|FTP-PROXY(8)||System Manager's Manual||FTP-PROXY(8)|
Internet File Transfer Protocol proxy daemon
ftp-proxy is a proxy for the Internet File
Transfer Protocol. FTP control connections should be redirected into the
proxy using the pf(4)
divert-to command, after which the proxy connects to
the server on behalf of the client.
The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used. All connections from the client to the server have their source address rewritten so they appear to come from the proxy. Consequently, all connections from the server to the proxy have their destination address rewritten, so they are redirected to the client. The proxy uses the pf(4) anchor facility for this.
Assuming the FTP control connection is from $client to $server,
the proxy connected to the server using the $proxy source address, and $port
is negotiated, then
ftp-proxy adds the following
rules to the anchor. $server and $orig_server are the same unless
-R is used to force a different $server address for
all connections. (These example rules use inet, but the proxy also supports
In case of active mode (PORT or EPRT):
pass in from $server to $proxy port $proxy_port \ rdr-to $client port $port pass out from $server to $client port $port \ nat-to $orig_server port $natport
In case of passive mode (PASV or EPSV):
pass in from $client to $orig_server port $proxy_port \ rdr-to $server port $port pass out from $client to $server port $port nat-to $proxy
ftp-proxy chroots to
"/var/empty" and changes to user "_ftp_proxy" to drop
The options are as follows:
-R. The default is port 21.
ftp-proxyanchor. These rules can use special pf(4) features like route-to, reply-to, label, rtable, overload, etc. that
ftp-proxydoes not implement itself. There must be a matching pass rule after the
ftp-proxyanchor or the data connections will be blocked.
ftp-proxy. Use twice to set the 'log all' flag. The pf rules do not log by default.
To make use of the proxy, pf.conf(5) needs the following rules. Adjust the rules as needed; depending on the rest of the ruleset, the last rule explicitly allowing FTP sessions from the proxy may not be necessary.
anchor "ftp-proxy/*" pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021 pass out inet proto tcp from (self) to any port ftp
pf(4) does not allow the ruleset to
be modified if the system is running at a
securelevel(7) higher than 1. At
ftp-proxy cannot add rules to the anchors
and FTP data connections may get blocked.
Negotiated data connection ports below 1024 are not allowed.
The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
ftp-proxy acts as a
man-in-the-middle it breaks explicit FTP TLS connections (RFC 4217).
|February 12, 2020||OpenBSD-current|