man ftp-proxy contains some serious errors.
From: Han Boetes <han(at)mijncomputer.nl>
Date: Wed Nov 27 2002 - 11:34:24 EST
I just started using ftp-proxy and I used the output from pflog0 to find out what rules I had to apply after discovering the manpage was in err. So I made a patch with suggestions.

// Han

--- ftp-proxy.8.orig Wed Nov 27 14:48:02 2002 +++ ftp-proxy.8 Wed Nov 27 15:42:11 2002@@ -159,19 +159,21 @@ and requires that FTP connections are redirected to it using a .Em rdr rule. -A typical way to do this would be to use a rule such as +A typical way to do this would be to use a +.Xr pf.conf 5 +rule such as .Pp -rdr on xl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021 +.Bd -literal + int_if = xl0 + rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 +.Ed .Pp -in -.Xr pf.conf 5 -(this example assumes xl0 is the interface facing an internal network). .Xr inetd 8 must then be configured to run .Nm ftp-proxy on the port from above using .Pp -127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy + 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy .Pp in .Xr inetd.conf 5 .
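Review bot: the first hunk drops the sentence "(this example assumes xl0 is the interface facing an internal network)" at the same time as it introduces `int_if = xl0` and `$int_if`, so the page no longer says what the macro denotes; keep a sentence stating that `$int_if` is the interface facing the internal network, or say so in a comment inside the literal block. The inetd.conf line in the same hunk gains a leading space (`+ 127.0.0.1:8021 stream tcp nowait root ...`) but stays inside a plain `.Pp` paragraph rather than a `.Bd -literal`/`.Ed` block like the rdr example just above it; wrap it the same way so both examples render consistently.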
@@ -187,20 +189,21 @@ The .Xr pf.conf 5 rules need to let pass connections to these proxy ports -(see options -u, -m and -M above) in on the external interface. +(see options -u, -m and -M above) out on the external interface. The following example allows only ports 49152 to 65535 to pass in -statefully (assuming xl1 is the external interface): +statefully: .Bd -literal -block in on xl1 proto tcp all -pass in on xl1 proto tcp from any to xl1 port > 49151 keep state + block out on $ext_if proto tcp all + pass out on $ext_if proto tcp from $ext_if to any \\ + port > 49151 keep state .Ed .Pp -Alternatively, rules make use of the fact that by default, +Alternatively, rules can make use of the fact that by default, .Nm ftp-proxy runs as user "proxy" to allow the backchannel connections, as in the following example: .Bd -literal -block in on xl1 proto tcp all -pass in on xl1 proto tcp from any to xl1 user proxy keep state + block out on $ext_if proto tcp all + pass out on $ext_if proto tcp from $ext_if to any user proxy keep state .Ed .Sh SEE ALSO @@ -209,7 +212,9 @@ .Xr hosts.deny 5 , .Xr pf.conf 5 , .Xr pfctl 8 , -.Xr syslogd 8 +.Xr syslogd 8 , +.Xr inetd.conf 5 , +.Xr inetd 8 . .Sh BUGS Extended Passive mode (EPSV) is not supported by the proxy and will not work unless the proxy is run in network address translation mode.

Received on Wed Nov 27 11:35:14 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:38 EDT
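Review bot: in the second hunk, changing "in on the external interface" to "out" and replacing `pass in on xl1 proto tcp from any to xl1 port > 49151 keep state` with `pass out on $ext_if proto tcp from $ext_if to any port > 49151 keep state` changes which connections the example permits, not merely how it is written: the sentence that survives still says the rules "need to let pass connections to these proxy ports (see options -u, -m and -M above)", that is, connections arriving at the firewall's own ports, and the unchanged context still reads "allows only ports 49152 to 65535 to pass in", whereas the new rule matches connections leaving the firewall towards ports above 49151 on remote hosts. Either the prose or the rules must change so they describe the same traffic, and the message should say which connections pflog0 showed being blocked, since that is the evidence for the direction change. The same hunk removes "(assuming xl1 is the external interface)" but never defines `$ext_if`; add `ext_if = xl1` beside the `int_if` macro introduced in the first hunk, or keep the parenthetical.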
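Review bot: the SEE ALSO hunk appends `.Xr inetd.conf 5 ,` and `.Xr inetd 8 .` after `.Xr syslogd 8 ,`, but mdoc(7) orders that section by manual section number and then alphabetically, so `inetd.conf 5` belongs before `pf.conf 5` and `inetd 8` before `pfctl 8`, with `syslogd 8` staying the last entry and keeping the terminating period.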