xref: /freebsd/contrib/pf/ftp-proxy/ftp-proxy.8 (revision 935205e2307611615ed5a7fe0a32b225ffd8c19c)
1*e0bfbfceSBjoern A. Zeeb.\"	$OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
213b9f610SMax Laier.\"
35ee7cd21SMax Laier.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
413b9f610SMax Laier.\"
55ee7cd21SMax Laier.\" Permission to use, copy, modify, and distribute this software for any
65ee7cd21SMax Laier.\" purpose with or without fee is hereby granted, provided that the above
75ee7cd21SMax Laier.\" copyright notice and this permission notice appear in all copies.
813b9f610SMax Laier.\"
95ee7cd21SMax Laier.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
105ee7cd21SMax Laier.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
115ee7cd21SMax Laier.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
125ee7cd21SMax Laier.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
135ee7cd21SMax Laier.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
145ee7cd21SMax Laier.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
155ee7cd21SMax Laier.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1613b9f610SMax Laier.\"
17abbfafd2SMax Laier.\" $FreeBSD$
18abbfafd2SMax Laier.\"
19*e0bfbfceSBjoern A. Zeeb.Dd February 26, 2008
2013b9f610SMax Laier.Dt FTP-PROXY 8
2113b9f610SMax Laier.Os
2213b9f610SMax Laier.Sh NAME
2313b9f610SMax Laier.Nm ftp-proxy
245ee7cd21SMax Laier.Nd Internet File Transfer Protocol proxy daemon
2513b9f610SMax Laier.Sh SYNOPSIS
26*e0bfbfceSBjoern A. Zeeb.Nm
27*e0bfbfceSBjoern A. Zeeb.Bk -words
285ee7cd21SMax Laier.Op Fl 6Adrv
2922ac3eadSMax Laier.Op Fl a Ar address
305ee7cd21SMax Laier.Op Fl b Ar address
315ee7cd21SMax Laier.Op Fl D Ar level
325ee7cd21SMax Laier.Op Fl m Ar maxsessions
335ee7cd21SMax Laier.Op Fl P Ar port
345ee7cd21SMax Laier.Op Fl p Ar port
355ee7cd21SMax Laier.Op Fl q Ar queue
365ee7cd21SMax Laier.Op Fl R Ar address
37*e0bfbfceSBjoern A. Zeeb.Op Fl T Ar tag
3813b9f610SMax Laier.Op Fl t Ar timeout
39*e0bfbfceSBjoern A. Zeeb.Ek
4013b9f610SMax Laier.Sh DESCRIPTION
4113b9f610SMax Laier.Nm
4213b9f610SMax Laieris a proxy for the Internet File Transfer Protocol.
435ee7cd21SMax LaierFTP control connections should be redirected into the proxy using the
4413b9f610SMax Laier.Xr pf 4
455ee7cd21SMax Laier.Ar rdr
465ee7cd21SMax Laiercommand, after which the proxy connects to the server on behalf of
475ee7cd21SMax Laierthe client.
485ee7cd21SMax Laier.Pp
495ee7cd21SMax LaierThe proxy allows data connections to pass, rewriting and redirecting
505ee7cd21SMax Laierthem so that the right addresses are used.
515ee7cd21SMax LaierAll connections from the client to the server have their source
525ee7cd21SMax Laieraddress rewritten so they appear to come from the proxy.
535ee7cd21SMax LaierConsequently, all connections from the server to the proxy have
545ee7cd21SMax Laiertheir destination address rewritten, so they are redirected to the
555ee7cd21SMax Laierclient.
565ee7cd21SMax LaierThe proxy uses the
5713b9f610SMax Laier.Xr pf 4
585ee7cd21SMax Laier.Ar anchor
595ee7cd21SMax Laierfacility for this.
605ee7cd21SMax Laier.Pp
615ee7cd21SMax LaierAssuming the FTP control connection is from $client to $server, the
625ee7cd21SMax Laierproxy connected to the server using the $proxy source address, and
635ee7cd21SMax Laier$port is negotiated, then
64*e0bfbfceSBjoern A. Zeeb.Nm
655ee7cd21SMax Laieradds the following rules to the various anchors.
665ee7cd21SMax Laier(These example rules use inet, but the proxy also supports inet6.)
