ftp-proxy.conf - configuration file for FTP-Proxy
/etc/proxy-suite/ftp-proxy.conf
This manual page documents the configuration file format of the
ftp-proxy(8) program. FTP-Proxy is an application level gateway
between FTP clients and servers. Its main purpose is to secure servers
against attacks based on the FTP protocol.
The FTP-Proxy configuration file consists of option lines and
comments. A line starting with a '#' character is a comment. The general
format of a option line is
[WhiteSpace] Name WhiteSpace Value [WhiteSpace]
It is recommended to use up to 24 characters for the name and no
more than 1024 for the value, although theoretically both can be up to 4096
in size. Lines can be continued if the last character is a backslash. The
whole file is not case sensitive.
Option lines always have a context which may be global or
user specific. A context is introduced by a [name] line, where name
is the FTP-login name or authuser if the UserAuthMagic feature is
used. It is allowed to use '*' wildcard character at the end of the context
name [name*] i.e. [foo*] to match multiple usernames beginning with
"foo". The beginning of the file is implicitly the
[-Global-] context (the dashes allow a user context named [global]
without conflict). It is legal to include an option more than once; the last
one will be the one used. Options in user contexts usually take precedence
over the equivalent global option.
Some of the options can be used in a user or the global context,
while others make sense only in one of them. See below.
Several options (see the individual discussion below for details)
support a limited set of variable substitution when evaluated. The following
replacements will be performed:
%b build date of the ftp-proxy(8) program
%d current system date in the form YYYY/MM/DD
%h host name from gethostname(2)
%n network name from getdomainname(2)
%t current system time in the form HH:MM:SS
%v version of the ftp-proxy(8) program
%% a single percent sign
- ActiveMaxDataPort
- Both user and global context. Defines the maximum local port number used
when connecting to the client's data port. The latter is either the same
as the client's control port or the one given in the most recent
PORT command. If either minimum or maximum value is not given, the
program defaults to using port 20, the ftp-data port as per RFC
959, for the local end of the socket if the proxy is running as root
(user ID 0) or to use a random port. See also ActiveMinDataPort and
User options.
- ActiveMinDataPort
- Both user and global context. Defines the minimum local port number used
when connecting to the client's data port. See also
ActiveMaxDataPort and User options.
- AllowMagicUser
- Global context only. Defines a flag that when set to yes, true, or
on allows the USER name to be optionally interpreted as
user[@host[:port]] where host overrides the
DestinationAddress and port the DestinationPort directive
below. It should only be activated with "trusted" users, like in
an outgoing FTP proxy scenario. See also the UserMagicChar and
ForceMagicUser options.
- AllowTransProxy
- Global context only. Defines a flag that when set to yes, true, or
on allows one to use the proxy as transparent proxy for outgoing
ftp. To get it working you also have to redirect client requests on a
gateway or firewall host (i.e. via ipchains) to the ftp-proxy. It should
only be activated with "trusted" users, like in an outgoing FTP
proxy scenario. You can combine this with the AllowMagicUser
option.
- DenyMessage
- Global context only. Defines the name of a file which prevents any
successful login if it exists, even if it is empty. The file contents will
be sent to the client, each line prefixed with '421-' and with
variable substitution applied. The whole file is followed by a line
starting with '421 ' followed by the DenyString below. After
sending the connection is closed. If no such file exists, the deny
mechanism is not triggered altogether. See also DenyString
option.
- DenyString
- Global context only. Defines a string that will be displayed to clients,
prefixed with '421 ' and variable substitution applied, if and only
if a DenyMessage file exists. The default is 'Service not
available'. See also DenyMessage option.
- DestinationAddress
- Both user and global context. Defines where to redirect incoming FTP
traffic. Can be given as either dotted decimal IP address or as DNS host
name. Please note that the global section must always contain this option
as a basic sanity check.
- DestinationMaxPort
- Both user and global context. Defines the maximum local port number to be
used when opening a connection to the FTP server. Valid both for control
and for data connections. Defaults to not binding prior to connecting and
listening, so that the system selects an arbitrary ephemeral port. See
also DestinationMinPort option.
- DestinationMinPort
- Both user and global context. Defines the minimum local port number to be
used when opening a connection to the FTP server. See also
DestinationMaxPort option.
