xref: /openbsd-src/usr.sbin/ftp-proxy/ftp-proxy.8 (revision 41ce3b17e73f6b7d2d9e1a3d961e4bab2d895cb5)
.\"	$OpenBSD: ftp-proxy.8,v 1.25 2022/03/31 17:27:29 naddy Exp $
.\"
.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 31 2022 $
.Dt FTP-PROXY 8
.Os
.Sh NAME
.Nm ftp-proxy
.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl 6Adrv
.Op Fl a Ar sourceaddr
.Op Fl b Ar address
.Op Fl D Ar level
.Op Fl m Ar maxsessions
.Op Fl P Ar port
.Op Fl p Ar port
.Op Fl q Ar queue
.Op Fl R Ar address
.Op Fl T Ar tag
.Op Fl t Ar timeout
.Ek
.Sh DESCRIPTION
.Nm
is a proxy for the Internet File Transfer Protocol.
FTP control connections should be redirected into the proxy using the
.Xr pf 4
.Ar divert-to
command, after which the proxy connects to the server on behalf of
the client.
.Pp
The proxy allows data connections to pass, rewriting and redirecting
them so that the right addresses are used.
All connections from the client to the server have their source
address rewritten so they appear to come from the proxy.
Consequently, all connections from the server to the proxy have
their destination address rewritten, so they are redirected to the
client.
The proxy uses the
.Xr pf 4
.Ar anchor
facility for this.
.Pp
Assuming the FTP control connection is from $client to $server, the
proxy connected to the server using the $proxy source address, and
$port is negotiated, then
.Nm
adds the following rules to the anchor.
$server and $orig_server are the same unless
.Fl R
is used to force a different $server address for all connections.
(These example rules use inet, but the proxy also supports inet6.)
.Pp
In case of active mode (PORT or EPRT):
.Bd -literal -offset 2n
pass in from $server to $proxy port $proxy_port \e
    rdr-to $client port $port
pass out from $server to $client port $port \e
    nat-to $orig_server port $natport
.Ed
.Pp
In case of passive mode (PASV or EPSV):
.Bd -literal -offset 2n
pass in from $client to $orig_server port $proxy_port \e
    rdr-to $server port $port
pass out from $client to $server port $port nat-to $proxy
.Ed
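.Pp
The following Python model is an added example and not part of
.Nm
itself: it renders the rules above from a negotiated PORT command or
PASV reply and applies the port and address checks listed under CAVEATS.
The helper names, the documentation-prefix addresses and the fixed
$proxy_port and $natport values are constructed for the example and stand
in for values the proxy determines per session.

```python
import re

MIN_DATA_PORT = 1024  # CAVEATS: negotiated data ports below 1024 are refused


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or PASV reply
    (constructed helper); octets and the negotiated port are range-checked."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % text)
    port = n[4] * 256 + n[5]
    if port < MIN_DATA_PORT:
        raise ValueError("refusing privileged data port %d" % port)
    return ".".join(str(x) for x in n[:4]), port


def anchor_rules(mode, client, server, proxy, proxy_port, orig_server, port,
                 natport, tag=None, queue=None, verbose=0):
    """Render the two rules shown above: -T turns pass into match and appends a
    tag, -q appends a queue, -v/-vv add log/log (all), -r makes natport 20."""
    action = "match" if tag else "pass"
    log = ["", " log", " log (all)"][min(verbose, 2)]
    opts = (" queue %s" % queue if queue else "") + (" tag %s" % tag if tag else "")
    if mode == "active":     # PORT/EPRT: the server connects to the proxy
        rules = ["%s in%s from %s to %s port %d rdr-to %s port %d"
                 % (action, log, server, proxy, proxy_port, client, port),
                 "%s out%s from %s to %s port %d nat-to %s port %d"
                 % (action, log, server, client, port, orig_server, natport)]
    elif mode == "passive":  # PASV/EPSV: the client connects to the server
        rules = ["%s in%s from %s to %s port %d rdr-to %s port %d"
                 % (action, log, client, orig_server, proxy_port, server, port),
                 "%s out%s from %s to %s port %d nat-to %s"
                 % (action, log, client, server, port, proxy)]
    else:
        raise ValueError("unknown mode %r" % mode)
    return [r + opts for r in rules]


def active_rules_for_port_cmd(port_cmd, client, **kw):
    """The address in a client's PORT command is parsed but deliberately
    ignored: the rdr-to target is the control connection's client, which is
    what rules out third-party transfers (see CAVEATS)."""
    _negotiated_ip, port = parse_hostport(port_cmd)
    return anchor_rules("active", client, port=port, **kw)


if __name__ == "__main__":  # constructed sample using documentation prefixes
    print("\n".join(active_rules_for_port_cmd("PORT 192,0,2,10,195,80",
          "192.0.2.10", server="198.51.100.7", proxy="203.0.113.1",
          proxy_port=60000, orig_server="198.51.100.7", natport=20, tag="FTPDATA")))
```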
.Pp
.Nm
chroots to "/var/empty" and changes to user "_ftp_proxy" to drop privileges.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 6
IPv6 mode.
The proxy will expect and use IPv6 addresses for all communication.
Only the extended FTP modes EPSV and EPRT are allowed with IPv6.
The proxy is in IPv4 mode by default.
.It Fl A
Only permit anonymous FTP connections.
Either user "ftp" or user "anonymous" is allowed.
.It Fl a Ar sourceaddr
The proxy will use this as the source address for the control
connection to a server, which is useful on machines with multiple
interfaces.
.It Fl b Ar address
Address where the proxy will listen for redirected control connections.
The default is 127.0.0.1, or ::1 in IPv6 mode.
.It Fl D Ar level
Debug level, ranging from 0 to 7.
Higher is more verbose.
The default is 5.
(These levels correspond to the
.Xr syslog 3
levels.)
.It Fl d
Do not daemonize.
The process will stay in the foreground, logging to standard error.
.It Fl m Ar maxsessions
Maximum number of concurrent FTP sessions.
When the proxy reaches this limit, new connections are denied.
The default is 100 sessions.
The limit can be lowered to a minimum of 1, or raised to a maximum of 500.
.It Fl P Ar port
Fixed server port.
Only used in combination with
.Fl R .
The default is port 21.
.It Fl p Ar port
Port where the proxy will listen for redirected connections.
The default is port 8021.
.It Fl q Ar queue
Create rules with queue
.Ar queue
appended, so that data connections can be queued.
.It Fl R Ar address
Fixed server address, also known as reverse mode.
The proxy will always connect to the same server, regardless of
where the client wanted to connect (before it was redirected).
Use this option to proxy for a server behind NAT, or to forward all
connections to another proxy.
.It Fl r
Rewrite the source port to 20 in active mode to suit ancient clients that
insist on this RFC property.
.It Fl T Ar tag
The filter rules will add tag
.Ar tag
to data connections, and will use match rules instead of pass ones.
This way alternative rules that use the
.Ar tagged
keyword can be implemented following the
.Nm
anchor.
These rules can use special
.Xr pf 4
features like route-to, reply-to, label, rtable, overload, etc. that
.Nm
does not implement itself.
There must be a matching pass rule after the
.Nm
anchor or the data connections will be blocked.
.It Fl t Ar timeout
Number of seconds that the control connection can be idle before the
proxy disconnects.
The maximum is 86400 seconds, which is also the default.
Do not set this too low, because the control connection is usually
idle when large data transfers are taking place.
.It Fl v
Set the 'log' flag on pf rules committed by
.Nm .
Use twice to set the 'log all' flag.
The pf rules do not log by default.
.El
.Sh CONFIGURATION
To make use of the proxy,
.Xr pf.conf 5
needs the following rules.
Adjust the rules as needed; depending on the rest of the ruleset, the
last rule explicitly allowing FTP sessions from the proxy may not be
necessary.
.Bd -literal -offset 2n
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out inet proto tcp from (self) to any port ftp
.Ed
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr pf 4 ,
.Xr pf.conf 5
.Sh CAVEATS
.Xr pf 4
does not allow the ruleset to be modified if the system is running at a
.Xr securelevel 7
higher than 1.
At that level
.Nm
cannot add rules to the anchors and FTP data connections may get blocked.
.Pp
Negotiated data connection ports below 1024 are not allowed.
.Pp
The negotiated IP address for active modes is ignored for security
reasons.
This makes third-party file transfers impossible.
.Pp
Since
.Nm
acts as a man-in-the-middle, it breaks explicit FTP TLS connections (RFC 4217).