675ee7cd21SMax Laier.Pp
685ee7cd21SMax LaierIn case of active mode (PORT or EPRT):
695ee7cd21SMax Laier.Bd -literal -offset 2n
705ee7cd21SMax Laierrdr from $server to $proxy port $port -> $client
715ee7cd21SMax Laierpass quick inet proto tcp \e
725ee7cd21SMax Laier    from $server to $client port $port
735ee7cd21SMax Laier.Ed
745ee7cd21SMax Laier.Pp
755ee7cd21SMax LaierIn case of passive mode (PASV or EPSV):
765ee7cd21SMax Laier.Bd -literal -offset 2n
775ee7cd21SMax Laiernat from $client to $server port $port -> $proxy
785ee7cd21SMax Laierpass in quick inet proto tcp \e
795ee7cd21SMax Laier    from $client to $server port $port
805ee7cd21SMax Laierpass out quick inet proto tcp \e
815ee7cd21SMax Laier    from $proxy to $server port $port
825ee7cd21SMax Laier.Ed
8313b9f610SMax Laier.Pp
8413b9f610SMax LaierThe options are as follows:
8513b9f610SMax Laier.Bl -tag -width Ds
865ee7cd21SMax Laier.It Fl 6
875ee7cd21SMax LaierIPv6 mode.
885ee7cd21SMax LaierThe proxy will expect and use IPv6 addresses for all communication.
895ee7cd21SMax LaierOnly the extended FTP modes EPSV and EPRT are allowed with IPv6.
905ee7cd21SMax LaierThe proxy is in IPv4 mode by default.
9113b9f610SMax Laier.It Fl A
925ee7cd21SMax LaierOnly permit anonymous FTP connections.
935ee7cd21SMax LaierEither user "ftp" or user "anonymous" is allowed.
9422ac3eadSMax Laier.It Fl a Ar address
955ee7cd21SMax LaierThe proxy will use this as the source address for the control
965ee7cd21SMax Laierconnection to a server.
975ee7cd21SMax Laier.It Fl b Ar address
985ee7cd21SMax LaierAddress where the proxy will listen for redirected control connections.
995ee7cd21SMax LaierThe default is 127.0.0.1, or ::1 in IPv6 mode.
1005ee7cd21SMax Laier.It Fl D Ar level
1015ee7cd21SMax LaierDebug level, ranging from 0 to 7.
1025ee7cd21SMax LaierHigher is more verbose.
1035ee7cd21SMax LaierThe default is 5.
1045ee7cd21SMax Laier(These levels correspond to the
1055ee7cd21SMax Laier.Xr syslog 3
1065ee7cd21SMax Laierlevels.)
1075ee7cd21SMax Laier.It Fl d
1085ee7cd21SMax LaierDo not daemonize.
1095ee7cd21SMax LaierThe process will stay in the foreground, logging to standard error.
1105ee7cd21SMax Laier.It Fl m Ar maxsessions
1115ee7cd21SMax LaierMaximum number of concurrent FTP sessions.
1125ee7cd21SMax LaierWhen the proxy reaches this limit, new connections are denied.
1135ee7cd21SMax LaierThe default is 100 sessions.
1145ee7cd21SMax LaierThe limit can be lowered to a minimum of 1, or raised to a maximum of 500.
1155ee7cd21SMax Laier.It Fl P Ar port
1165ee7cd21SMax LaierFixed server port.
1175ee7cd21SMax LaierOnly used in combination with
1185ee7cd21SMax Laier.Fl R .
1195ee7cd21SMax LaierThe default is port 21.
1205ee7cd21SMax Laier.It Fl p Ar port
1215ee7cd21SMax LaierPort where the proxy will listen for redirected connections.
1225ee7cd21SMax LaierThe default is port 8021.
1235ee7cd21SMax Laier.It Fl q Ar queue
1245ee7cd21SMax LaierCreate rules with queue
1255ee7cd21SMax Laier.Ar queue
1265ee7cd21SMax Laierappended, so that data connections can be queued.
1275ee7cd21SMax Laier.It Fl R Ar address
1285ee7cd21SMax LaierFixed server address, also known as reverse mode.
1295ee7cd21SMax LaierThe proxy will always connect to the same server, regardless of
1305ee7cd21SMax Laierwhere the client wanted to connect to (before it was redirected).
1315ee7cd21SMax LaierUse this option to proxy for a server behind NAT, or to forward all
1325ee7cd21SMax Laierconnections to another proxy.
13313b9f610SMax Laier.It Fl r
1345ee7cd21SMax LaierRewrite sourceport to 20 in active mode to suit ancient clients that insist
1355ee7cd21SMax Laieron this RFC property.
