.\" $OpenBSD: ftp-proxy.8,v 1.25 2022/03/31 17:27:29 naddy Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 31 2022 $
.Dt FTP-PROXY 8
.Os
.Sh NAME
.Nm ftp-proxy
.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl 6Adrv
.Op Fl a Ar sourceaddr
.Op Fl b Ar address
.Op Fl D Ar level
.Op Fl m Ar maxsessions
.Op Fl P Ar port
.Op Fl p Ar port
.Op Fl q Ar queue
.Op Fl R Ar address
.Op Fl T Ar tag
.Op Fl t Ar timeout
.Ek
.Sh DESCRIPTION
.Nm
is a proxy for the Internet File Transfer Protocol.
FTP control connections should be redirected into the proxy using the
.Xr pf 4
.Ar divert-to
command, after which the proxy connects to the server on behalf of
the client.
.Pp
The proxy allows data connections to pass, rewriting and redirecting
them so that the right addresses are used.
All connections from the client to the server have their source
address rewritten so they appear to come from the proxy.
Consequently, all connections from the server to the proxy have
their destination address rewritten, so they are redirected to the
client.
The proxy uses the
.Xr pf 4
.Ar anchor
facility for this.
.Pp
Assuming the FTP control connection is from $client to $server, the
proxy connected to the server using the $proxy source address, and
$port is negotiated, then
.Nm
adds the following rules to the anchor.
$server and $orig_server are the same unless
.Fl R
is used to force a different $server address for all connections.
(These example rules use inet, but the proxy also supports inet6.)
.Pp
In case of active mode (PORT or EPRT):
.Bd -literal -offset 2n
pass in from $server to $proxy port $proxy_port \e
	rdr-to $client port $port
pass out from $server to $client port $port \e
	nat-to $orig_server port $natport
.Ed
.Pp
In case of passive mode (PASV or EPSV):
.Bd -literal -offset 2n
pass in from $client to $orig_server port $proxy_port \e
	rdr-to $server port $port
pass out from $client to $server port $port nat-to $proxy
.Ed
.Pp
.Nm
chroots to "/var/empty" and changes to user "_ftp_proxy" to drop privileges.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 6
IPv6 mode.
The proxy will expect and use IPv6 addresses for all communication.
Only the extended FTP modes EPSV and EPRT are allowed with IPv6.
The proxy is in IPv4 mode by default.
.It Fl A
Only permit anonymous FTP connections.
Either user "ftp" or user "anonymous" is allowed.
.It Fl a Ar sourceaddr
The proxy will use this as the source address for the control
connection to a server, which is useful on machines with multiple
interfaces.
.It Fl b Ar address
Address where the proxy will listen for redirected control connections.
The default is 127.0.0.1, or ::1 in IPv6 mode.
.It Fl D Ar level
Debug level, ranging from 0 to 7.
Higher is more verbose.
The default is 5.
(These levels correspond to the
.Xr syslog 3
levels.)
.It Fl d
Do not daemonize.
The process will stay in the foreground, logging to standard error.
.It Fl m Ar maxsessions
Maximum number of concurrent FTP sessions.
When the proxy reaches this limit, new connections are denied.
The default is 100 sessions.
The limit can be lowered to a minimum of 1, or raised to a maximum of 500.
.It Fl P Ar port
Fixed server port.
Only used in combination with
.Fl R .
The default is port 21.
.It Fl p Ar port
Port where the proxy will listen for redirected connections.
The default is port 8021.
.It Fl q Ar queue
Create rules with queue
.Ar queue
appended, so that data connections can be queued.
.It Fl R Ar address
Fixed server address, also known as reverse mode.
The proxy will always connect to the same server, regardless of
where the client wanted to connect to (before it was redirected).
Use this option to proxy for a server behind NAT, or to forward all
connections to another proxy.
.It Fl r
Rewrite sourceport to 20 in active mode to suit ancient clients that insist
on this RFC property.
.It Fl T Ar tag
The filter rules will add tag
.Ar tag
to data connections, and will use match rules instead of pass ones.
This way alternative rules that use the
.Ar tagged
keyword can be implemented following the
.Nm
anchor.
These rules can use special
.Xr pf 4
features like route-to, reply-to, label, rtable, overload, etc. that
.Nm
does not implement itself.
There must be a matching pass rule after the
.Nm
anchor or the data connections will be blocked.
.It Fl t Ar timeout
Number of seconds that the control connection can be idle, before the
proxy will disconnect.
The maximum is 86400 seconds, which is also the default.
Do not set this too low, because the control connection is usually
idle when large data transfers are taking place.
.It Fl v
Set the 'log' flag on pf rules committed by
.Nm .
Use twice to set the 'log all' flag.
The pf rules do not log by default.
.El
.Sh CONFIGURATION
To make use of the proxy,
.Xr pf.conf 5
needs the following rules.
Adjust the rules as needed; depending on the rest of the ruleset, the
last rule explicitly allowing FTP sessions from the proxy may not be
necessary.
.Bd -literal -offset 2n
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out inet proto tcp from (self) to any port ftp
.Ed
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr pf 4 ,
.Xr pf.conf 5
.Sh CAVEATS
.Xr pf 4
does not allow the ruleset to be modified if the system is running at a
.Xr securelevel 7
higher than 1.
At that level
.Nm
cannot add rules to the anchors and FTP data connections may get blocked.
.Pp
Negotiated data connection ports below 1024 are not allowed.
.Pp
The negotiated IP address for active modes is ignored for security
reasons.
This makes third party file transfers impossible.
.Pp
Since
.Nm
acts as a man-in-the-middle, it breaks explicit FTP TLS connections (RFC 4217).
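.Pp
The following Python script is an added example, not code from ftp-proxy(8) or
the OpenBSD source tree: it parses the FTP port negotiation (PORT/EPRT from
the client, PASV/EPSV replies from the server) and emits the anchor rules
listed under DESCRIPTION, applying the CAVEATS that negotiated ports below
1024 are refused and that the address carried in PORT/EPRT is ignored.
The addresses and the $proxy_port/$natport values in the sample are constructed.

```python
# Added example, not code from ftp-proxy(8) or OpenBSD: parse the FTP port
# negotiation (PORT/EPRT from the client, PASV/EPSV replies from the server)
# and emit the pf anchor rules the manual lists, enforcing two caveats from
# the page: negotiated ports below 1024 are refused, and the address carried
# in PORT/EPRT is ignored; the control connection's client address is used.
import re

def negotiated_port(line):
    """Return (mode, port) for one negotiation line, or raise ValueError."""
    if (m := re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", line)):
        mode, port = "active", int(m.group(5)) * 256 + int(m.group(6))
    elif (m := re.match(r"EPRT \|[12]\|[^|]+\|(\d+)\|$", line)):
        mode, port = "active", int(m.group(1))
    elif (m := re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)):
        mode, port = "passive", int(m.group(5)) * 256 + int(m.group(6))
    elif (m := re.match(r"229 .*\(\|\|\|(\d+)\|\)", line)):
        mode, port = "passive", int(m.group(1))
    else:
        raise ValueError("not a PORT/EPRT command or PASV/EPSV reply")
    if not 1024 <= port <= 65535:   # CAVEATS: ports below 1024 are not allowed
        raise ValueError("negotiated port %d not allowed" % port)
    return mode, port

def anchor_rules(mode, port, client, server, orig_server, proxy,
                 proxy_port, natport):
    """The inet rules from DESCRIPTION; $server == $orig_server unless -R."""
    if mode == "active":
        return [f"pass in from {server} to {proxy} port {proxy_port} "
                f"rdr-to {client} port {port}",
                f"pass out from {server} to {client} port {port} "
                f"nat-to {orig_server} port {natport}"]
    return [f"pass in from {client} to {orig_server} port {proxy_port} "
            f"rdr-to {server} port {port}",
            f"pass out from {client} to {server} port {port} nat-to {proxy}"]

if __name__ == "__main__":
    # Constructed sample: client 192.0.2.10, server 198.51.100.7 (no -R, so
    # orig_server == server), proxy 203.0.113.1; 50001/50002 stand in for
    # the proxy_port/natport ftp-proxy would pick for this data connection.
    for line in ("PORT 192,0,2,10,4,1",
                 "227 Entering Passive Mode (198,51,100,7,8,0)"):
        mode, port = negotiated_port(line)
        for rule in anchor_rules(mode, port, "192.0.2.10", "198.51.100.7",
                                 "198.51.100.7", "203.0.113.1", 50001, 50002):
            print(rule)
```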