ftp-proxy man page on BSDi

FTP-PROXY(8)		  BSD System Manager's Manual		  FTP-PROXY(8)

NAME
     ftp-proxy - install/remove transparent ftp proxy

SYNOPSIS
     ftp-proxy [-cvN] [-h host] [-n ticks] [-o priority] [-p priority] [-P
	       port] [-t tickrate] [proxyport]
     ftp-proxy -r

DESCRIPTION
     The ftp-proxy utility installs a transparent FTP proxy for FTP sessions
     going into and out of a firewall box.  There are two independent reasons
     for running the transparent FTP proxy.  The first is that the firewall
     has restrictive rules that do not allow outgoing active FTP or incoming
     passive FTP (see ipfw(8)).  The transparent FTP proxy watches FTP
     sessions and installs a circuit cache which allows only the requested
     DATA sessions to be opened.  The second reason is that the network is
     hidden behind a NAT box (see ipfwnat(8)).

     The NAT functionality of ftp-proxy is automatically engaged if the FTP
     session is going through a NAT box.  If the FTP session is not going
     through a NAT box the NAT functionality of ftp-proxy will not engage for
     that session.

     The firewall functionality is controlled by the use of the -c flag.  If
     -c is not specified then only the NAT functionality will be available.

     Only a single ftp-proxy may be running at any given time on any given ma-
     chine.  The proxy handles all FTP sessions going through the box.

     The available options are:

     -c	     Install circuit caches on the forward filter chain.

     -h host
	     Only respond to sessions going to the specified host.

     -N	     Do not check to see if the sessions are going through NAT boxes.
	     Not checking for NAT boxes lowers the overhead of ftp-proxy
	     slightly and is appropriate for busy firewalls that are not also
	     doing NAT.	 The -N option should only be used when there are no
	     NAT boxes on the machine.

     -n ticks
	     The number of ticks a data session may be idle before it is re-
	     moved.  This defaults to the maximum value of 128 ticks.  The
	     value of ticks must be a power of 2 between 1 and 128.

     -o priority
	     Specify the priority of the pre-output filter, if used.  By de-
	     fault the priority is 1536.  The pre-output filter is only used
	     when proxyport is specified as a different value than port. The
	     priority should be above any NAT box (see ipfwnat(8))  and any
	     standard pre-output filters on the machine.  Ftp-proxy will
	     refuse to run if it detects a NAT box with a higher priority.
	     See ipfw(8).

     -p priority
	     Specify the priority of the pre-input filter.  By default the
	     priority is 512.  The priority should be below any NAT box (see
	     ipfwnat(8))  and any standard pre-input filters on the machine.
	     Ftp-proxy will refuse to run if it detects a NAT box with a lower
	     priority.  See ipfw(8).

     -P port
	     Specify the port to watch.  By default this is the FTP control
	     port (21).

     -r	     De-install the transparent FTP proxy.

     -t tickrate
	     The number of seconds in a tick.  This defaults to 1 second.
	     The tickrate multiplied by ticks gives the timeout, in seconds,
	     for an unused data session.

     -v	     Be verbose about what is happening.

     If proxyport is specified then the internal proxy will actually run on
     this port.  The IPFW filters installed will automatically route non-local
     requests for the FTP port to this port.  This allows the running of a
     local ftp daemon on the machine running ftp-proxy.  This is not
     encouraged; the local FTP servers receive no benefit from ftp-proxy.

     The two most common invocations are for NAT only and for restrictive fil-
     tering (with or without NAT).  The typical invocation for NAT only is:

	   daemon ftp-proxy 4021

     The typical restrictive filtering invocation is:

	   daemon ftp-proxy -c 4021

     Note the use of the daemon(8) command.  This makes the ftp-proxy run de-
     tached from the terminal and in the background.  In both cases we use
     port 4021 as the internal proxy port so that an FTP server may run on the
     local machine.
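
     The following pre-flight check is an added example, not part of the
     original manual page or the BSDi distribution.  It validates the -n and
     -t values described above before building the restrictive-filtering
     invocation; the function names are hypothetical, and a positive integer
     tickrate is an assumption.

```shell
#!/bin/sh
# Added example: validate ftp-proxy timing options before launch.
# Function names are hypothetical. Only flags documented on this page
# (-c, -n, -t) and the 4021 proxyport from its examples are used.

# valid_ticks N: succeed only if N is a power of 2 between 1 and 128,
# which is the constraint the page gives for -n.
valid_ticks() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;   # empty, non-numeric, or leading zero
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 128 ] || return 1
    n=$1
    while [ "$n" -gt 1 ]; do
        [ $((n % 2)) -eq 0 ] || return 1   # odd factor: not a power of 2
        n=$((n / 2))
    done
    return 0
}

# idle_timeout TICKS TICKRATE: print the idle timeout in seconds for an
# unused data session (tickrate multiplied by ticks).
# Assumption: tickrate must be a positive integer.
idle_timeout() {
    valid_ticks "$1" || return 1
    case "$2" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    echo $(( $1 * $2 ))
}

# proxy_cmd TICKS TICKRATE: print the restrictive-filtering command line,
# or fail without output if either value is invalid.
# Note: -c also needs a lower-priority forward filter that allows the
# desired non-FTP traffic (see IMPORTANT NOTE).
proxy_cmd() {
    idle_timeout "$1" "$2" >/dev/null || return 1
    echo "daemon ftp-proxy -c -n $1 -t $2 4021"
}
```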

IMPORTANT NOTE
     If the -c option is used, it is very important that a forward filter be
     installed with a lower priority that allows desired traffic through.  If
     not, only FTP traffic will be allowed through on the machine.  Use of the
     -c option without a forward filter installed probably indicates that use
     of this proxy is not fully understood.  Please re-read this manual page
     and the ipfw(8) and ipfwnat(8) manual pages if you really think you want
     to run with -c and no other forward filter.

SEE ALSO
     ipfw(8),  ipfwnat(8)

			      September 10, 1999			     2
Copyright (c) for man pages and the logo by the respective OS vendor.