136*e0bfbfceSBjoern A. Zeeb.It Fl T Ar tag
137*e0bfbfceSBjoern A. ZeebThe filter rules will add tag
138*e0bfbfceSBjoern A. Zeeb.Ar tag
139*e0bfbfceSBjoern A. Zeebto data connections, and not match quick.
140*e0bfbfceSBjoern A. ZeebThis way alternative rules that use the
141*e0bfbfceSBjoern A. Zeeb.Ar tagged
142*e0bfbfceSBjoern A. Zeebkeyword can be implemented following the
143*e0bfbfceSBjoern A. Zeeb.Nm
144*e0bfbfceSBjoern A. Zeebanchor.
145*e0bfbfceSBjoern A. ZeebThese rules can use special
146*e0bfbfceSBjoern A. Zeeb.Xr pf 4
147*e0bfbfceSBjoern A. Zeebfeatures like route-to, reply-to, label, rtable, overload, etc. that
148*e0bfbfceSBjoern A. Zeeb.Nm
149*e0bfbfceSBjoern A. Zeebdoes not implement itself.
15013b9f610SMax Laier.It Fl t Ar timeout
1515ee7cd21SMax LaierNumber of seconds that the control connection can be idle, before the
1525ee7cd21SMax Laierproxy will disconnect.
1535ee7cd21SMax LaierThe maximum is 86400 seconds, which is also the default.
1545ee7cd21SMax LaierDo not set this too low, because the control connection is usually
1555ee7cd21SMax Laieridle when large data transfers are taking place.
1565ee7cd21SMax Laier.It Fl v
1575ee7cd21SMax LaierSet the 'log' flag on pf rules committed by
1585ee7cd21SMax Laier.Nm .
1595ee7cd21SMax LaierUse twice to set the 'log-all' flag.
1605ee7cd21SMax LaierThe pf rules do not log by default.
16113b9f610SMax Laier.El
1625ee7cd21SMax Laier.Sh CONFIGURATION
1635ee7cd21SMax LaierTo make use of the proxy,
16413b9f610SMax Laier.Xr pf.conf 5
1655ee7cd21SMax Laierneeds the following rules.
1665ee7cd21SMax LaierAll anchors are mandatory.
1675ee7cd21SMax LaierAdjust the rules as needed.
1685ee7cd21SMax Laier.Pp
1695ee7cd21SMax LaierIn the NAT section:
17013b9f610SMax Laier.Bd -literal -offset 2n
1715ee7cd21SMax Laiernat-anchor "ftp-proxy/*"
1725ee7cd21SMax Laierrdr-anchor "ftp-proxy/*"
1735ee7cd21SMax Laierrdr pass on $int_if proto tcp from $lan to any port 21 -> \e
1745ee7cd21SMax Laier    127.0.0.1 port 8021
17513b9f610SMax Laier.Ed
17613b9f610SMax Laier.Pp
1775ee7cd21SMax LaierIn the rule section:
17813b9f610SMax Laier.Bd -literal -offset 2n
1795ee7cd21SMax Laieranchor "ftp-proxy/*"
1805ee7cd21SMax Laierpass out proto tcp from $proxy to any port 21
18113b9f610SMax Laier.Ed
18213b9f610SMax Laier.Sh SEE ALSO
18313b9f610SMax Laier.Xr ftp 1 ,
18413b9f610SMax Laier.Xr pf 4 ,
18513b9f610SMax Laier.Xr pf.conf 5
1865ee7cd21SMax Laier.Sh CAVEATS
1875ee7cd21SMax Laier.Xr pf 4
1885ee7cd21SMax Laierdoes not allow the ruleset to be modified if the system is running at a
1895ee7cd21SMax Laier.Xr securelevel 7
1905ee7cd21SMax Laierhigher than 1.
1915ee7cd21SMax LaierAt that level
192*e0bfbfceSBjoern A. Zeeb.Nm
1935ee7cd21SMax Laiercannot add rules to the anchors and FTP data connections may get blocked.
19413b9f610SMax Laier.Pp
1955ee7cd21SMax LaierNegotiated data connection ports below 1024 are not allowed.
1965ee7cd21SMax Laier.Pp
1975ee7cd21SMax LaierThe negotiated IP address for active modes is ignored for security
1985ee7cd21SMax Laierreasons.
1995ee7cd21SMax LaierThis makes third party file transfers impossible.
2005ee7cd21SMax Laier.Pp
201*e0bfbfceSBjoern A. Zeeb.Nm
2025ee7cd21SMax Laierchroots to "/var/empty" and changes to user "proxy" to drop privileges.
203