ftp.proxy can be started from a TCP superserver like inetd(1) or
tcpproxy(1), but can also bind to a TCP/IP port on its own and run in
standalone (or daemon) mode.
Protocol Support
supports the following FTP
commands:
Transfer of structured data is not
supported.
Command Parameters
By default ftp.proxy does not accept blanks in command parameters. This
protects your UNIX server against users who work on systems where such
names are usual. To allow blanks the option -b must be given on the
command line. Notice that blanks at the beginning or end of a parameter
are still not accepted, with or without -b.
The `SITE' command is not affected by this limitation in either case:
ftp.proxy always accepts blanks in `SITE' parameters.
The option -y makes ftp.proxy accept data connections from remote
interfaces other than the one the control connection came from. Avoid
this option if you can: the data connection is then no longer tied to
the address of the client's control connection, which has caused
security problems (see HISTORY for details).
Server Selection
If client-side server selection is turned on with the -e option the user
must select the FTP server to use with the `@' notation. Instead of
specifying the real FTP server on the command line the user connects to
the gateway machine where ftp.proxy is running and enters the username
in the form
remote-user@remote-ftp-server
The password sent to the proxy server is the password required for
logging into remote-ftp-server with the account remote-user.
In situations where the FTP client does not support usernames containing
an `@' the percent sign `%' may be used instead.
The access controller receives the following variables:
The values for PROXY_USERNAME and PROXY_PASSWD are taken from the supplied
remote username and password if they contain a colon `:'. In this case the
local authentication data is taken from the left side of the colon and the
remaining right side is passed on to the server.
Furthermore the acp's stdout is connected to the FTP client and its stderr
is read by ftp.proxy, which writes the acp's stderr output to syslog.
Notice also that a non-zero acp exit code signals that something is wrong
and that ftp.proxy should terminate.
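As an added illustration, not part of ftp.proxy or its manual page, the following POSIX shell function splits a login given in the `@' notation into the pieces described above: the local authentication data in front of a colon, the remote user, the remote server (with `%' accepted in place of `@'), and the password that is passed on. ftp.proxy does this parsing internally; the function, its name and the sample logins are the editor's own and only make the rules explicit.

```sh
#!/bin/sh
# Added example, not part of ftp.proxy: how a login given in the "@" notation
# (-e) decomposes according to the rules in this manual page.
#
#   remote-user@remote-ftp-server      selects the server
#   remote-user%remote-ftp-server      same, for clients that reject "@"
#   local:remote-user@...              text before ":" in the username is
#                                      PROXY_USERNAME (local authentication)
#   local-pw:remote-pw                 likewise for PROXY_PASSWD
#
# split_login USER PASS prints five lines: PROXY_USERNAME, PROXY_PASSWD,
# remote user, remote server, remote password. Empty PROXY_* lines mean
# no local authentication data was supplied. Returns 1 if no server was
# selected at all.
split_login() {
    user=$1
    pass=$2
    proxy_user=
    proxy_pass=

    # Local authentication data: everything before the first colon.
    case $user in
        *:*) proxy_user=${user%%:*}; user=${user#*:} ;;
    esac
    case $pass in
        *:*) proxy_pass=${pass%%:*}; pass=${pass#*:} ;;
    esac

    # Server selection: "@" or, as a substitute, "%". The last separator
    # wins, so a remote user name that itself contains "@" still works.
    case $user in
        *@*) sep=@ ;;
        *%*) sep=% ;;
        *)   printf 'no server selected (expected remote-user@remote-ftp-server)\n' >&2
             return 1 ;;
    esac
    remote_user=${user%"$sep"*}
    remote_server=${user##*"$sep"}

    printf '%s\n%s\n%s\n%s\n%s\n' \
        "$proxy_user" "$proxy_pass" "$remote_user" "$remote_server" "$pass"
}
```

Note the ambiguity the colon rule creates: a remote password that itself contains a colon is split at its first colon and the part before it is treated as local authentication data. A site running with -e should tell its users to avoid colons in remote passwords or to always supply the local part explicitly.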
Connection Translation
Beginning with version 1.1.6 ftp.proxy supports connection translation
programs (ctp's). A ctp can completely override the user's server
selection and login. If configured the ctp is called before the acp. It
receives the same environment variables as the acp and returns on its
stdout the server and login information that should be used for the
server connection. The format of the ctp output lines is
variable [<whitespace>]= [<whitespace>] value
where variable is one of
The ctp can deny the proxy request by exiting with a non-zero exit code,
in which case ftp.proxy drops the connection immediately. Alternatively
the ctp can print a line starting with -ERR, which is written to syslog
before the connection is closed.
Command Control
If a command control program (ccp) is given with the -c option this
program is called for the FTP commands
The ccp returns an exit code of 0 to grant and any other to deny access
(the exit code for the `QUIT' command is ignored). For the ccp the same
variables as for acp's are set with the addition of
The ccp's stdout and stderr are connected to ftp.proxy. A one-line
message written to stdout by the ccp goes to syslog, while a message on
stderr is sent to the client. If this message does not contain a status
code ftp.proxy substitutes a `553' code. If the message is empty the
client gets a simple `553 permission denied'. Notice that the stderr
message is only used if the ccp returns an exit code other than zero.
On normal program termination (`QUIT' command or timeout) the ccp is
called with the command `+EXIT' to do some final clean-up. Delivery of
the `+EXIT' event is not guaranteed: there are many ways for the proxy to
terminate without generating it, e.g. client timeout, server error or
reception of a signal by the proxy, so nothing the policy depends on
should be left to it.
The `LIST' and `NLST' commands may or may not have a parameter. If it is
absent ftp.proxy sets the parameter to `*', but this affects only the
PROXY_FTPPATH variable, not the command that is sent to the server.
For the `CDUP' command PROXY_FTPPATH contains the full path of the target
directory.
Monitoring may not work with all server systems since the output of the
`PWD' command, which ftp.proxy uses to determine the current directory,
is not completely defined. If the directory cannot be clearly determined
ftp.proxy terminates.
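As an added example, not from ftp.proxy or its manual page, here is a small ccp in POSIX shell that applies the contract above: it writes its syslog line to stdout, its client message to stderr (once with an explicit 550, once without a status so that ftp.proxy supplies the 553), handles `+EXIT', and restricts the commands that modify the server's file system to one directory tree. The write policy, the WRITABLE_ROOT name and the assumption that the FTP command itself is delivered in an environment variable named PROXY_FTPCMD are the editor's own; the variables the ccp really receives, and the commands for which it is called, are the ones listed above.

```sh
#!/bin/sh
# Added example of a command control program (ccp) for ftp.proxy -c.
# Not part of ftp.proxy. Assumptions: the FTP command arrives in the
# environment variable PROXY_FTPCMD (only PROXY_FTPPATH is documented in
# the text above), and the write policy below is an arbitrary example.
#
# Contract taken from the manual page:
#   exit 0 grants, anything else denies (ignored for QUIT);
#   one line on stdout -> syslog;
#   a line on stderr -> client, only when the exit code is non-zero,
#   and it gets a 553 status prefixed if it carries none;
#   "+EXIT" is delivered on normal termination only.

# Directory below which file-changing commands are permitted (example).
WRITABLE_ROOT=/pub/incoming

# ccp_check CMD PATH: decide on one command; returns the ccp exit code.
ccp_check() {
    cmd=$1
    path=$2
    case $cmd in
        +EXIT)
            # Final clean-up hook. Not guaranteed to arrive (client timeout,
            # server error, signal), so nothing essential may depend on it.
            printf 'session ended for %s\n' "${PROXY_USERNAME:-unknown}"
            return 0 ;;
        QUIT)
            return 0 ;;   # exit code is ignored by the proxy anyway
        STOR|APPE|DELE|RNFR|RNTO)
            # PROXY_FTPPATH is built from the PWD output of a foreign server;
            # refuse ".." defensively instead of trusting its normalisation.
            case $path in
                *..*)
                    printf 'deny %s %s (dot-dot)\n' "$cmd" "$path"
                    printf '550 invalid path\n' >&2
                    return 1 ;;
                "$WRITABLE_ROOT"/*)
                    printf 'allow %s %s\n' "$cmd" "$path"      # -> syslog
                    return 0 ;;
                *)
                    printf 'deny %s %s\n' "$cmd" "$path"
                    # Explicit status; without one the proxy would send 553.
                    printf '550 %s only permitted below %s\n' "$cmd" "$WRITABLE_ROOT" >&2
                    return 1 ;;
            esac ;;
        MKD|RMD)
            # Bare message: ftp.proxy itself prefixes the default 553 status.
            printf 'directory changes are not available through this proxy\n' >&2
            return 1 ;;
        *)
            return 0 ;;   # read-only commands are granted
    esac
}

# Entry point when started by ftp.proxy; a no-op when sourced for testing.
if [ -n "${PROXY_FTPCMD:-}" ]; then
    ccp_check "$PROXY_FTPCMD" "${PROXY_FTPPATH:-}"
    exit $?
fi
```

Install it with -c and the script's path. The `..' check is deliberately coarse (it also rejects a file name such as `a..b'); since the path is derived from the remote server's `PWD' output, which the text above notes is not fully defined, erring on the side of refusal is the safer choice for a write restriction.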
CONFIGURATION FILE
ftp.proxy can take most of its command line options also from a
configuration file which can be set with the -f option.
The following options can be set:
Notice that the file can contain comments and blank lines (in the usual
UN*X style) but ftp.proxy terminates immediately with an error code if an
unknown or invalid configuration option is found.
Interface specific configurations
ftp.proxy's configuration file supports interface specific configuration
sections. Such a section begins with a line that starts with
followed by the configuration options for connections on this specific
interface. ftp.proxy checks for such sections immediately after the
client connection is accepted. If it finds at least one interface
specific section in the configuration file but none for the current
interface it considers itself not configured for that interface and drops
the connection, sending a `421 not available' message to the client.
ftp.proxy accepts all global configuration options from above (although
not all make sense, e.g. bind) in interface specific sections. That is,
ftp.proxy can have completely different configurations on different
interfaces. But to deactivate a non-boolean option, e.g. ctp, you cannot
simply give the option without a value; this would be considered a `bad
configuration option'. Instead you must supply a single dash `-' to clear
the option.
Configuration checking
ftp.proxy prints an error message and terminates immediately if it finds
an unknown or bad configuration option. Worse, these error messages are
printed to ftp.proxy's stderr and not to syslog, which makes them hard to
observe. ftp.proxy addresses this issue by supporting the -F option.
The -F option sets the configuration file and the `check-and-print' mode,
that is, ftp.proxy will only read, check and print its configuration
options as they are set after reading the configuration. An interface
IP-number may be given as an optional command line parameter to make
ftp.proxy print the configuration for this particular interface.
OPTIONS
The following options are available: