On Tue, 14 Dec 2004, Tobias Wigand wrote: > hope it doesn�t have any severe exploitable bugs, though. ;-)
Peer review would be good... but it already does some mitigation: check the security section below. I've put up the latest version at http://www.sentia.org/downloads/pftpx-0.5.tar.gz it includes a manpage as well, which is pretty short so I'll paste it below. -- Cam PFTPX(8) OpenBSD System Manager's Manual PFTPX(8) NAME pftpx - FTP proxy SYNOPSIS pftpx [-6d] [-b address] [-c port] [-D level] [-f address] [-g port] [-m maxsessions] [-p address] [-q queue] [-t timeout] DESCRIPTION pftpx is a proxy for the Internet File Transfer Protocol. FTP control connections should be redirected into the proxy using the pf(4) rdr com- mand, after which the proxy connects to the server on behalf of the client. The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used. All connections from the client to the server have their source address rewritten so they appear to come from the proxy. Consequently, all connections from the server to the proxy have their destination address rewritten, so they are redirected to the client. The proxy uses the pf(4) anchor facility for this. Assuming the FTP control connection is from $client to $server, the proxy connected to the server using the $proxy source address, and $port is ne- gotiated, then pftpx adds the following rules to the various anchors. (These example rules use inet, but the proxy also supports inet6.) In case of active mode (PORT or EPRT): rdr from $server to $proxy port $port -> $client pass log quick inet proto tcp \ from $server to $client port $port flags S/SAFR keep state In case of passive mode (PASV or EPSV): nat from $client to $server port $port -> $proxy pass log quick inet proto tcp \ from $client to $server port $port flags S/SAFR keep state pass log quick inet proto tcp \ from $proxy to $server port $port flags S/SAFR keep state The options are as follows: -6 IPv6 mode. The proxy will expect and use IPv6 addresses for all communication. Only the extended FTP modes EPSV and EPRT are al- lowed with IPv6. The proxy is in IPv4 mode by default. -b address Address where the proxy will listen for redirected connections. The default is 127.0.0.1, or ::1 in IPv6 mode. -c port Port where the proxy will listen for redirected connections. The default is port 8021. -d Do not daemonize. The process will stay in the foreground, log- ging to stderr. -D level Debug level, ranging from 0 to 7. Higher is more verbose. The default is 5. (These levels correspond to the syslog(3) levels.) -f address Fixed server address. The proxy will always connect to the same server, regardless of where the client wanted to connect to (be- fore it was redirected). Use this option to proxy for a server behind NAT, or to forward all connections to another proxy. -g port Fixed server port. Only used in combination with the previous option. The default is port 21. -m maxsessions Maximum number of concurrent FTP sessions. When the proxy reach- es this limit, new connections are denied. The default is 100. -p address Proxy source address. The proxy will use this as the source ad- dress to connect to servers. -q queue Create rules with queue queue appended, so that data connections can be queued. -t timeout Number of seconds that the control connection can be idle, before the proxy will disconnect. The default is 24 hours. Do not set this too low, because the control connection is usually idle when large data transfers are taking place. CONFIGURATION To make use of the proxy, pf.conf(5) needs the following rules. All an- chors are mandatory. The rdr pass rule can be adjusted as needed. In the NAT section: nat-anchor "pftpx/*" rdr-anchor "pftpx/*" rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021 In the rule section: anchor "pftpx/*" SECURITY Negotiated data connection ports below 1024 are not allowed. The negotiated IP address for active modes is ignored for security rea- sons. This makes third party file transfers impossible. pftpx chroots to "/var/empty" and changes to user "proxy" to drop privi- leges. SEE ALSO ftp(1), pf(4), pf.conf(5),
