FTP-PROXY(8)              BSD System Manager's Manual             FTP-PROXY(8)

NAME
     ftp-proxy -- Internet File Transfer Protocol proxy daemon

SYNOPSIS
     ftp-proxy [-A on | off] [-a address] [-b address] [-D level]
               [-m maxsessions] [-P port] [-p port] [-R address] [-r on | off]
               [-T tag] [-t timeout] [-v all | on | off]

DESCRIPTION
     ftp-proxy is a proxy for the Internet File Transfer Protocol making
     connections over IPv4 NAT possible.  FTP control connections should be
     redirected into the proxy using the PF rdr-to command, after which the
     proxy connects to the server on behalf of the client.

     The proxy allows data connections to pass, rewriting and redirecting
     them so that the right addresses are used.  All connections from the
     client to the server have their source address rewritten so they
     appear to come from the proxy.  Consequently, all connections from the
     server to the proxy have their destination address rewritten, so they
     are redirected to the client.  The proxy uses the PF anchor facility
     for this.

     Assuming the FTP control connection is from $client to $server, the
     proxy is connected to the server using the $proxy source address, and
     $port is negotiated, the ftp-proxy adds the following rules to the
     anchor.  $server and $orig_server are the same unless -R is used to
     force a different $server address for all connections.

     In case of active mode (PORT):

           pass in from $server to $proxy port $proxy_port \
               rdr-to $client port $port
           pass out from $server to $client port $port \
               nat-to $orig_server port $natport

     In case of passive mode (PASV):

           pass in from $client to $orig_server port $proxy_port \
               rdr-to $server port $port
           pass out from $client to $server port $port nat-to $proxy

     The options are as follows:

     -A      Only permit anonymous FTP connections.  Either user "ftp" or
             user "anonymous" is allowed.  Solaris Note: you need to specify
             on | off to enable/disable anonymous-only mode.

     -a address
             The proxy will use this as the source address for the control
             connection to a server.
     -b address
             Address where the proxy will listen for redirected control
             connections.  The default is 127.0.0.1.

     -D level
             Debug level, ranging from 0 to 7.  Higher is more verbose.  The
             default is 5.

     -m maxsessions
             Maximum number of concurrent FTP sessions.  When the proxy
             reaches this limit, new connections are denied.  The default is
             100 sessions.  The limit can be lowered to a minimum of 1, or
             raised to a maximum of 500.

     -P port
             Fixed server port.  Only used in combination with -R.  The
             default is port 21.

     -p port
             Port where the proxy will listen for redirected connections.
             The default is port 8021.

     -R address
             Fixed server address, also known as reverse mode.  The proxy
             will always connect to the same server, regardless of where the
             client wanted to connect to (before it was redirected).  Use
             this option to proxy for a server behind NAT, or to forward all
             connections to another proxy.

     -r      Rewrite the source port to 20 in active mode to suit ancient
             clients that insist on this RFC property.  Solaris Note: you
             need to specify on | off to enable/disable RFC compliant mode.

     -T tag  The filter rules will add tag tag to data connections, and will
             use match rules instead of pass ones.  This way alternative
             rules that use the tagged keyword can be implemented following
             the ftp-proxy anchor.  These rules can use special PF features
             like route-to, reply-to, label, overload, etc. that ftp-proxy
             does not implement itself.  There must be a matching pass rule
             after the ftp-proxy anchor or the data connections will be
             blocked.

     -t timeout
             Number of seconds that the control connection can be idle,
             before the proxy will disconnect.  The maximum is 86400
             seconds, which is also the default.  Do not set this too low,
             because the control connection is usually idle when large data
             transfers are taking place.

     -v      Set the 'log' flag on pf rules committed by ftp-proxy.  Use
             twice to set the 'log all' flag.  The pf rules do not log by
             default.  Solaris Note: the option is tri-state.
             You need to specify one of the values below:

             off     nothing is logged
             on      log only packets which create state for a data session
                     (equivalent to -v on OpenBSD)
             all     log all packets which belong to a data session
                     (equivalent to -vv on OpenBSD)

CONFIGURATION
     To make use of the proxy, pf.conf(5) needs the following rules.  Adjust
     the rules as needed; depending on the rest of the ruleset, the last
     rule explicitly allowing FTP sessions from the proxy may not be
     necessary.

           anchor "network:firewall:ftp-proxy:YOUR_INSTANCE_NAME/*"
           pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
           pass out inet proto tcp from (self) to any port ftp

     Substitute YOUR_INSTANCE_NAME with the instance name SMF uses.  For the
     default instance it should read as follows:

           anchor "network:firewall:ftp-proxy:default/*"

SOLARIS
     ftp-proxy must be started as an smf(7) service:

           svc:/network/firewall/ftp-proxy

     To run ftp-proxy in a non-global zone, the
     svc:/network/socket-filter:pf_divert instance must be online in the
     global zone.

     The options described in the DESCRIPTION section are set using smf
     properties.  The properties that the ftp-proxy enable method (see
     smf_method(7)) reads in order to configure the ftp-proxy daemon are
     listed below.

     ftp-proxy/anonymous-only
             If set to on the proxy is started with the -A option, which
             allows anonymous FTP logins only.  The value off is used as
             default.

     ftp-proxy/proxy-NAT-address
             This property sets the -a option, the source IP address the
             proxy uses to connect to a server.

     ftp-proxy/proxy-listen-address
             This property sets the -b option, which is the address where
             the proxy accepts a connection from a client.

     ftp-proxy/proxy-listen-port
             This property sets the -p option, which is the port number
             where the proxy accepts a connection from a client.

     ftp-proxy/debug-level
             This property sets the -D option, which is a debug level (0-7).
             If not set, the default value 5 is used.
     ftp-proxy/max-sessions
             This property sets the -m option, which is the maximum number
             of concurrent FTP sessions served by the proxy.  The valid
             range is from 1 to 500.  If not specified, the value 100 is
             used by default.

     ftp-proxy/reverse-mode-address
             This property sets the -R option.  It is the fixed server
             address, which is typically used to access an FTP server
             behind NAT.

     ftp-proxy/reverse-mode-port
             This property sets the -P option, which is the port number
             used by an FTP server behind NAT.  The default value is 21.

     ftp-proxy/always-use-ftp-data-port
             This property sets the -r option; the value off is used as
             default.  If set to on the proxy will always use port 20 for
             active data connections.

     ftp-proxy/tag
             This property sets the -T option, which tags data connection
             packets with the desired tag.

     ftp-proxy/timeout
             This property sets the -t option, which specifies the number
             of seconds an FTP command session may remain idle.  The
             maximum value is 86400 seconds (1 day).

     ftp-proxy/log
             This property sets the -v option.  There are three possible
             values.  For off, no log action will be added to the FTP data
             connection rules created by the proxy.  The value on adds the
             log action.  Specifying the value all adds the 'log all'
             action.

     ftp-proxy on Solaris comes with two extra options, which make service
     configuration easier.

     -c smf-instance
             Shows/changes settings kept in the smf(7) repository for the
             specified smf-instance of the ftp-proxy service.

     -C smf-instance
             Creates a new instance of the ftp-proxy service and uses
             smf-instance for its name.
     To tell the proxy service to bind the listen socket to the 192.168.1.2
     address, one has to use the command below:

           ftp-proxy -c default -b 192.168.1.2

     To create an anonymous-only proxy listening on port 8821, bound to
     192.168.1.2, one uses the command as follows:

           ftp-proxy -C anonymous -b 192.168.1.2 -p 8821 -A on

     To switch the anonymous instance created above to the regular mode
     (disable anonymous-only), one uses the command like this:

           ftp-proxy -c anonymous -A off

     To display the anonymous instance configuration use the command as
     follows:

           ftp-proxy -c anonymous

     To manage the service, you need the
     solaris.smf.manage.network.firewall authorization.  To configure
     service instances, you need the solaris.smf.value.network.firewall
     authorization.  Both these authorizations are granted through the
     Network Firewall Management profile.  To create new service instances,
     you need the solaris.smf.modify authorization.

ATTRIBUTES
     See attributes(7) for descriptions of the following attributes:

     +---------------+-------------------------------------+
     |ATTRIBUTE TYPE | ATTRIBUTE VALUE                     |
     +---------------+-------------------------------------+
     |Availability   | network/firewall/firewall-ftp-proxy |
     +---------------+-------------------------------------+
     |Stability      | Volatile                            |
     +---------------+-------------------------------------+

SEE ALSO
     pf.conf(5), smf(7), svccfg(1M)

CAVEATS
     Negotiated data connection ports below 1024 are not allowed.

     The negotiated IP address for active modes is ignored for security
     reasons.  This makes third party file transfers impossible.

     ftp-proxy runs as the ``daemon'' user.

NOTES
     Source code for open source software components in Oracle Solaris can
     be found at
     https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

     This software was built from source available at
     https://github.com/oracle/solaris-userland.

     The original community source was downloaded from
     http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ftp-proxy/.

     Further information about this software can be found on the open
     source community website at http://www.openbsd.org.

BSD                             June 25, 2012                              BSD
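The per-session address and port handling described in DESCRIPTION and CAVEATS, as an added Python illustration that is not part of this manual page or of ftp-proxy's own code: it parses the h1,h2,h3,h4,p1,p2 tuple of a PORT command or 227 reply, refuses data ports below 1024, takes every address from the control connection rather than from the negotiated tuple, and emits the two anchor rules shown above. The function names, the sample addresses and the proxy_port/natport values are assumptions.

```python
import re

MIN_DATA_PORT = 1024  # CAVEATS: negotiated data ports below 1024 are not allowed

# h1,h2,h3,h4,p1,p2 as carried by a PORT command and by a 227 (PASV) reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple in a PORT or 227 line."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def data_rules(line, client, server, proxy, proxy_port, natport, orig_server=None):
    """Return the two anchor rules from DESCRIPTION for one PORT command (active
    mode) or one 227 reply (passive mode).  Only the port is taken from the
    negotiated tuple; every address comes from the control connection, which is
    why a PORT naming some third host cannot steer the data connection there
    (CAVEATS).  orig_server differs from server only under -R.  proxy_port and
    natport stand for the ports the proxy picks for itself (assumed inputs)."""
    orig_server = orig_server or server
    _negotiated_ip, port = parse_hostport(line)  # address deliberately unused
    if not MIN_DATA_PORT <= port <= 65535:
        raise ValueError("data port %d refused (must be %d-65535)" % (port, MIN_DATA_PORT))
    if line.upper().startswith("PORT "):  # active: server connects back to client
        return [
            "pass in from %s to %s port %d rdr-to %s port %d"
            % (server, proxy, proxy_port, client, port),
            "pass out from %s to %s port %d nat-to %s port %d"
            % (server, client, port, orig_server, natport),
        ]
    if line.startswith("227 "):  # passive: client connects to server
        return [
            "pass in from %s to %s port %d rdr-to %s port %d"
            % (client, orig_server, proxy_port, server, port),
            "pass out from %s to %s port %d nat-to %s" % (client, server, port, proxy),
        ]
    raise ValueError("not a PORT command or a 227 reply: %r" % line)


if __name__ == "__main__":
    # constructed session: client 10.0.0.5, server 203.0.113.20, proxy 192.0.2.1
    for rule in data_rules("PORT 10,0,0,5,4,1", "10.0.0.5", "203.0.113.20",
                           "192.0.2.1", 49152, 48000):
        print(rule)
```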