new ftp proxy: pftpx
Marcos Biscaysaqu - ThePacific.net
marcos at ThePacific.Net
Wed Dec 15 13:25:46 PST 2004
Hi there.
PF now has a good ftp proxy; has somebody got this working on FreeBSD?
Marcos Biscaysaqu
Camiel Dobbelaar wrote:
>On Tue, 14 Dec 2004, Tobias Wigand wrote:
>
>
>>hope it doesn't have any severe exploitable bugs, though. ;-)
>>
>>
>
>Peer review would be good... but it already does some mitigation:
>check the security section below.
>
>I've put up the latest version at
>http://www.sentia.org/downloads/pftpx-0.5.tar.gz
>
>it includes a manpage as well, which is pretty short so I'll paste it
>below.
>
>--
>Cam
>
>
>PFTPX(8) OpenBSD System Manager's Manual PFTPX(8)
>
>NAME
> pftpx - FTP proxy
>
>SYNOPSIS
> pftpx [-6d] [-b address] [-c port] [-D level] [-f address] [-g port] [-m
> maxsessions] [-p address] [-q queue] [-t timeout]
>
>DESCRIPTION
> pftpx is a proxy for the Internet File Transfer Protocol. FTP control
> connections should be redirected into the proxy using the pf(4) rdr
> command, after which the proxy connects to the server on behalf of the
> client.
>
> The proxy allows data connections to pass, rewriting and redirecting them
> so that the right addresses are used. All connections from the client to
> the server have their source address rewritten so they appear to come
> from the proxy. Consequently, all connections from the server to the
> proxy have their destination address rewritten, so they are redirected to
> the client. The proxy uses the pf(4) anchor facility for this.
>
> Assuming the FTP control connection is from $client to $server, the proxy
> connected to the server using the $proxy source address, and $port is
> negotiated, then pftpx adds the following rules to the various anchors.
> (These example rules use inet, but the proxy also supports inet6.)
>
> In case of active mode (PORT or EPRT):
>
> rdr from $server to $proxy port $port -> $client
> pass log quick inet proto tcp \
> from $server to $client port $port flags S/SAFR keep state
>
> In case of passive mode (PASV or EPSV):
>
> nat from $client to $server port $port -> $proxy
> pass log quick inet proto tcp \
> from $client to $server port $port flags S/SAFR keep state
> pass log quick inet proto tcp \
> from $proxy to $server port $port flags S/SAFR keep state
>
> The options are as follows:
>
> -6 IPv6 mode. The proxy will expect and use IPv6 addresses for all
> communication. Only the extended FTP modes EPSV and EPRT are
> allowed with IPv6. The proxy is in IPv4 mode by default.
>
> -b address
> Address where the proxy will listen for redirected connections.
> The default is 127.0.0.1, or ::1 in IPv6 mode.
>
> -c port
> Port where the proxy will listen for redirected connections. The
> default is port 8021.
>
> -d Do not daemonize. The process will stay in the foreground,
> logging to stderr.
>
> -D level
> Debug level, ranging from 0 to 7. Higher is more verbose. The
> default is 5. (These levels correspond to the syslog(3) levels.)
>
> -f address
> Fixed server address. The proxy will always connect to the same
> server, regardless of where the client wanted to connect to
> (before it was redirected). Use this option to proxy for a server
> behind NAT, or to forward all connections to another proxy.
>
> -g port
> Fixed server port. Only used in combination with the previous
> option. The default is port 21.
>
> -m maxsessions
> Maximum number of concurrent FTP sessions. When the proxy
> reaches this limit, new connections are denied. The default is 100.
>
> -p address
> Proxy source address. The proxy will use this as the source
> address to connect to servers.
>
> -q queue
> Create rules with queue queue appended, so that data connections
> can be queued.
>
> -t timeout
> Number of seconds that the control connection can be idle, before
> the proxy will disconnect. The default is 24 hours. Do not set
> this too low, because the control connection is usually idle when
> large data transfers are taking place.
>
>CONFIGURATION
> To make use of the proxy, pf.conf(5) needs the following rules. All
> anchors are mandatory. The rdr pass rule can be adjusted as needed.
>
> In the NAT section:
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021
>
> In the rule section:
>
> anchor "pftpx/*"
>
>SECURITY
> Negotiated data connection ports below 1024 are not allowed.
>
> The negotiated IP address for active modes is ignored for security
> reasons. This makes third party file transfers impossible.
>
> pftpx chroots to "/var/empty" and changes to user "proxy" to drop
> privileges.
>
>SEE ALSO
> ftp(1), pf(4), pf.conf(5),
>
>
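As an added illustration (not pftpx's own code, which is in C), the following Python models what the quoted manpage describes: it parses the negotiated data port from a client PORT/EPRT command or a server 227/229 reply, applies the two documented checks (ports below 1024 refused, the client-supplied address in active mode ignored), and emits the rdr/nat and pass rules the proxy loads into its anchors. The client, server and proxy addresses are constructed sample values.

```python
import re

PASS = "pass log quick {af} proto tcp from {src} to {dst} port {port} flags S/SAFR keep state"

def data_port_from_port_cmd(line):
    """Return (addr, port) from a client PORT or EPRT command, else None."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if m:
        h = m.groups()
        return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
    m = re.fullmatch(r"EPRT \|[12]\|([^|]+)\|(\d+)\|", line.strip())
    return (m.group(1), int(m.group(2))) if m else None

def data_port_from_pasv_reply(line):
    """Return the port from a server 227 (PASV) or 229 (EPSV) reply, else None."""
    m = re.search(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if m:
        return int(m.group(5)) * 256 + int(m.group(6))
    m = re.search(r"^229 .*\(\|\|\|(\d+)\|\)", line)
    return int(m.group(1)) if m else None

def anchor_rules(mode, client, server, proxy, port, af="inet"):
    """Rules pftpx adds for one data connection (per manpage); None if refused."""
    if port is None or port < 1024:          # SECURITY: ports below 1024 refused
        return None
    if mode == "active":
        # Whatever address the client negotiated, data is redirected to $client.
        return [f"rdr from {server} to {proxy} port {port} -> {client}",
                PASS.format(af=af, src=server, dst=client, port=port)]
    return [f"nat from {client} to {server} port {port} -> {proxy}",
            PASS.format(af=af, src=client, dst=server, port=port),
            PASS.format(af=af, src=proxy, dst=server, port=port)]

def handle_port_cmd(line, client, server, proxy):
    parsed = data_port_from_port_cmd(line)
    if parsed is None:
        return None
    _ignored_addr, port = parsed             # third-party address is dropped
    return anchor_rules("active", client, server, proxy, port)

def handle_pasv_reply(line, client, server, proxy):
    return anchor_rules("passive", client, server, proxy, data_port_from_pasv_reply(line))

if __name__ == "__main__":
    c, s, p = "192.0.2.10", "198.51.100.5", "203.0.113.1"   # constructed sample hosts
    for r in handle_port_cmd("PORT 192,0,2,10,4,1", c, s, p) or []:
        print(r)
    for r in handle_pasv_reply("227 Entering Passive Mode (198,51,100,5,234,17)", c, s, p) or []:
        print(r)
```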