- DestinationPort
- Both user and global context. Defines the FTP server's control port where
the proxy itself will connect. This option can either be given as a
numeric value or as the service name retrieved by getservbyname(3)
and defaults to port 21, the ftp port as per RFC 959.
- DestinationTransferMode
- Both user and global context. Defines the FTP transfer mode to be used
from the proxy to the server. Legal values are active, passive, or
client. The latter means to follow the mode the client is using.
The default value is client.
- FailResetsPasv
- Global context only. Defines the action that is taken when a data transfer
command is failed on the server side. If the option is set to yes,
true, or on the client data transfer socket will be closed and
the transfer mode set to the default (active-ftp).
If this flag is set to no, false, or off (which is also the
default) the socket can be reused for the next data transfer command in
passive mode. This options is a workaround for Netscape (4.x) clients,
that sends a second data transfer command if the first is failed, while
the user clicks on a symbolic link pointing to a directory.
Note, that this behavior may break the RFC definitions.
- ForceMagicUser
- Global context only. Same as AllowMagicUser, but makes the host and port
portion mandatory.
- ForkLimit
- Global context only. Limits the number of incoming client connections per
minute in daemon mode - it defaults to 40 connections per minute.
- Group
- Global context only. Defines the UNIX style group ID which is set by the
process before it serves clients. Default is to keep the current real
group ID.
- LDAPAuthDN
- Global context only. Defines a different base distinguished name that is
used when accessing an LDAP directory for user authentication purposes. It
defaults to the value of LDAPBaseDN. See also LDAPAuthPWAttr,
LDAPAuthPWType, LDAPAuthOKFlag, UserAuthType, LDAPBindDN
options.
- LDAPAuthOKFlag
- Global context only. Defines an attribute and its value as
attr=value string, i.e. userEnabled=yes, that will be checked while
user authentication in the directory tree specified using
LDAPAuthDN or LDAPBaseDN. Defaults to an empty string - no
flag check used.
- LDAPAuthPWAttr
- Global context only. Defines the LDAP password attribute name used for
user authentication.
A common used attribute name is userPassword. Defaults to an empty
string - password authentication disabled. See also LDAPAuthPWType
option.
- LDAPAuthPWType
- Global context only. Defines the LDAP password type / format and a minimal
allowed password length expected as value for attribute name specified
using LDAPAuthPWAttr.
Valid values are plain, crypt, {crypt} followed by one
number 0-9, i.e. {crypt}7, plain9 or plain.
If no minimum length specified the default minimum length of 5
characters is used.
A password type {crypt} means, the password value in the LDAP
directory is prefixed by the {crypt} scheme specification. Other
password schemes, i.e. MD5, are not supported at the moment.
Crypted passwords are only available, if the proxy is compiled with crypt
support - see also --with-crypt compile time option in configure
script.
If the password (without scheme prefix) stored in LDAP
directory is * or ! the account is disabled and the
authentication fails.
Defaults to plain (equivalent to plain5). See also the
LDAPAuthOKFlag.
- LDAPBaseDN
- Global context only. Defines the base distinguished name that is used when
accessing an LDAP directory, i.e. the root of the tree containing
the FTP-Proxy entries. Defaults to an empty string. If
UserAuthMagic is used, the authuser is used as user name for
authentication and user profiles, otherwise the normal ftp-user name. See
also LDAPIdentifier, LDAPObjectClass, LDAPServer, UserAuthMagic
options.
- LDAPBindDN
- Defines the distinguished name that is used to (simple) bind the directory
service. Defaults to an empty string (anonymous bind). It is allowed to
include one %s in this string, that will be replaced with the FTP username
or authuser if UserAuthMagic is used. See also UserAuthMagic,
LDAPAuthDN, LDAPBindPW options.
- LDAPBindPW
- Defines the credential (password) that is used to (simple) bind the
directory service using distinguished name given in the LDAPBindDN
option. Defaults to an empty string (anonymous bind).
- LDAPIdentifier
- Global context only. Defines the identification attribute for the access
to the LDAP directory. This can be thought of as the primary key
and defaults to the string CN which is short for "Common
Name." See also LDAPBaseDN, LDAPObjectClass, LDAPServer
options.
