FTP-PROXY(8) BSD System Manager's Manual FTP-PROXY(8)
NAME
ftp-proxy -- Internet File Transfer Protocol proxy daemon
SYNOPSIS
ftp-proxy [-A on | off] [-a address] [-b address] [-D level]
[-m maxsessions] [-P port] [-p port] [-R address] [-r on | off]
[-T tag] [-t timeout] [-v all | on | off]
DESCRIPTION
ftp-proxy is a proxy for the Internet File Transfer Protocol making connections over IPv4 NAT possible. FTP control connections should be redirected into the proxy using the PF rdr-to command, after which the proxy connects to the server on behalf of the client.
The proxy allows data connections to pass, rewriting and redirecting them
so that the right addresses are used. All connections from the client to
the server have their source address rewritten so they appear to come
from the proxy. Consequently, all connections from the server to the
proxy have their destination address rewritten, so they are redirected to
the client. The proxy uses the PF anchor facility for this.
Assuming the FTP control connection is from $client to $server, the proxy is connected to the server using the $proxy source address, and $port is negotiated, the ftp-proxy adds the following rules to the anchor. $server and $orig_server are the same unless -R is used to force a different $server address for all connections.
In case of active mode (PORT):
pass in from $server to $proxy port $proxy_port \
rdr-to $client port $port
pass out from $server to $client port $port \
nat-to $orig_server port $natport
In case of passive mode (PASV):
pass in from $client to $orig_server port $proxy_port \
rdr-to $server port $port
pass out from $client to $server port $port nat-to $proxy
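As an added illustration (not part of this manual page or of the ftp-proxy source), the following Python models the negotiation the rules above encode: it decodes the PORT command and the 227 PASV reply, rejects data ports below 1024 and ignores the address announced in PORT as the CAVEATS section states, and renders the two anchor rules for each mode. The addresses, $proxy_port and $natport values are constructed; that the forwarded PORT command names $proxy:$proxy_port and the rewritten 227 reply names $orig_server:$proxy_port is an assumption inferred from the rdr-to rules, not something this page states.

```python
import re
from ipaddress import IPv4Address

# Constructed addresses for the scenario above (documentation values, not real hosts).
# $server equals $orig_server unless -R is used, so both are the same here.
CLIENT, PROXY = "10.0.0.5", "192.0.2.1"
ORIG_SERVER = SERVER = "203.0.113.10"
MIN_DATA_PORT = 1024  # CAVEATS: negotiated data ports below 1024 are not allowed

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or a 227 PASV reply."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % text)
    port = n[4] * 256 + n[5]
    if port < MIN_DATA_PORT:
        raise ValueError("negotiated data port %d below %d rejected" % (port, MIN_DATA_PORT))
    return str(IPv4Address(".".join(map(str, n[:4])))), port

def hostport(ip, port):
    """Encode ip:port back into the h1,h2,h3,h4,p1,p2 form."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def active_mode(port_cmd, proxy_port, natport):
    """Client sent PORT. The announced address is ignored (CAVEATS): data is always
    redirected to the control connection's client. Returns the anchor rules and the
    PORT command forwarded to the server (assumed to name $proxy:$proxy_port)."""
    _announced_ip, port = parse_hostport(port_cmd)
    rules = [
        f"pass in from {SERVER} to {PROXY} port {proxy_port} rdr-to {CLIENT} port {port}",
        f"pass out from {SERVER} to {CLIENT} port {port} nat-to {ORIG_SERVER} port {natport}",
    ]
    return rules, "PORT " + hostport(PROXY, proxy_port)

def passive_mode(pasv_reply, proxy_port):
    """Server sent 227. The client is pointed at $orig_server:$proxy_port (assumed)
    and the anchor redirects that connection to the server's negotiated port."""
    _server_ip, port = parse_hostport(pasv_reply)
    rules = [
        f"pass in from {CLIENT} to {ORIG_SERVER} port {proxy_port} rdr-to {SERVER} port {port}",
        f"pass out from {CLIENT} to {SERVER} port {port} nat-to {PROXY}",
    ]
    return rules, "227 Entering Passive Mode (%s)" % hostport(ORIG_SERVER, proxy_port)
```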
The options are as follows:
-A Only permit anonymous FTP connections. Either user "ftp" or user
"anonymous" is allowed. Solaris Note: you need to specify on |
off to enable/disable anonymous-only mode.
-a address
The proxy will use this as the source address for the control
connection to a server.
-b address
Address where the proxy will listen for redirected control connections. The default is 127.0.0.1.
-D level
Debug level, ranging from 0 to 7. Higher is more verbose. The
default is 5.
-m maxsessions
Maximum number of concurrent FTP sessions. When the proxy
reaches this limit, new connections are denied. The default is
100 sessions. The limit can be lowered to a minimum of 1, or
raised to a maximum of 500.
-P port
Fixed server port. Only used in combination with -R. The
default is port 21.
-p port
Port where the proxy will listen for redirected connections. The
default is port 8021.
-R address
Fixed server address, also known as reverse mode. The proxy will
always connect to the same server, regardless of where the client
wanted to connect to (before it was redirected). Use this option
to proxy for a server behind NAT, or to forward all connections
to another proxy.
-r Rewrite the source port to 20 in active mode to suit ancient clients that insist on this RFC property. Solaris Note: you need to specify on | off to enable/disable RFC compliant mode.
-T tag The filter rules will add tag tag to data connections, and will
use match rules instead of pass ones. This way alternative rules
that use the tagged keyword can be implemented following the
ftp-proxy anchor. These rules can use special PF features like
route-to, reply-to, label, overload, etc. that ftp-proxy does not
implement itself. There must be a matching pass rule after the
ftp-proxy anchor or the data connections will be blocked.
-t timeout
Number of seconds that the control connection can be idle before the proxy will disconnect. The maximum is 86400 seconds, which is also the default. Do not set this too low, because the control connection is usually idle when large data transfers are taking place.
-v Set the 'log' flag on pf rules committed by ftp-proxy. Use twice
to set the `log all' flag. The pf rules do not log by default.
Solaris Note: the option is tri-state. You need to specify one
of the values below:
off nothing is logged
on log only the packets that create state for a data session (equivalent to -v on OpenBSD)
all log all packets that belong to a data session (equivalent to -vv on OpenBSD)
CONFIGURATION
To make use of the proxy, pf.conf(5) needs the following rules. Adjust
the rules as needed; depending on the rest of the ruleset, the last rule
explicitly allowing FTP sessions from the proxy may not be necessary.
anchor "network:firewall:ftp-proxy:YOUR_INSTANCE_NAME/*"
pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out inet proto tcp from (self) to any port ftp
Substitute YOUR_INSTANCE_NAME with the instance name SMF uses. For the default instance it should read as follows:
anchor "network:firewall:ftp-proxy:default/*"
SOLARIS
ftp-proxy must be started as an smf(7) service:
svc:/network/firewall/ftp-proxy
To run ftp-proxy in a non-global zone, the
svc:/network/socket-filter:pf_divert
instance must be online in the global zone.
The options described in the DESCRIPTION section are set using smf properties. The properties that the ftp-proxy enable smf_method(7) processes in order to configure the ftp-proxy daemon are listed below.
ftp-proxy/anonymous-only
If set to on, the proxy is started with the -A option, which allows anonymous FTP logins only. The value off is used as default.
ftp-proxy/proxy-NAT-address
This property sets the -a option, the source IP address the proxy uses to connect to a server.
ftp-proxy/proxy-listen-address
This property sets the -b option, which is the address where the proxy accepts connections from clients.
ftp-proxy/proxy-listen-port
This property sets the -p option, which is the port number where the proxy accepts connections from clients.
ftp-proxy/debug-level
This property sets the -D option, which is the debug level (0-7). If not set, the default value 5 is used.
ftp-proxy/max-sessions
This property sets the -m option, which is the maximum number of concurrent FTP sessions served by the proxy. The valid range is from 1 to 500. If not specified, the value 100 is used by default.
ftp-proxy/reverse-mode-address
This property sets the -R option. It is the fixed server address, which is typically used to access an FTP server behind NAT.
ftp-proxy/reverse-mode-port
This property sets the -P option, which is the port number used by an FTP server behind NAT. The default value is 21.
ftp-proxy/always-use-ftp-data-port
This property sets the -r option; the value off is used as default. If set to on, the proxy will always use port 20 as the source port for active data connections.
ftp-proxy/tag
This property sets the -T option, which tags data connection packets with the desired tag.
ftp-proxy/timeout
This property sets the -t option, which specifies the number of seconds an FTP command session may remain idle. The maximum value is 86400 seconds (1 day).
ftp-proxy/log
This property sets the -v option. There are three possible values. For off, no log action is added to the FTP data connection rules created by the proxy. The value on adds the log action. Specifying the value all adds the `log all' action.
ftp-proxy on Solaris comes with two extra options, which make service
configuration easier.
-c smf-instance
Shows/changes settings kept in smf(7) repository for the
specified smf-instance of the ftp-proxy service.
-C smf-instance
Creates a new instance of the ftp-proxy service and uses
smf-instance for its name.
To tell the proxy service to bind the listen socket to the address 192.168.1.2, use the command below:
ftp-proxy -c default -b 192.168.1.2
To create an anonymous-only proxy instance listening on port 8821, bound to 192.168.1.2, use the following command:
ftp-proxy -C anonymous -b 192.168.1.2 -p 8821 -A on
To switch the anonymous instance created above to regular mode (disable anonymous-only), use a command like this:
ftp-proxy -c anonymous -A off
To display the anonymous instance configuration, use the following command:
ftp-proxy -c anonymous
To manage the service, you need the solaris.smf.manage.network.firewall authorization. To configure service instances, you need the solaris.smf.value.network.firewall authorization. Both these authorizations are granted through the Network Firewall Management profile. To create new service instances, you need the solaris.smf.modify authorization.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------+-------------------------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-------------------------------------+
|Availability | network/firewall/firewall-ftp-proxy |
+---------------+-------------------------------------+
|Stability | Volatile |
+---------------+-------------------------------------+
SEE ALSO
pf.conf(5), smf(7), svccfg(1M)
CAVEATS
Negotiated data connection ports below 1024 are not allowed.
The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
ftp-proxy runs as the ``daemon'' user.
NOTES
Source code for open source software components in Oracle Solaris can be found at https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.
This software was built from source available at https://github.com/oracle/solaris-userland. The original community source was downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ftp-proxy/.
Further information about this software can be found on the open source community website at http://www.openbsd.org.
BSD June 25, 2012 BSD