Internet File Transfer Protocol proxy
ftp-proxy is a proxy for the Internet File
Transfer Protocol. FTP control connections should be redirected into the
proxy using the pf(4) divert-to command, after which
the proxy connects to the server on behalf of the client.
The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used. All connections from the client to the server have their source address rewritten so they appear to come from the proxy. Consequently, all connections from the server to the proxy have their destination address rewritten, so they are redirected to the client. The proxy uses the pf(4) anchor facility for this.
Assuming the FTP control connection is from $client to $server,
the proxy connected to the server using the $proxy source address, and $port
is negotiated, then
ftp-proxy adds the following
rules to the anchor. $server and $orig_server are the same unless
-R is used to force a different $server address for
all connections. (These example rules use inet, but the proxy also supports
In case of active mode (PORT or EPRT):
pass in from $server to $proxy port $proxy_port \ rdr-to $client port $port pass out from $server to $client port $port \ nat-to $orig_server port $natport
In case of passive mode (PASV or EPSV):
pass in from $client to $orig_server port $proxy_port \ rdr-to $server port $port pass out from $client to $server port $port nat-to $proxy
ftp-proxy chroots to
"/var/empty" and changes to user "_ftp_proxy" to drop
The options are as follows:
- IPv6 mode. The proxy will expect and use IPv6 addresses for all communication. Only the extended FTP modes EPSV and EPRT are allowed with IPv6. The proxy is in IPv4 mode by default.
- Only permit anonymous FTP connections. Either user "ftp" or user "anonymous" is allowed.
- The proxy will use this as the source address for the control connection to a server.
- Address where the proxy will listen for redirected control connections. The default is 127.0.0.1, or ::1 in IPv6 mode.
- Debug level, ranging from 0 to 7. Higher is more verbose. The default is 5. (These levels correspond to the syslog(3) levels.)
- Do not daemonize. The process will stay in the foreground, logging to standard error.
- Maximum number of concurrent FTP sessions. When the proxy reaches this limit, new connections are denied. The default is 100 sessions. The limit can be lowered to a minimum of 1, or raised to a maximum of 500.
- Fixed server port. Only used in combination with
-R. The default is port 21.
- Port where the proxy will listen for redirected connections. The default is port 8021.
- Create rules with queue queue appended, so that data connections can be queued.
- Fixed server address, also known as reverse mode. The proxy will always connect to the same server, regardless of where the client wanted to connect to (before it was redirected). Use this option to proxy for a server behind NAT, or to forward all connections to another proxy.
- Rewrite sourceport to 20 in active mode to suit ancient clients that insist on this RFC property.
- The filter rules will add tag tag to data
connections, and will use match rules instead of pass ones. This way
alternative rules that use the tagged keyword can be
implemented following the
ftp-proxyanchor. These rules can use special pf(4) features like route-to, reply-to, label, rtable, overload, etc. that
ftp-proxydoes not implement itself. There must be a matching pass rule after the
ftp-proxyanchor or the data connections will be blocked.
- Number of seconds that the control connection can be idle, before the proxy will disconnect. The maximum is 86400 seconds, which is also the default. Do not set this too low, because the control connection is usually idle when large data transfers are taking place.
- Set the 'log' flag on pf rules committed by
ftp-proxy. Use twice to set the 'log all' flag. The pf rules do not log by default.
To make use of the proxy, pf.conf(5) needs the following rules. Adjust the rules as needed; depending on the rest of the ruleset, the last rule explicitly allowing FTP sessions from the proxy may not be necessary.
anchor "ftp-proxy/*" pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021 pass out inet proto tcp from (self) to any port ftp
ftp(1), pf(4), pf.conf(5)
pf(4) does not allow the ruleset to be modified if the system is
running at a
securelevel(7) higher than 1. At that level
ftp-proxy cannot add rules to the anchors and FTP
data connections may get blocked.
Negotiated data connection ports below 1024 are not allowed.
The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
ftp-proxy acts as a
man-in-the-middle it breaks explicit FTP TLS connections (RFC 4217).