- LDAPObjectClass
- Global context only. Defines the LDAP object class which holds the
entries for the FTP-Proxy access control. It is assumed that the possible
user specific config options exist as attributes within a record of this
type. There is no default, but a value of FTPProxyUser is
recommended. See also LDAPBaseDN, LDAPIdentifier, LDAPServer
options.
- LDAPServer
- Global context only. This is the main option for using an LDAP
directory for retrieving user specific values. If given, it denotes the
server (and possible port separated by a colon) where FTP-Proxy will ask
for the attributes. The program will bind as the anonymous user and try to
retrieve the values from the tree rooted at LDAPBaseDN, having an
object class of LDAPObjectClass and identified by the
LDAPIdentifier. If the server cannot be reached, the program
aborts. If the user cannot be found, the program falls back to the
configuration file, but will query only the global values and not the user
specific ones. See also LDAPBaseDN, LDAPBindDN, LDAPIdentifier,
LDAPObjectClass options.
- LDAPVersion
- Global context only. Use this option to set the LDAP API version, the
proxy should set: 2 or 3. Use 0 to skip explicit version setting and use
library defaults. Defaults is version 3 if supported by the library or 2
if not.
Note: OpenLDAP 2.x library defaults to version 2 bind, but the OpenLDAP
server refuses LDAPv2 bind by default.
- Listen
- Global context only. Defines the address where the proxy itself opens the
listening port. The default is 0.0.0.0 which instructs the server
to bind to any address. See also Port option.
- LogDestination
- Global context only. Defines the destination of the logging information
the program wishes to emit. If the value starts with a slash (/) it will
be interpreted as an absolute path. This file will be created and kept
open during the lifetime of the process. The signal SIGUSR1 can be
sent to the (daemon) process in order to rotate this log file.
A second way to provide logging is via a pipe and is employed
when the first character of the option is a pipe symbol (|). In this
case the rest of the value is interpreted as the name of a UNIX command
which is invoked and receives logging information on its standard
input.
The third way is to use the syslog(3) service which is
assumed for all other values. The option value is interpreted as the
syslog facility while the severity is defined by the various messages
themselves.
- LogLevel
- Global context only. Defines the maximal level of logged messages. The
levels are, in order of decreasing importance: FLT, ERR, WRN, INF,
DBG
The default level is INF. A LogLevel set to WRN causes,
that only messages with levels FLT, ERR, WRN will be logged.
- MaxClients
- Global context only. Defines the maximum number of clients the proxy will
allow concurrently. The valid range for this option is 1 to 512, with a
default of 64. See also MaxClientsMessage, MaxClientsString
options.
- MaxClientsMessage
- Global context only. Defines the name of a file that is displayed to
clients if their maximum number defined with MaxClients has been
exceeded. If no such file exists only the MaxClientsString is
displayed, else both the file and the string are transmitted. After
transmission the connection is terminated in any case. When sending the
file, each line is prefixed with '421-' and variable substitution
is applied to it. See also MaxClients, MaxClientsString
options.
- MaxClientsString
- Global context only. Defines a string that will be displayed to clients,
prefixed with '421 ' and variable substitution applied, if the
maximum client number has been exceeded. The default is 'Service not
available' . See also MaxClients, MaxClientsMessage
options.
- MaxRecvBufSize
- Global context only. Defines the maximum number of bytes read from socket
at once while data transfers. Default is to read all data as reported by
the kernel.
It may be useful to set a limit (i.e. to 8192), if your proxy machine uses
two interfaces of different speed, i.e. the clients are accessing the
proxy via a high-speed interface (i.e. Fast-Ethernet) and the proxy is
accessing servers using a slower one (i.e. modem, ISDN link) and your
ftp-clients aborts the data transfers because of a timeout.
- PassiveMaxDataPort
- Both user and global context. Defines the maximum local port number used
when listening for the client's data connection. This is the port number
transmitted to the client in a 227 response to the PASV
command. If either minimum or maximum value is not given, the program
defaults to let the system choose an arbitrary ephemeral port. See also
PassiveMinDataPort option.
- PassiveMinDataPort
- Both user and global context. Defines the minimum local port number used
when listening for the client's data connection. See also
PassiveMaxDataPort option.
