

           svc:/network/firewall/ftp-proxy

     To run ftp-proxy in a non-global zone, the

           svc:/network/socket-filter:pf_divert

     instance must be online in the global zone.

     The options described in the DESCRIPTION section are set using smf
     properties.  The properties that the ftp-proxy smf_method(7) processes
     in order to configure the ftp-proxy daemon are listed below.
        ftp-proxy/anonymous-only            If set to on the proxy is started
                                            with the -A option, which allows
                                            anonymous FTP logins only.  The
                                            value off is used as default.
        ftp-proxy/proxy-NAT-address         This property sets the -a option,
                                            the source IP address the proxy
                                            uses to connect to a server.
        ftp-proxy/proxy-listen-address      This property sets the -b option,
                                            which is the address where the
                                            proxy accepts connections from a
                                            client.
        ftp-proxy/proxy-listen-port         This property sets the -p option,
                                            which is the port number where
                                            the proxy accepts connections
                                            from a client.
        ftp-proxy/debug-level               This property sets the -D option,
                                            which is a debug level (0-7).  If
                                            not set, the default value 5 is
                                            used.
        ftp-proxy/max-sessions              This property sets the -m option,
                                            which is the maximum number of
                                            concurrent FTP sessions served by
                                            the proxy.  The valid range is
                                            from 1 to 500.  If not specified
                                            the value 100 is used by default.
        ftp-proxy/reverse-mode-address      This property sets the -R option.
                                            It is the fixed server address,
                                            which is typically used to access
                                            an FTP server behind NAT.
        ftp-proxy/reverse-mode-port         This property sets the -P option,
                                            which is the port number used by
                                            an FTP server behind NAT.  The
                                            default value is 21.
        ftp-proxy/always-use-ftp-data-port  This property sets the -r option,
                                            the value off is used as default.
                                            If set to on the proxy will always
                                            use port 20 for active data
                                            connections.
        ftp-proxy/tag                       This property sets the -T option,
                                            which tags data connection packets
                                            with the desired tag.
        ftp-proxy/timeout                   This property sets the -t option,
                                            which specifies the number of
                                            seconds an FTP command session may
                                            remain idle.  The maximum value is
                                            86400 seconds (1 day).
        ftp-proxy/log                       This property sets the -v option.
                                            There are three possible values.
                                            For off, no log action will be
                                            added to FTP data connection rules
                                            created by the proxy.  The value
                                            on adds the log action.
                                            Specifying the value all adds the
                                            `log all' action.

     ftp-proxy on Solaris comes with two extra options, which make service
     configuration easier.
        -c smf-instance
                    Shows/changes settings kept in smf(7) repository for the
                    specified smf-instance of the ftp-proxy service.
        -C smf-instance
                    Creates a new instance of the ftp-proxy service and uses
                    smf-instance for its name.

     To tell the proxy service to bind its listen socket to the 192.168.1.2
     address, use the command below:

           ftp-proxy -c default -b 192.168.1.2

     To create an anonymous-only proxy listening on port 8821, bound to
     192.168.1.2, use the following command:

           ftp-proxy -C anonymous -b 192.168.1.2 -p 8821 -A on

     To switch the anonymous instance created above to regular mode (disable
     anonymous-only), use the following command:

           ftp-proxy -c anonymous -A off

     To display the anonymous instance configuration, use the following
     command:

           ftp-proxy -c anonymous

     To manage the service, you need the solaris.smf.manage.network.firewall
     authorization.  To configure service instances, you need the
     solaris.smf.value.network.firewall authorization.  Both these
     authorizations are granted through the Network Firewall Management
     profile.  To create new service instances, you need the
     solaris.smf.modify authorization.


ATTRIBUTES
     See attributes(7) for descriptions of the following attributes:

     +---------------+-------------------------------------+
     |ATTRIBUTE TYPE |          ATTRIBUTE VALUE            |
     +---------------+-------------------------------------+
     |Availability   | network/firewall/firewall-ftp-proxy |
     +---------------+-------------------------------------+
     |Stability      | Volatile                            |
     +---------------+-------------------------------------+

SEE ALSO
     pf.conf(5), smf(7), svccfg(1M)

CAVEATS
     Negotiated data connection ports below 1024 are not allowed.

     The negotiated IP address for active modes is ignored for security
     reasons.  This makes third party file transfers impossible.

     ftp-proxy runs as the ``daemon'' user.



NOTES
     Source code for open source software components in Oracle Solaris can be
     found at
     https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

     This software was built from source available at
     https://github.com/oracle/solaris-userland.  The original community
     source was downloaded from
     http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ftp-proxy/.

     Further information about this software can be found on the open source
     community website at http://www.openbsd.org.

BSD                              June 25, 2012                             BSD