NAME
ftp.proxy - FTP proxy server

SYNOPSIS
ftp.proxy [options] [server]

DESCRIPTION
ftp.proxy is a proxy server for a subset of the file transfer protocol described in RFC 959. It forwards traffic between a client and a server without checking too closely whether both hosts really speak FTP. The FTP server can either be given on the command line or supplied by the client.

ftp.proxy can be started from a TCP superserver like inetd(1) or tcpproxy(1), but can also bind to a TCP/IP port on its own and run in standalone (or daemon) mode.

Protocol Support
ftp.proxy supports the following FTP commands:

ABOR, ACCT, APPE, CDUP, CWD, DELE, FEAT, LIST, MDTM, MKD, MODE, NLIST, NOOP, PASS, PASV, PORT, PWD, QUIT, RETR, REST, RNFR, RNTO, RMD, SITE, SIZE, SMNT, STAT, STOR, SYST, TYPE, USER, XCUP, XCWD, XMKD, XPWD, XRMD

Transfer of structured data is not supported.

Command Parameters
By default ftp.proxy does not accept blanks in command parameters. This is to protect your UNIX server against users who work on computers where such parameters are usual. To allow blanks the option -b must be given on the command line. Notice that blanks at the beginning or end of the parameter are still not supported. The `SITE' command is in neither case affected by this limitation; ftp.proxy always accepts blanks in `SITE' parameters.

The option -y enables ftp.proxy to accept data connections from different remote interfaces. Try to avoid using this option, because it can cause security problems (see HISTORY for details).

Server Selection
If client-side server selection is turned on with the -e option the user must select the FTP server he wants to use with the `@' notation. Instead of specifying the real FTP server on the command line, the user connects to the gateway machine where ftp.proxy is running and enters the username in the form

remote-user@remote-ftp-server

The password that is sent to the proxy server is the password required for logging into remote-ftp-server with the account remote-user. In situations where the FTP client doesn't support usernames containing an `@', the percent sign `%' may be used instead.

Access Control
If an access control program (acp) is given with the -a option on the command line, the connection data is passed to the acp before the server is contacted. The acp should return 0 as exit code to grant access and another value to deny. The access controller receives the following variables:
The values for PROXY_USERNAME and PROXY_PASSWD are taken from the supplied remote username and password if they contain a colon `:'. In this case the local authentication data is taken from the left side of the colon and the remaining right side is passed on to the server. Furthermore the acp's stdout is connected to the FTP client and its stderr is read by ftp.proxy, which writes the acp's stderr output to syslog. Notice also that a non-zero acp exit code signals ftp.proxy that something is wrong and that ftp.proxy should terminate.

Connection Translation
Beginning with version 1.1.6 ftp.proxy supports connection translation programs (ctp's). A ctp can completely overwrite the user's server selection and login. If configured, the ctp is called before the acp. It receives the same environment variables as the acp and returns on its stdout the server and login information that ftp.proxy should use for the server connection. The format of the ctp output lines is

variable [<whitespace>]= [<whitespace>] value

where variable is one of SERVERNAME, SERVERLOGIN, SERVERPASSWD, SERVERPORT and value the corresponding value. Alternatively to these four variables you can use the shorter forms SERVER, LOGIN, PASSWD, PORT as variable names. Furthermore the case of the variable names doesn't matter and any whitespace around value is ignored.

The ctp can deny the proxy request by exiting with a non-zero exit code, in which case ftp.proxy drops the connection immediately. Alternatively the ctp can also print a line starting with -ERR, which is written to syslog before the connection is closed.

Command Control
If a command control program (ccp) is given with the -c option, this program is called for the FTP commands

APPE, CDUP, CWD, DELE, LIST, MDTM, MKD, NLST, RETR, RNFR, RNTO, RMD, SIZE, STAT, STOR, STOU, XCUP, XCWD, XMKD, XRMD

The ccp returns an exit code of 0 to grant and any other to deny access (the exit code for the `QUIT' command is ignored). For the ccp the same variables as for acp's are set, with the addition of

The ccp's stdout and stderr are connected to ftp.proxy. A one-line message written to stdout by the ccp goes to syslog, while a message on stderr is sent to the client. If this message does not contain a status code, ftp.proxy substitutes a `553' code. If the message is empty the client gets a simple `553 permission denied'. Notice that the stderr message is only used if the ccp returns an exit code other than zero.

On normal program termination (`QUIT' command or timeout) the ccp is called with the command `+EXIT' to do some final clean up. It is not guaranteed that the ccp receives the `+EXIT' event. There are many ways for the proxy to terminate without generating it, e.g. client timeout, server error or signal reception by the proxy.

Monitor Mode
The -m option puts ftp.proxy into monitor mode. ftp.proxy will then try to keep track of the client's current directory on the server side. With this information the file parameter for the commands

APPE, CDUP, CWD, DELE, LIST, MDTM, MKD, NLST, RETR, RNFR, RNTO, RMD, SIZE, STOR, XCUP, XCWD, XMKD, XRMD

is converted into an absolute path. This value is then used in syslog messages and given to a ccp in the PROXY_FTPPATH variable. Furthermore the variable PROXY_FTPHOME contains the user's initial directory, which is assumed to be his home directory. The `LIST' and `NLIST' commands may have a parameter or not. If it is absent ftp.proxy sets the parameter to `*', but this affects only the PROXY_FTPPATH variable, not the command that is sent to the server. For the `CDUP' command PROXY_FTPPATH contains the full path of the target directory.

Monitoring may not work with all server systems, since the output of the `PWD' command, which ftp.proxy uses to get the current directory, is not completely defined. If the directory cannot be clearly determined ftp.proxy will terminate.

CONFIGURATION FILE
ftp.proxy can take most of its command line options also from a configuration file, which can be set with the -f option. The following options can be set:
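A connection translation program in the output format described under Connection Translation, added here as an example and not part of ftp.proxy: it reads the login the client typed from PROXY_USERNAME (assumed to carry the `user@server' or `user%server' form), only permits servers on a constructed allowlist, and either prints SERVER/LOGIN/PORT lines or an -ERR line with a non-zero exit. PASSWD is left unset on the assumption that the client-supplied password is then passed through.

```shell
#!/bin/sh
# Added example, not part of ftp.proxy: a connection translation program (ctp)
# that only lets clients reach servers on a fixed allowlist. It assumes
# PROXY_USERNAME carries the login as typed by the client, in the man page's
# `user@server' (or `user%server') notation.

# Constructed allowlist of FTP servers this proxy may connect to.
ALLOWED_SERVERS="ftp.example.net mirror.example.net"

# translate LOGIN: on success print the SERVER/LOGIN/PORT lines ftp.proxy
# reads from stdout and return 0; otherwise print an -ERR line (ftp.proxy
# writes it to syslog) and return 1 so that the connection is dropped.
translate() {
    login=$1
    case $login in
        *@*) user=${login%%@*};   server=${login#*@} ;;
        *%*) user=${login%%[%]*}; server=${login#*[%]} ;;
        *)   printf '%s\n' '-ERR no server selected'; return 1 ;;
    esac
    if [ -z "$user" ]; then
        printf '%s\n' '-ERR empty remote user'
        return 1
    fi
    for s in $ALLOWED_SERVERS; do
        if [ "$s" = "$server" ]; then
            # Short variable names; ftp.proxy ignores the case of the names
            # and whitespace around the value. PASSWD is left unset on purpose.
            printf 'SERVER = %s\n' "$server"
            printf 'LOGIN = %s\n' "$user"
            printf 'PORT = 21\n'
            return 0
        fi
    done
    printf '%s\n' "-ERR server $server not permitted"
    return 1
}

# When invoked by ftp.proxy: translate the supplied login and exit with the
# verdict (0 = use the printed server, 1 = deny the connection).
if [ -n "${PROXY_USERNAME:-}" ]; then
    translate "$PROXY_USERNAME"
    exit $?
fi
```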
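A command control program that ties the Command Control and Monitor Mode sections together, added as an example and not part of ftp.proxy: it denies any controlled command whose monitor-mode path (PROXY_FTPPATH) leaves the user's initial directory (PROXY_FTPHOME), fails closed when those variables are missing (monitor mode off), and uses stdout for the syslog note and stderr for the client message as described above. It assumes PROXY_USERNAME is set on every ccp invocation, as the man page says the acp variables are.

```shell
#!/bin/sh
# Added example, not part of ftp.proxy: a command control program (ccp, given
# with -c) that confines every controlled command to the user's initial
# directory. Assumes monitor mode (-m) so that PROXY_FTPHOME and PROXY_FTPPATH
# are set; PROXY_USERNAME is used only to detect that ftp.proxy invoked us.

# check_path HOME PATH: return 0 (grant) if PATH is HOME or lies below it,
# 1 (deny) otherwise. Stdout carries the one-line note that goes to syslog,
# stderr the message ftp.proxy forwards to the client.
check_path() {
    home=${1%/}   # "/home/alice/" -> "/home/alice"; "/" -> "" so that /* matches
    path=$2
    # Fail closed: without monitor mode there is no path to check.
    if [ -z "$1" ] || [ -z "$path" ]; then
        echo "ccp: PROXY_FTPHOME/PROXY_FTPPATH unset, denying"
        echo "553 path checking unavailable" >&2
        return 1
    fi
    # Reject any `..' component; monitor mode should already have resolved
    # them, but a stray one would defeat the prefix test below.
    case "/$path/" in
        */../*)
            printf 'ccp: refused traversal in %s\n' "$path"
            echo "553 permission denied" >&2
            return 1 ;;
    esac
    case $path in
        "$home")   return 0 ;;
        "$home"/*) return 0 ;;
    esac
    printf 'ccp: %s is outside %s\n' "$path" "$1"
    echo "553 permission denied" >&2
    return 1
}

# When invoked by ftp.proxy: decide from the environment and exit with the
# verdict (0 = grant, 1 = deny; the stderr line reaches the client).
if [ -n "${PROXY_USERNAME:-}" ]; then
    check_path "${PROXY_FTPHOME:-}" "${PROXY_FTPPATH:-}"
    exit $?
fi
```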
Notice that the file can contain comments and blank lines (usual UN*X-style), but ftp.proxy terminates immediately with an error code if an unknown or invalid configuration option is found.

Interface specific configurations
ftp.proxy's configuration file supports interface specific configuration sections. Such a section begins with a line that starts with

followed by the configuration options for connections on this specific interface. ftp.proxy checks for such sections immediately after the client connection is accepted. If it finds at least one interface specific section in the configuration file but none for the current interface, it considers itself not configured for that interface and drops the connection, sending a `421 not available' message to the client.

ftp.proxy accepts all global configuration options from above (although not all make sense, e.g. bind) in interface specific sections. That is, ftp.proxy can have completely different configurations on different interfaces. But to deactivate a non-boolean option, e.g. ctp, you cannot simply give the option without a value; this would be considered a `bad configuration option'. Instead you must supply a single dash `-' to clear the option.

Configuration checking
ftp.proxy prints an error message and terminates immediately if it finds an unknown or bad configuration option. Worse, these error messages are printed to ftp.proxy's stderr and not to syslog, which makes them a little difficult to observe. ftp.proxy addresses this issue by supporting the -F option. The -F option sets the configuration file and the `check-and-print' option, that is, ftp.proxy will only read, check and print its configuration options as they are set after reading the configuration. An interface IP number may be given as an optional command line parameter to make ftp.proxy print the configuration for that particular interface.

OPTIONS
The following options are available:
SYSLOG
ftp.proxy reports to the FTP log facility on Linux and BSD systems and to the Daemon log facility on others.

AUTHOR
Andreas Schoenberg <asg@ftpproxy.org>

SEE ALSO
inetd(1), tcpproxy(1), syslogd(8), syslog.conf(5).