- PidFile
- Global context only. Defines the name of a process ID file where FTP-Proxy
will store its process ID if running as daemon. The file contents will be
an ASCII string with a trailing newline. On many operating systems such
PID files will be located in the /var/run directory.
- Port
- Global context only. Defines the listening port where the FTP-Proxy offers
its service. The port can be given as a number or as a string suitable for
retrieval by the getservbyname(3) function. It defaults to port 21,
the ftp port as per RFC 959. See also Listen
option.
- PortResetsPasv
- Global context only. Defines the action that is taken when a PORT
command is received while a passive port is open for listening. If the
option is set to yes, true, or on, (which is also the
default) the socket will be closed and the passive mode will be terminated
(set to active-ftp). Setting the option to no, false, or off
does not cancel the listen. This flag seems necessary because the RFC is
not really clear enough about the correct handling.
- SameAddress
- Both user and global context. Defines a boolean value which determines if
the proxy is allowed to be included in so-called third party server to
server transfers. In this situation the client first sends a PASV
command to one server, then a PORT command with the response code
to the second server, and then initiates the transfer with mutual transfer
commands on the two servers. Specifying this option as no, false,
or off allows FTP-Proxy to take part in such a transfer, while
saying yes, true, or on (the default) will enforce that
transfers can only take place to/from the client itself.
- ServerRoot
- Defines the directory into which the FTP-Proxy performs a chroot(2)
in order to increase its security level. See also the User and
Group options.
Note, that you have to copy needed libraries, configuration
files, etc into this directory first!
- ServerType
- Global context only. Defines the mode in which the FTP-Proxy is running if
no command line switch (-d/-i) has been provided. The option value
can either be inetd in which case the proxy expects the client to
be available at standard input and output, or it can be standalone
which means the process will become a daemon, open the listening port and
fork child processes for all future connections. The child processes
themselves will behave exactly as if they were started from inetd.
- SockBindRand
- Global context only. Defines a flag that when set to yes, true, or
on , causes the proxy to use a random port in the specified range
via DestinationMinPort/MaxPort, ActiveMinPort/MaxDataPort,
PassiveMinDataPort/MaxDataPort instead of increment the port number inside
of this range. See also DestinationMinPort, DestinationMaxPort,
PassiveMinDataPort, PassiveMaxDataPort, ActiveMinPort,
ActiveMaxPort options.
- TCPWrapper
- Global context only. Defines a boolean value which is evaluated by the
FTP-Proxy running as a standalone daemon only. Saying yes, true, or
on activate the TCP Wrapper library, whereas no,
false, or off (the default) disable the function. See also
TCPWrapperName option.
- TCPWrapperName
- Global context only. Use given name for TCP-Wrapper checks instead
of the program name (argv[0]). See also TCPWrapper option.
- TimeOut
- Both user and global context. Defines the time in seconds after which a
client is assumed to be disconnected. If no activity is detected from the
client after this time, the connection is closed and the process
terminates. Default value is 900 seconds.
- TranslatedAddress
- Global context only. Defines an IP address the server will use in
227 replies to PASV commands instead of its own address.
Usually the address where the client connected to is taken, but this may
not be appropriate in situations where an NAT (Network Address
Translation) device is located in the way from the client to the proxy. In
this situation the response can be changed to include the input address of
the NAT device.
The value for this option can be given as a DNS host name, as
a dotted decimal IP address, or as a file name. The latter is assumed
when the name starts with a slash. The file is opened and scanned for
the desired address. Blank lines or lines starting with '#' are ignored.
Reading the address from a file may be useful for environments with
masquerading and dynamic PPP connections.
- User
- Global context only. Defines the UNIX style user ID which is given to the
process before it serves clients. Default is to keep the current real user
ID.
If the proxy does not run as a privileged user (root, user ID
0), it has no permission to bind a socket to port < 1024 or to
preform a chroot(2) call. See also ActiveMinDataPort,
ActiveMaxDataPort, ServerRoot options.
- UserMagicChar
or UseMagicChar
- Global context only. Defines the character to use as separator between
user and host[:port] in the target setting of AllowMagicUser
Default is the '@' character. This allows you to use E-Mail addresses as
usernames for login to the ftp server (i.e. me@mydomain%ftp.server:21 if
you set it to %).
