FTP-PROXY(8)              BSD System Manager's Manual             FTP-PROXY(8)

NAME
ftp-proxy - install/remove transparent ftp proxy

SYNOPSIS
ftp-proxy [-cvN] [-h host] [-n ticks] [-o priority] [-p priority] [-P port]
          [-t tickrate] [proxyport]
ftp-proxy -r
DESCRIPTION
The ftp-proxy utility installs a transparent FTP proxy for FTP sessions
going into and out of a firewall box. There are two independent reasons
for running the transparent FTP proxy. The first is that the firewall
has restrictive rules that do not allow outgoing active FTP or incoming
passive FTP (see ipfw(8)). The transparent FTP proxy watches FTP sessions
and installs a circuit cache which allows only the requested DATA
sessions to be opened. The second reason is that the network is hidden
behind a NAT box (see ipfwnat(8)).
The NAT functionality of ftp-proxy is automatically engaged if the FTP
session is going through a NAT box. If the FTP session is not going
through a NAT box the NAT functionality of ftp-proxy will not engage for
that session.
The firewall functionality is controlled by the use of the -c flag. If
-c is not specified then only the NAT functionality will be available.
Only a single ftp-proxy may be running at any given time on any given
machine. The proxy handles all FTP sessions going through the box.
The available options are:
-c Install circuit caches on the forward filter chain.
-h host
Only respond to sessions going to the specified host.
-N Do not check to see if the sessions are going through NAT boxes.
Not checking for NAT boxes lowers the overhead of ftp-proxy
slightly and is appropriate for busy firewalls that are not also
doing NAT. The -N option should only be used when there are no
NAT boxes on the machine.
-n ticks
The number of ticks a data session may be idle before it is removed.
This defaults to the maximum value of 128 ticks. The value of ticks
must be a power of 2 between 1 and 128.
-o priority
Specify the priority of the pre-output filter, if used. By default
the priority is 1536. The pre-output filter is only used
when proxyport is specified as a different value than port. The
priority should be above any NAT box (see ipfwnat(8)) and any
standard pre-output filters on the machine. Ftp-proxy will
refuse to run if it detects a NAT box with a higher priority.
See ipfw(8).
-p priority
Specify the priority of the pre-input filter. By default the
priority is 512. The priority should be below any NAT box (see
ipfwnat(8)) and any standard pre-input filters on the machine.
Ftp-proxy will refuse to run if it detects a NAT box with a lower
priority. See ipfw(8).
-P port
Specify the port to watch, by default this is the FTP control
port (21).
-r De-install the transparent FTP proxy.
-t tickrate
The number of seconds in a tick. This defaults to 1 second.
The tickrate multiplied by ticks gives the timeout, in seconds,
for an unused data session.
-v Be verbose about what is happening.
If proxyport is specified then the internal proxy will actually run on
this port. The IPFW filters installed will automatically route non-local
requests for the FTP port to this port. This allows the running of a
local ftp daemon on the machine running ftp-proxy. This is not encouraged;
the local FTP servers receive no benefit from ftp-proxy.
The two most common invocations are for NAT only and for restrictive
filtering (with or without NAT). The typical invocation for NAT only is:
daemon ftp-proxy 4021
The typical restrictive filtering invocation is:
daemon ftp-proxy -c 4021
Note the use of the daemon(8) command. This makes the ftp-proxy run
detached from the terminal and in the background. In both cases we use
port 4021 as the internal proxy port so that an FTP server may run on the
local machine.
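The -n and -t options above interact: the idle timeout for a data session is tickrate multiplied by ticks, and ticks is only accepted as a power of 2 between 1 and 128. The following POSIX sh script is an added example, not part of the ftp-proxy distribution or this manual page. It checks those documented constraints before assembling the daemon(8) command line, so a typo such as -n 100 is caught before the proxy is started. The function names (ftp_proxy_timeout, ftp_proxy_cmdline, is_uint) and the "nat"/"filter" mode words are this example's own; the option letters and the port 4021 convention come from the text above.

```shell
#!/bin/sh
# Added example (not shipped with ftp-proxy): validate the documented
# -n/-t constraints, print the resulting idle timeout, and build the
# daemon(8) command line without executing it.

# is_uint VALUE: succeed if VALUE is a non-negative decimal integer.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ftp_proxy_timeout TICKS TICKRATE: print the data-session idle timeout
# in seconds (tickrate * ticks), or fail with no output when either value
# violates the manual page: ticks must be a power of 2 in 1..128 and
# tickrate a whole number of seconds >= 1.
ftp_proxy_timeout() {
    ticks=$1; tickrate=$2
    is_uint "$ticks" && is_uint "$tickrate" || return 1
    [ "$ticks" -ge 1 ] && [ "$ticks" -le 128 ] || return 1
    # A power of two has exactly one bit set, so n & (n-1) is zero.
    [ $(( ticks & (ticks - 1) )) -eq 0 ] || return 1
    [ "$tickrate" -ge 1 ] || return 1
    echo $(( ticks * tickrate ))
}

# ftp_proxy_cmdline MODE TICKS TICKRATE PROXYPORT: print the daemon(8)
# invocation. MODE is "nat" (NAT only) or "filter" (adds -c, which needs
# a permissive forward filter installed as well; see IMPORTANT NOTE).
ftp_proxy_cmdline() {
    mode=$1; ticks=$2; tickrate=$3; proxyport=$4
    ftp_proxy_timeout "$ticks" "$tickrate" >/dev/null || return 1
    is_uint "$proxyport" || return 1
    case "$mode" in
        nat)    echo "daemon ftp-proxy -n $ticks -t $tickrate $proxyport" ;;
        filter) echo "daemon ftp-proxy -c -n $ticks -t $tickrate $proxyport" ;;
        *)      return 1 ;;
    esac
}

# Usage: the default timeout (128 ticks of 1 second) and the restrictive
# filtering invocation from the manual page.
ftp_proxy_timeout 128 1
ftp_proxy_cmdline filter 128 1 4021
```

Both functions return non-zero rather than printing anything on bad input, so a wrapper can pass the result straight to eval or to a rc script only when validation passed.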
IMPORTANT NOTE
If the -c option is used, it is very important that a forward filter be
installed with a lower priority that allows desired traffic through. If
not, only FTP traffic will be allowed through on the machine. Use of the
-c option without a forward filter installed probably indicates that use
of this proxy is not fully understood. Please re-read this manual page
and the ipfw(8) and ipfwnat(8) manual pages if you really think you want
to run with -c and no other forward filter.
SEE ALSO
ipfw(8), ipfwnat(8)

September 10, 1999