FTP-PROXY(8) | System Manager's Manual | FTP-PROXY(8) |
ftp-proxy
—
Internet File Transfer Protocol proxy daemon
ftp-proxy |
[-6Adrv ]
[-a sourceaddr]
[-b address]
[-D level]
[-m maxsessions]
[-P port]
[-p port]
[-q queue]
[-R address]
[-T tag]
[-t timeout] |
ftp-proxy
is a proxy for the Internet File
Transfer Protocol. FTP control connections should be redirected into the
proxy using the pf(4)
divert-to command, after which the proxy connects to
the server on behalf of the client.
The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used. All connections from the client to the server have their source address rewritten so they appear to come from the proxy. Consequently, all connections from the server to the proxy have their destination address rewritten, so they are redirected to the client. The proxy uses the pf(4) anchor facility for this.
Assuming the FTP control connection is from $client to $server,
the proxy connected to the server using the $proxy source address, and $port
is negotiated, then ftp-proxy
adds the following
rules to the anchor. $server and $orig_server are the same unless
-R
is used to force a different $server address for
all connections. (These example rules use inet, but the proxy also supports
inet6.)
In case of active mode (PORT or EPRT):
pass in from $server to $proxy port $proxy_port \ rdr-to $client port $port pass out from $server to $client port $port \ nat-to $orig_server port $natport
In case of passive mode (PASV or EPSV):
pass in from $client to $orig_server port $proxy_port \ rdr-to $server port $port pass out from $client to $server port $port nat-to $proxy
ftp-proxy
chroots to
"/var/empty" and changes to user "_ftp_proxy" to drop
privileges.
The options are as follows:
-6
-A
-a
sourceaddr-b
address-D
level-d
-m
maxsessions-P
port-R
. The default is port 21.-p
port-q
queue-R
address-r
-T
tagftp-proxy
anchor. These
rules can use special pf(4)
features like route-to, reply-to, label, rtable, overload, etc. that
ftp-proxy
does not implement itself. There must be
a matching pass rule after the ftp-proxy
anchor or
the data connections will be blocked.-t
timeout-v
ftp-proxy
. Use twice to set the 'log all' flag.
The pf rules do not log by default.To make use of the proxy, pf.conf(5) needs the following rules. Adjust the rules as needed; depending on the rest of the ruleset, the last rule explicitly allowing FTP sessions from the proxy may not be necessary.
anchor "ftp-proxy/*" pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021 pass out inet proto tcp from (self) to any port ftp
pf(4) does not allow
the ruleset to be modified if the system is running at a
securelevel(7) higher
than 1. At that level ftp-proxy
cannot add rules to
the anchors and FTP data connections may get blocked.
Negotiated data connection ports below 1024 are not allowed.
The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
Since ftp-proxy
acts as a
man-in-the-middle it breaks explicit FTP TLS connections (RFC 4217).
February 12, 2020 | OpenBSD-6.9 |