new ftp proxy: pftpx

From: Marcos Biscaysaqu - ThePacific.net <marcos_at_ThePacific.Net>
Date: Thu, 16 Dec 2004 10:23:27 +0000
Hi there.
PF now has a good FTP proxy; has somebody got this working on FreeBSD?
Marcos Biscaysaqu

Camiel Dobbelaar wrote:

>On Tue, 14 Dec 2004, Tobias Wigand wrote:
>
>>hope it doesn't have any severe exploitable bugs, though. ;-)
>
>Peer review would be good...  but it already does some mitigation:
>check the security section below.
>
>I've put up the latest version at
>http://www.sentia.org/downloads/pftpx-0.5.tar.gz
>
>it includes a manpage as well, which is pretty short so I'll paste it 
>below.
>
>--
>Cam
>
>
>PFTPX(8)                OpenBSD System Manager's Manual               PFTPX(8)
>
>NAME
>     pftpx - FTP proxy
>
>SYNOPSIS
>     pftpx [-6d] [-b address] [-c port] [-D level] [-f address] [-g port] [-m
>           maxsessions] [-p address] [-q queue] [-t timeout]
>
>DESCRIPTION
>     pftpx is a proxy for the Internet File Transfer Protocol.  FTP control
>     connections should be redirected into the proxy using the pf(4) rdr com-
>     mand, after which the proxy connects to the server on behalf of the
>     client.
>
>     The proxy allows data connections to pass, rewriting and redirecting them
>     so that the right addresses are used.  All connections from the client to
>     the server have their source address rewritten so they appear to come
>     from the proxy.  Consequently, all connections from the server to the
>     proxy have their destination address rewritten, so they are redirected to
>     the client.  The proxy uses the pf(4) anchor facility for this.
>
>     Assuming the FTP control connection is from $client to $server, the proxy
>     connected to the server using the $proxy source address, and $port is ne-
>     gotiated, then pftpx adds the following rules to the various anchors.
>     (These example rules use inet, but the proxy also supports inet6.)
>
>     In case of active mode (PORT or EPRT):
>
>       rdr from $server to $proxy port $port -> $client
>       pass log quick inet proto tcp \
>           from $server to $client port $port flags S/SAFR keep state
>
>     In case of passive mode (PASV or EPSV):
>
>       nat from $client to $server port $port -> $proxy
>       pass log quick inet proto tcp \
>           from $client to $server port $port flags S/SAFR keep state
>       pass log quick inet proto tcp \
>           from $proxy to $server port $port flags S/SAFR keep state
>
>     The options are as follows:
>
>     -6      IPv6 mode.  The proxy will expect and use IPv6 addresses for all
>             communication.  Only the extended FTP modes EPSV and EPRT are al-
>             lowed with IPv6.  The proxy is in IPv4 mode by default.
>
>     -b address
>             Address where the proxy will listen for redirected connections.
>             The default is 127.0.0.1, or ::1 in IPv6 mode.
>
>     -c port
>             Port where the proxy will listen for redirected connections.  The
>             default is port 8021.
>
>     -d      Do not daemonize.  The process will stay in the foreground, log-
>             ging to stderr.
>
>     -D level
>             Debug level, ranging from 0 to 7.  Higher is more verbose.  The
>             default is 5.  (These levels correspond to the syslog(3) levels.)
>
>     -f address
>             Fixed server address.  The proxy will always connect to the same
>             server, regardless of where the client wanted to connect to (be-
>             fore it was redirected).  Use this option to proxy for a server
>             behind NAT, or to forward all connections to another proxy.
>
>     -g port
>             Fixed server port.  Only used in combination with the previous
>             option.  The default is port 21.
>
>     -m maxsessions
>             Maximum number of concurrent FTP sessions.  When the proxy reach-
>             es this limit, new connections are denied.  The default is 100.
>
>     -p address
>             Proxy source address.  The proxy will use this as the source ad-
>             dress to connect to servers.
>
>     -q queue
>             Create rules with queue queue appended, so that data connections
>             can be queued.
>
>     -t timeout
>             Number of seconds that the control connection can be idle, before
>             the proxy will disconnect.  The default is 24 hours.  Do not set
>             this too low, because the control connection is usually idle when
>             large data transfers are taking place.
>
>CONFIGURATION
>     To make use of the proxy, pf.conf(5) needs the following rules.  All an-
>     chors are mandatory.  The rdr pass rule can be adjusted as needed.
>
>     In the NAT section:
>
>       nat-anchor "pftpx/*"
>       rdr-anchor "pftpx/*"
>       rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021
>
>     In the rule section:
>
>       anchor "pftpx/*"
>
>SECURITY
>     Negotiated data connection ports below 1024 are not allowed.
>
>     The negotiated IP address for active modes is ignored for security rea-
>     sons.  This makes third party file transfers impossible.
>
>     pftpx chroots to "/var/empty" and changes to user "proxy" to drop privi-
>     leges.
>
>SEE ALSO
>     ftp(1), pf(4), pf.conf(5),
Received on Wed Dec 15 2004 - 20:25:46 UTC
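The man page above describes what pftpx does with a negotiated data port: it parses PORT/EPRT from the client and 227/229 replies from the server, refuses ports below 1024, ignores the address carried in an active-mode command, and loads rdr/nat/pass rules into the pf anchors using only the control connection's endpoints. The following model of that behaviour is an added example for readers of this thread; it is not pftpx's own code (pftpx is written in C), and the client, server and proxy addresses are constructed for illustration. Two points are the example's own assumptions: the negotiated address is also discarded in passive mode (the man page only states this for active mode, though its passive rules name $server rather than the negotiated address), and the -q queue name is appended to the pass rules.

```python
"""Model of the input checks and pf rule generation that the pftpx(8)
man page describes.  Added illustration, not pftpx's own code."""
import re

# Constructed sample endpoints of one proxied control connection.  These
# addresses are assumptions for the example, not values from the page.
CLIENT = "192.0.2.10"      # LAN host that was redirected into the proxy
SERVER = "198.51.100.20"   # FTP server the client originally connected to
PROXY = "203.0.113.1"      # -p source address the proxy uses to the server

# The four data-channel negotiations the man page lists.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
EPRT_RE = re.compile(r"^EPRT \|[12]\|[^|]+\|(\d+)\|$")
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def negotiated_port(line):
    """Classify one control-channel line.  Returns ("active", port) for a
    client PORT/EPRT command, ("passive", port) for a server 227/229 reply,
    or None for anything else.  The address carried in the message is never
    returned: the man page says it is ignored in active mode (no third-party
    transfers), and this model does the same for passive mode (assumption),
    so generated rules only ever name the control connection's endpoints."""
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError("port octet out of range: %s" % line)
        mode = "active" if line.startswith("PORT") else "passive"
        return mode, p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        return "active", int(m.group(1))
    m = EPSV_RE.match(line)
    if m:
        return "passive", int(m.group(1))
    return None


def check_port(port):
    """SECURITY section: negotiated data ports below 1024 are refused.
    The upper bound is simply the TCP port range."""
    if not 1024 <= port <= 65535:
        raise ValueError("refusing negotiated data port %d" % port)


def data_rules(mode, port, client=CLIENT, server=SERVER, proxy=PROXY, queue=None):
    """Render the anchor rules the man page shows for one data connection
    (inet only).  'queue' models -q; appending it to the pass rules is this
    example's reading of "rules with queue appended" (assumption)."""
    check_port(port)
    state = "flags S/SAFR keep state" + (" queue %s" % queue if queue else "")
    if mode == "active":
        return [
            "rdr from %s to %s port %d -> %s" % (server, proxy, port, client),
            "pass log quick inet proto tcp from %s to %s port %d %s" % (server, client, port, state),
        ]
    if mode == "passive":
        return [
            "nat from %s to %s port %d -> %s" % (client, server, port, proxy),
            "pass log quick inet proto tcp from %s to %s port %d %s" % (client, server, port, state),
            "pass log quick inet proto tcp from %s to %s port %d %s" % (proxy, server, port, state),
        ]
    raise ValueError("unknown mode %r" % mode)


def handle_line(line, **kw):
    """Rules the proxy would load for this control line, or None if the
    line is not a data-channel negotiation."""
    parsed = negotiated_port(line)
    if parsed is None:
        return None
    mode, port = parsed
    return data_rules(mode, port, **kw)


if __name__ == "__main__":
    # Third-party address in PORT: the rdr still points at CLIENT.
    for rule in handle_line("PORT 10,0,0,5,4,1"):
        print(rule)
    for rule in handle_line("227 Entering Passive Mode (198,51,100,20,195,80)"):
        print(rule)
    try:
        handle_line("PORT 192,0,2,10,0,80")   # data port 80 is below 1024
    except ValueError as e:
        print("rejected:", e)
```

Feeding the model a PORT command that names some other host shows why the man page says third-party transfers are impossible: the only address that ever reaches the rdr rule is the client's own, taken from the control connection, so a malicious or buggy client cannot use the proxy to open a data connection towards an arbitrary target.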

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:24 UTC