I found out the hard way that of course using ftp-proxy makes implicit TLS impossible for FTP clients. I'd like to note this under CAVEATS.
While here, chrooting and dropping privs is a feature, not a bug, so move that paragraph up. OK? Index: ftp-proxy.8 =================================================================== RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v retrieving revision 1.19 diff -u -p -r1.19 ftp-proxy.8 --- ftp-proxy.8 25 Jun 2012 11:49:19 -0000 1.19 +++ ftp-proxy.8 9 Jan 2015 10:11:12 -0000 @@ -81,6 +81,9 @@ pass in from $client to $orig_server por pass out from $client to $server port $port nat-to $proxy .Ed .Pp +.Nm +chroots to "/var/empty" and changes to user "proxy" to drop privileges. +.Pp The options are as follows: .Bl -tag -width Ds .It Fl 6 @@ -193,5 +196,6 @@ The negotiated IP address for active mod reasons. This makes third party file transfers impossible. .Pp +Since .Nm -chroots to "/var/empty" and changes to user "proxy" to drop privileges. +acts as a man-in-the-middle it breaks implicit FTP TLS connections (RFC 4217).
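Review bot: In the first hunk (@@ -81,6 +81,9 @@), the moved sentence keeps the path and the user name as plain double-quoted strings on the line after .Nm. Since the line is being moved anyway, consider marking the path up as .Pa /var/empty and quoting the user with .Dq proxy, so mdoc renders the path as a path instead of literal quote characters. The placement itself, between the .Ed of the pf rules example and "The options are as follows:", has a .Pp on both sides and reads fine.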
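Review bot: In the second hunk (@@ -193,5 +196,6 @@), the new CAVEATS sentence cites RFC 4217 for "implicit FTP TLS", but RFC 4217 specifies the AUTH TLS command, which is the explicit mode; please check whether the citation or the word "implicit" is what you mean. The sentence would also be more useful if it gave the reason rather than only "acts as a man-in-the-middle", for example that the proxy has to read and rewrite the control connection and cannot do so once it is encrypted. Minor: a comma after "man-in-the-middle" would help the sentence read, as in "acts as a man-in-the-middle, it breaks ...".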