- UserAuthMagic
- Global context only. This is an authentication extension like
AllowMagicUser, allowing encoding of additional username and password in
the USER and PASS commands for authentication. Valid values are
@auth for ftpuser@authuser[@host:port] and ftppass@authpass or
auth@ for authuser@[ftpuser@host:port] and authpass@ftppass. See
also LDAPBindDN, LDAPAuthType and AllowMagicUser.
- UserAuthType
- Global context only. Defines the authentication mechanism the proxy should
use. Currently "ldap" is implemented to support simple LDAP
authentication using FTP username and password from USER and PASS commands
or the special authuser and authpass encoded using UserAuthMagic.
See also LDAPBindDN, LDAPAuthDN, LDAPAuthPWAttr, LDAPAuthPWType,
LDAPAuthOKFlag and UserAuthMagic options.
- UserNameRule
- Global context only. Defines a regular expression rule for validation of
the user name (used for profile-setup and authentication purposes).
Defaults to:
^[[:alnum:]]+([%20@/\._-][[:alnum:]]+)*$
It checks, if the first character is alphanumeric, optionally
followed by @/_-. or alphanumeric characters and ending with an
alphanumeric one.
This matches the usual cases inclusive E-Mail addresses and
"domain/user" names.
If regex support is not available, above default rule is still
used and the option ignored. See also ValidCommands option for
regex encoding description.
- ValidCommands
- Both user and global context. Defines the list of allowed FTP commands for
the client. If this option is not installed, there will be no restriction
on the allowed commands. But if it is given, then all commands not on this
list will be denied. The list is space separated and may consist of the
following commands: USER, PASS, ACCT, CWD, CDUP, SMNT, QUIT, REIN,
PORT, PASV, TYPE, STRU, MODE, RETR, STOR, STOU, APPE, ALLO, REST,
RNFR, RNTO, ABOR, DELE, RMD, MKD, PWD, LIST, NLST, SITE, SYST,
STAT, HELP, NOOP, SIZE, MDTM, MLFL, MAIL, MSND, MSOM, MSAM,
MRSQ, MRCP, XCWD, XMKD, XRMD, XPWD, XCUP, AUTH, APSV, EPRT, and
EPSV.
Each command can be followed by an optional equals sign and
POSIX 1003.2 Extended Regular Expression (RE) that describes the
valid argument(s) for the command. If the whole string is to be matched,
the pattern has to start with a caret (^) and end with a dollar ($). If
no pattern follows a command, its arguments are not checked. An example
for a name would be the pattern '^[a-zA-Z0-9]{1,512}$' for an
argument that is mandatory and may consist of up to 512 letters or
digits only. A command that does not allow any arguments can also easily
be represented: 'QUIT=^$' .
Please note that the regular expression is
"pre-processed". This means that a pattern in the form %xx
will be interpreted as a hexadecimal constant and will be replaced by
the value of that constant. This looks a bit like HTML and helps to
include characters that might not be handled as expected, like %20 for
space or %5c (equivalent to %5C) for backslash. The space is especially
important because it is the separator for the commands within the list
itself.
Please note also that regular expression support must have
been enabled with the --with-regex switch during the
configure compilation step of the whole package.
- WelcomeMessage
- Global context only. Defines the name of a file that will be displayed to
all clients as the first action when they open the control connection.
Each line is prefixed with '220-' and variable substitution is
applied to it. If no such file exists it is silently ignored. See also
WelcomeString option.
- WelcomeString
- Global context only. Defines the string that is sent to the client in
order to start login negotiation. The string is prefixed with '220
' and variable substitution is applied to it. If this option is not
given it defaults to the following string:
'%h FTP server (%v - %b) ready'.
See also WelcomeMessage option.
/etc/proxy-suite/ftp-proxy.conf
/usr/sbin/ftp-proxy
ftp-proxy(8)
The SuSE Proxy-Suite documentation included in the
doc subdirectory of the package.
Jens-Gero Boehm <jens-gero.boehm@suse.de>
Pieter Hollants <pieter.hollants@suse.de>
Volker Wiegand <volker.wiegand@suse.de>
Marius Tomaschewski <mt@suse.de>
The SuSE Proxy-Suite is released under the
GNU General Public License (GPL).