#####################################################################
#
# $Id: ftp-proxy.conf.sample,v 1.3 1999/09/24 06:39:43 wiegand Exp $
#
# Sample FTP Proxy Configuration File
#
# The general format is "Keyword Value".
#
# Any white space at the beginning or end of a line and after
# the Keyword is ignored. Lines can be continued with '\'.
# Case is *NOT* sensitive, so "user" is "User" is "USER".
#
# Several variables can also be assigned to a client's user name.
# User specific sections are introduced by a '[username]' line.
# The variables are: TimeOut, ValidCommands, SameAddress,
#                    ActiveMinDataPort, ActiveMaxDataPort,
#                    PassiveMinDataPort, PassiveMaxDataPort,
#                    DestinationAddress, DestinationPort,
#                    DestinationMinPort, DestinationMaxPort,
#                    DestinationTransferMode, MaxPathLength,
#                    LegalPathChars, ValidPathPattern.
# These variables can also be obtained from an LDAP server, in
# which case the values from this file are not evaluated any
# more.
#
#####################################################################

#
# The start of the file is implicitly the [-Global-] section.
#
[-Global-]

# The following entries select a port range for client DTP
# ports in active mode, i.e. when the client sends a PORT
# command. The default is port 20 as per RFC 959.
#
# ActiveMinDataPort 40000
# ActiveMaxDataPort 40999

# Defines the character to use as separator between user
# and host[:port] in the target setting of AllowMagicUser.
# Default is the '@' character. Choosing another character
# allows you to use e-mail addresses as user names for login
# to the FTP server (e.g. me@mydomain%ftp.server:21 if you
# set it to %).
#
UseMagicChar %

# The following flag is especially useful for outbound FTP
# traffic. It allows some "magic" in the USER name. If set,
# it enables the USER name to contain the target server in
# the form "user[@host[:port]]" and overrides the
# DestinationAddress (and DestinationPort) below, i.e. the
# client, not this file, then decides which server is reached.
#
AllowMagicUser no

# The following setting allows you to configure a so-called
# transparent proxy for outgoing FTP. To get it working you
# also have to redirect client requests on a gateway or
# firewall host (e.g. via ipchains) to the ftp-proxy.
# You can combine this with the AllowMagicUser flag.
#
# AllowTransProxy no

# This message prevents any login if a file with the given
# name exists. Instead the contents of the file will be sent
# to the client and the connection closed. Lines are prefixed
# with "421-". If no such file exists, the mechanism is not
# triggered and DenyString (see below) is ignored altogether.
#
DenyMessage /etc/proxy-suite/ftp-deny.txt

# If a DenyMessage file exists, the deny mechanism will be
# activated in any case. If a DenyString exists, it will be
# sent (with escape sequences expanded) as the last line (with
# a 421 reply code), else the standard message
# "Service not available" will be displayed.
#
DenyString Service out of order

# Where to redirect incoming FTP traffic. This destination
# will be used if a client has not set its own target.
# WARNING: ftp-proxy will refuse to run if this directive
# is not set.
#
# DestinationAddress server.domain.tld

# (Local) port range for all connections to the server. The
# default is to let the proxy select any ephemeral port.
#
# DestinationMinPort 42900
# DestinationMaxPort 42999

# This is the port corresponding to DestinationAddress. It
# defaults to 21, the standard FTP port.
#
# DestinationPort 21

# Specify the FTP transfer mode to be used from the proxy to
# the server. TransferMode can be active, passive, or client.
# The default is "client", which means to use the same mode
# as the client.
#
# DestinationTransferMode client
# DestinationTransferMode passive
# DestinationTransferMode active

# If given, change GID to give up root privileges. In POSIX
# environments this changes all group IDs.
#
# Group nogroup
# Group nobody

# Access information based upon users can also be obtained
# dynamically from an LDAP directory. This works only if the
# program was compiled with LDAP support. Both the University
# of Michigan and the Netscape LDAP API are supported.
#
# LDAPServer ldap.domain.tld[:port]

# When accessing the LDAP directory, a search base can be
# handed to the search functions. We strongly recommend
# doing so. This is the "root" of the relevant search tree.
#
# LDAPBaseDN dc=domain, dc=tld

# The next thing to decide when using LDAP is the attribute
# used as the main identifier. Some administrators will
# use the CN (Common Name) attribute, and this is also the
# default, but it can be any legal identifier.
#
# LDAPIdentifier LoginName

# Additionally, an LDAP ObjectClass should be defined for
# the FTP User(s). This will be especially useful if the
# user entries are located inside a mixed LDAP hierarchy.
# If an ObjectClass is given, the search is executed as
# "(&(ObjectClass=<class>)(CN=<name>))", else it will
# just be based upon CN (the Common Name) or whatever has
# been assigned to LDAPIdentifier above.
#
# LDAPObjectClass FTPProxyUser

# Set to listen on a specific interface (0.0.0.0 means all
# and is also the default). Address can be given as dotted
# decimal IP address or DNS host name.
#
# Listen 0.0.0.0
Listen 192.168.23.2

# Determine where to send logging information. If the value
# starts with a '/' it is assumed to be a file. If it starts
# with a '|' it is assumed to be a program which will be
# popen()-ed, i.e. started through the shell. Anything else
# is assumed to be a facility for syslog(). See
# ftp-proxy.conf(5) and the "SYSLOG" file for severity
# handling.
#
# LogDestination daemon
LogDestination /var/log/ftp-proxy.log
# LogDestination |/usr/bin/rotatelogs /var/log/ftp-proxy.log

# Maximum number of concurrent clients if running as daemon.
MaxClients 64

# This message (or rather the contents of a file with this
# name) will be issued when MaxClients is exceeded, each
# line prefixed with "421-". If no such file exists, only
# the MaxClientsString below will be displayed.
#
MaxClientsMessage /etc/proxy-suite/ftp-maxclients.txt

# This string (with a default of "Service not available")
# will be displayed if the configured maximum number of
# concurrent clients has been reached. It is prefixed with
# '421 '.
MaxClientsString The server is full

# The following entries select a port range for client DTP
# ports in passive mode, i.e. when the client sends a PASV.
# If no port range is given, no bind is performed, in which
# case the proxy lets the machine select an ephemeral port.
#
# PassiveMinDataPort 41000
# PassiveMaxDataPort 41999

# Write an ASCII file with the process ID if given. Only valid
# if running as daemon, in which case the daemon itself uses it.
#
# PidFile /var/run/ftp-proxy.pid

# Port to listen on (for the SERVER-PI). Default is "ftp".
# Can be given as TCP service name or as a plain number.
#
# Port ftp
Port 21

# The following flag specifies the action when a PORT command
# is received while a PASV listening socket is outstanding.
# The RFC is not really clear about the "correct" behaviour,
# but since most existing implementations seem to reset the
# listener, we do the same by default. Nevertheless they all
# may be ... inaccurate.
#
PortResetsPasv yes

# Shall we allow data connections only from the same host
# where the control connection originated? Default is yes.
# If you say no here, the proxy is able to take part in
# so-called third-party (server-to-server) transfers. That
# also means a client can have the proxy open data
# connections to hosts other than its own (the FTP bounce
# scenario), so leave it at yes unless you really need that.
#
# SameAddress yes
SameAddress no

# If given, chroot() to this directory after initializing.
# Only valid for inetd mode or forked clients; the daemon
# process itself stays where it is.
#
ServerRoot /var/ftp-proxy/rundir

# Determine whether to run as daemon or in inetd mode. This
# can be overridden by the -d/-i command line switch.
# Default is inetd.
#
# ServerType inetd
ServerType standalone

# Shall we use the TCP Wrapper library when running as daemon?
# "on", "yes", "true" or a non-zero number means yes, anything
# else no. Default no. Only applicable when running as daemon.
# Note that TCP Wrapper support must be compiled in for this
# to work.
#
# TCPWrapper yes

# If a client has no activity for this many seconds, it is
# regarded as dead and the connection will be terminated.
# Default is 900 seconds, i.e. 15 minutes.
#
TimeOut 900

# If the proxy server needs to advertise itself (in outgoing
# responses like answers to PASV commands) with a different
# address than it actually has, the following option can be
# used. Relevant e.g. when using a NAT device in the path.
#
# TranslatedAddress 0.0.0.0

# If given, change UID to give up root privileges. In POSIX
# environments this changes all user IDs.
#
# User nobody
# User ftpproxy

# List of FTP commands that will be allowed from a client.
# All commands not on this list will be rejected. If no list
# exists, then all commands will be allowed, i.e. the filter
# is deny-by-default only once a list is present.
# Each command can be followed by an optional equals sign
# and a regular expression (POSIX 1003.2) to restrict the
# legal argument syntax. In order to avoid confusing the
# configuration reading functions, the expression is
# "pre-processed": a sequence like "%20" will be replaced by
# a space and "%5c" or "%5C" by a backslash before being
# compiled. In fact, this looks a bit like the HTML way of
# doing things. The percent sign itself is represented by
# "%25", of course. The pattern is interpreted as a POSIX
# 1003.2 RE (with the REG_NEWLINE flag set) and is case
# sensitive. In any case, this works only if regular
# expression support was compiled into the program.
#
# ValidCommands ABOR, PASS, PASV, STOR, USER, \
#               MODE, QUIT, SYST

# This file will be presented to all clients immediately after
# the connection has been established. Each line is prefixed
# with "220-".
# The whole message is followed by a standard
# "220 <hostname> FTP server (<version>) ready" or whatever
# has been substituted with WelcomeString below. Escape
# sequences (like %h for hostname; see ftp-proxy.conf(5))
# are active.
#
WelcomeMessage /etc/proxy-suite/ftp-welcome.txt

# If we wanted to disguise the proxy as some other well-known
# FTP server, we could use the following option. It replaces
# the standard "<hostname> FTP server (<version>) ready" in
# the initial 220 message. As with all Messages and Strings,
# various escape sequences are available.
#
WelcomeString Welcome to %h

############################################################
# $Log: ftp-proxy.conf.sample,v $
# Revision 1.3  1999/09/24 06:39:43  wiegand
# added regular expressions for all commands
# removed character map and length of paths
# added flag to reset PASV on every PORT
# added "magic" user with built-in destination
# added some argument pointer fortification
#
# Revision 1.2  1999/09/17 11:04:02  wiegand
# added path name restriction options
#
# Revision 1.1  1999/09/16 07:53:54  wiegand
# initial checkin
#
############################################################
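The two client-side policy decisions the file configures, the "magic" USER name (AllowMagicUser, UseMagicChar, DestinationAddress/DestinationPort) and the ValidCommands list with its %XX pre-processed argument patterns, as an added worked example. This is illustration code written for this page, not Proxy-Suite's own source. It assumes that the magic character is split at its last occurrence (so an e-mail style login keeps its '@' when UseMagicChar is '%'), that target hosts are plain names or dotted quads, and that any %XX sequence is decoded (the file only names %20, %5c and %25); Python's re stands in for the POSIX 1003.2 engine, and the Policy/Target names and the sample ValidCommands value are constructed for the example.

```python
"""Added example, not Proxy-Suite code: a model of the USER-name and
ValidCommands checks described in ftp-proxy.conf.sample."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Target:
    user: str   # login name forwarded to the server
    host: str   # server the proxy will connect to
    port: int


@dataclass
class Policy:
    destination_address: str          # required: the proxy refuses to run without it
    destination_port: int = 21
    allow_magic_user: bool = False
    magic_char: str = "@"             # UseMagicChar
    # None models "no ValidCommands list": every command is allowed.
    valid_commands: Optional[Dict[str, Optional[re.Pattern]]] = None


_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # assumption: host names / dotted quads only


def resolve_target(raw_user: str, policy: Policy) -> Target:
    """Apply AllowMagicUser to the USER argument 'user[<magic>host[:port]]'.
    Assumption: the split happens at the LAST magic character."""
    if not policy.destination_address:
        raise ValueError("DestinationAddress is not set")
    default = Target(raw_user, policy.destination_address, policy.destination_port)
    if not policy.allow_magic_user:
        return default                # the client cannot redirect us
    user, sep, rest = raw_user.rpartition(policy.magic_char)
    if not sep:
        return default
    host, colon, port_text = rest.partition(":")
    port = policy.destination_port
    if colon:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port in USER: {port_text!r}")
        port = int(port_text)
    if not user or not _HOST_RE.match(host):
        raise ValueError(f"bad magic USER: {raw_user!r}")
    return Target(user, host, port)


_ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_escapes(text: str) -> str:
    """Undo the %XX pre-processing ('%20' -> ' ', '%5c' -> '\\', '%25' -> '%').
    Generalised to any %XX; one pass, so a decoded '%' is not decoded again."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_valid_commands(value: str) -> Optional[Dict[str, Optional[re.Pattern]]]:
    """Turn a ValidCommands value into {VERB: compiled pattern or None}.
    Backslash-newline continuations are joined, then items are split on
    commas/white space, which is why a comma inside a pattern must be %2c.
    An empty value yields None (no list at all)."""
    joined = re.sub(r"\\\r?\n[ \t]*", " ", value)
    table: Dict[str, Optional[re.Pattern]] = {}
    for item in re.split(r"[\s,]+", joined.strip()):
        if not item:
            continue
        verb, eq, pattern = item.partition("=")
        table[verb.upper()] = re.compile(decode_escapes(pattern)) if eq else None
    return table or None


def command_allowed(policy: Policy, line: str) -> bool:
    """Decide one control-connection line such as 'STOR report.txt' (CRLF
    stripped). Verbs match case-insensitively (RFC 959); the argument pattern
    is case sensitive and unanchored like regexec(), so anchor it with ^...$."""
    if policy.valid_commands is None:
        return True                   # no list: everything allowed
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb not in policy.valid_commands:
        return False                  # not listed: rejected
    pattern = policy.valid_commands[verb]
    return pattern is None or pattern.search(arg) is not None


# Constructed ValidCommands value, written as it would appear in the config
# (continuation line, %20 for a space inside a bracket expression, %2c for
# the comma of a {1,64} repetition).
SAMPLE_VALID_COMMANDS = (
    "USER, PASS, SYST, PWD, PASV, QUIT, \\\n"
    "              CWD=^[A-Za-z0-9._/%20-]+$, "
    "RETR=^[A-Za-z0-9._-]{1%2c64}$, STOR=^[A-Za-z0-9._-]{1%2c64}$"
)

OUTBOUND = Policy(destination_address="server.domain.tld", allow_magic_user=True,
                  magic_char="%", valid_commands=parse_valid_commands(SAMPLE_VALID_COMMANDS))

if __name__ == "__main__":
    print(resolve_target("me@mydomain%ftp.server:21", OUTBOUND))
    for cmd in ("STOR report.txt", "STOR ../etc/passwd", "SITE CHMOD 777 x",
                "CWD pub/incoming dir", "RETR " + "a" * 65):
        print(f"{cmd[:28]!r:32} -> {'allow' if command_allowed(OUTBOUND, cmd) else 'deny'}")
```

Two things worth seeing in it: with AllowMagicUser on, the USER argument selects the server, so an outbound proxy with this flag and no further restriction is an FTP relay for anyone who can reach it, and with the default '@' a login such as me@mydomain is itself read as "user me, host mydomain", which is exactly why the sample switches UseMagicChar to '%'. On the ValidCommands side, an unlisted verb is rejected outright, a listed verb without a pattern is passed as is, and the %XX decoding is what lets a pattern carry a space or a comma through the comma/white-space splitting of the config reader.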