FTP-PROXY(8)    System Manager's Manual    FTP-PROXY(8)

ftp-proxy - Internet File Transfer Protocol proxy server

ftp-proxy -i [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport] [-m minport] [-R address[:port]] [-S address] [-t timeout] [-u user]
ftp-proxy -p [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport] [-m minport] [-R address[:port]] [-S address] [-t timeout] [-u user]

ftp-proxy is a proxy for the Internet File Transfer Protocol. The proxy uses pf(4) and expects to have the FTP control connection as described in services(5) redirected to it via a pf(4) rdr command. An example of how to do that is further down in this document.

The options are as follows:

-A

-a address
    ftp-proxy when connecting to destination FTP servers. This may be necessary if the interface address of your default route is not reachable from the destinations ftp-proxy is attempting connections to, or this address is different from the one connections are being NATed to. In the usual case this means that address should be a publicly visible IP address assigned to one of the interfaces on the machine running ftp-proxy and should be the same address to which you are translating traffic if you are using the -n option.

-D debuglevel
    LOG_DEBUG. Meaningful values of debuglevel are 0-3, where 0 is no debug output and 3 is lots of debug output, the default being 0.

-g group
    ftp-proxy uses the default group of the user it drops privilege to.

-i
    ftp-proxy for use with IP-Filter.

-M maxport
    IPPORT_HILASTAUTO defined in ⟨netinet/in.h⟩ as 65535.

-m minport
    IPPORT_HIFIRSTAUTO defined in ⟨netinet/in.h⟩ as 49152.

-n
    ftp-proxy does not require any IP forwarding or NAT beyond the rdr necessary to capture the FTP control connection.

-p
    ftp-proxy for use with pf.

-R address:[port]

-r

-S address

-t timeout

-u user
    ftp-proxy drops privilege to the user proxy.

    Running as root means that the source of data connections the proxy makes for PORT and EPRT will be the RFC mandated port 20. When running as a non-root user, the source of the data connections from ftp-proxy will be chosen randomly from the range minport to maxport as described above.

-V

-w

ftp-proxy is run from inetd(8) and requires that FTP connections are redirected to it using a rdr rule. A typical way to do this would be to use either an ipnat rule such as

    int_if = "xl0";
    rdr $int_if 0/0 port 21 -> 127.0.0.1 port 8021 tcp

or a pf.conf(5) rule such as

    int_if = "xl0"
    rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

inetd(8) must then be configured to run ftp-proxy on the port from above using

    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -[ip]

in inetd.conf(5).

ftp-proxy accepts the redirected control connections and forwards them to the server. The proxy replaces the address and port number that the client sends through the control connection to the server with its own address and proxy port, where it listens for the data connection. When the server opens the data connection back to this port, the proxy forwards it to the client.

If you're using IP-Filter, the ipf.conf(5) rules need to let pass connections to these proxy ports (see options -u, -m, and -M above) in on the external interface. The following example allows only ports 49152 to 65535 to pass in statefully:

    block in on $ext_if proto tcp all
    pass in on $ext_if inet proto tcp from any to $ext_if \
        port > 49151 keep state

If you're using pf, then the pf.conf(5) rules need to let pass connections to these proxy ports (see options -u, -m, and -M above) in on the external interface. The following example allows only ports 49152 to 65535 to pass in statefully:

    block in on $ext_if proto tcp all
    pass in on $ext_if inet proto tcp from any to $ext_if \
        port > 49151 keep state

Alternatively, pf.conf(5) rules can make use of the fact that by default, ftp-proxy runs as user "proxy" to allow the backchannel connections, as in the following example:

    block in on $ext_if proto tcp all
    pass in on $ext_if inet proto tcp from any to $ext_if \
        user proxy keep state

These examples do not cover the connections from the proxy to the foreign FTP server. If one does not pass outgoing connections by default, additional rules are needed.
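
The PORT replacement described above, as an added example (not code from ftp-proxy itself): it parses a client's PORT command, substitutes the proxy's address and a listening port, and checks whether a chosen -m/-M range is still covered by the `port > 49151` pass rule. The proxy address 203.0.113.5, the function names, and the choice to draw the listening port from the minport to maxport range are assumptions for illustration.

```python
import random
import re

# Defaults quoted on this page for -m (IPPORT_HIFIRSTAUTO) and -M (IPPORT_HILASTAUTO).
MINPORT, MAXPORT = 49152, 65535
PORT_RE = re.compile(r"PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?", re.IGNORECASE | re.ASCII)
_rng = random.SystemRandom()


def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Encode (ip, port) as h1,h2,h3,h4,p1,p2 where port = p1*256 + p2."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def rewrite_port(line, proxy_ip, minport=MINPORT, maxport=MAXPORT):
    """Swap the client's endpoint for one on the proxy.

    Returns (rewritten_line, client_endpoint, proxy_endpoint); the proxy would
    listen on proxy_endpoint and relay the server's connection to the client.
    """
    client = parse_port(line)
    if client is None:
        raise ValueError("malformed PORT command")
    if not 0 < minport <= maxport <= 65535:
        raise ValueError("invalid port range")
    listen = (proxy_ip, _rng.randint(minport, maxport))
    return format_port(*listen), client, listen


def range_admitted(minport, maxport, rule_gt=49151):
    """True if every port in minport..maxport matches a 'port > rule_gt' rule."""
    return rule_gt < minport <= maxport


if __name__ == "__main__":
    # Constructed sample: client announces 192.168.1.10 port 50000.
    new, client, listen = rewrite_port("PORT 192,168,1,10,195,80\r\n", "203.0.113.5")
    print(client, "->", listen, repr(new))
    print(range_admitted(40000, 65535))  # False: -m 40000 needs a wider pass rule
```
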
The com.apple/100.InternetSharing/ftp-proxy PF anchor is required for this daemon to function correctly.
ftp(1), pf(4), hosts.allow(5), hosts.deny(5), inetd.conf(5), ipf.conf(5), ipnat.conf(5), pf.conf(5), inetd(8), ipf(8), ipnat(8), pfctl(8), syslogd(8)
Extended Passive mode (EPSV) is not supported by the proxy and will not work unless the proxy is run in network address translation mode. When not in network address translation mode, the proxy returns an error to the client, hopefully forcing the client to revert to passive mode (PASV) which is supported. EPSV will work in network address translation mode, assuming a configuration setup which allows the EPSV connections through to their destinations.
IPv6 is not yet supported.
March 16, 2011 | macOS 15.0 |