##################################################################### # # $Id: ftp-proxy.conf.sample,v 1.6.2.4 2005/01/11 13:00:01 mt Exp $ # # Sample FTP Proxy Configuration File # # For more information, see ftp-proxy.conf(5) manual page. # # The general format is "Keyword Value". # # Any white space at the beginning or end of a line and after # the Keyword is ignored. Lines can be continued with '\'. # Case is *NOT* sensitive, so "user" is "User" is "USER". # # Several variables can also be assigned to a client's user name. # User specific sections are introduced by a '[username]' line. # The variables are: TimeOut, ValidCommands, SameAddress, # ActiveMinDataPort, ActiveMaxDataPort, # PassiveMinDataPort, PassiveMaxDataPort, # DestinationAddress, DestinationPort, # DestinationMinPort, DestinationMaxPort, # DestinationTransferMode # These variables can also be obtained from an LDAP server, in # which case the values from this file are not evaluated any # more. # ##################################################################### # # The start of the file is implicitly the [-Global-] section. # [-Global-] # # The following entries select a port range for client DTP # ports in active mode, i.e. when the client sends a PORT # command. The default is port 20 as per RFC 959, if the # proxy is running as root (user ID 0) or a random port. # # ActiveMinDataPort 40000 # ActiveMaxDataPort 40999 # # The follwing flag is especially useful for outbound FTP # traffic. It allows to put some "magic" in the USER name. # If set, it enables the USER name to contain the target # server in the form "user[@host[:port]]" and overrides # the DestinationAddress (and DestinationPort) below. # See also ForceMagicUser option. # # AllowMagicUser no # # The follwing setting allows you to configure a so called # transparent proxy for outgoing ftp. To get it working you # also have to redirect client requests on a gateway or # firewall host (i.e. via ipchains) to the ftp-proxy. # You can combine this with the AllowMagicUser flag. # # AllowTransProxy no # # This message prevents any login if a file with the given # name exists. Instead the contents of the file will be sent # to the client and the connection closed. Lines are prefixed # with "421-". If no such file exists, the mechanism is not # triggered and DenyString (s.b.) is ignored altogether. # # DenyMessage /etc/proxy-suite/ftp-deny.txt # # If a DenyMessage file exists, the deny mechanism will be # activated in any case. If a DenyString exists, it will be # sent (with escape sequences) as the last line (with a 421 # reply code), else the standard message # "Service not available" will be displayed. # # DenyString Service out of order # # Where to redirect incoming FTP traffic. This destination # will be used if a client has not set its own target. # WARNING: ftp-proxy will refuse to run if this directive # is not set and transparent proxying not enables (see also # AllowTransProxy). # # DestinationAddress server.domain.tld # # (Local) port range for all connections to the server. The # default is to let the proxy select any ephemeral port. # # DestinationMinPort 42900 # DestinationMaxPort 42999 # # This is the port corresponding to DestinationAddress. It # defaults to 21, the standard FTP port. # # DestinationPort 21 # # Specify the FTP transfer mode to be used from the proxy to # the server. TransferMode can be active, passive, or client. # The default is "client" which means to use the same as the # client. # # DestinationTransferMode client # DestinationTransferMode passive # DestinationTransferMode active # # Defines the action that is taken when a data transfer command # is failed on the server side. If set to "yes", the client # socket will be reset after a command is failed and the transfer # mode reset to the default (active ftp). # This option is a workarround for Netscape (4.x) clients, that # sends a second data transfer command if the first is failed # while "user click" on a symbolic link pointing to a directory. # # FailResetsPasv no # # Same as AllowMagicUser, but makes the host and port portion # mandatory. # # ForceMagicUser no # # Limits the number of incoming client connections per minute # in daemon mode - it defaults to 40 connections per minute. # # ForkLimit 40 # # If given, change GID to give up root privileges. In POSIX # environments this changes all group ID's. # # Group nogroup # Group nobody # # Defines a different base distinguished name that is used # when accessing an LDAP directory for user authentication # purposes. Defaults to LDAPBaseDN. # # LDAPAuthDN dc=domain,dc=tld # # Defines an attribute and its value as 'attr=value' string, # that will be checked while user authentication. # # LDAPAuthOKFlag allowedService=FTPProxy # # Defines the LDAP password attribute name used for user # authentication. Defaults to an empty string - password # authentication disabled. # #LDAPAuthPWAttr userPassword # # Defines password type used in LDAP followed by the minimal # allowed password length (default is 5). Valid values are: # plain, crypt, {crypt} # optionally followed by one number 0-9, i.e. {crypt}7, # plain9 or plain. Defaults to plain (length is 5). # #LDAPAuthPWType plain # # When accessing the LDAP directory, a search base can be # handed to the search functions. We strongly recommend to # do so. This is the "root" of the relevant search tree. # # LDAPBaseDN dc=domain,dc=tld # # Use distinguished name to (simple) bind to the directory # service. If not set, an annonymous bind is used. # If (exactly one) %s is used, the name will be replaced # by the auth name while user authentication or the FTP # user name. # # LDAPBindDN uid=%s,dc=domain,dc=tld # LDAPBindDN uid=ftp-proxy,dc=domain,dc=tld # # Use credential (password) to bind to the directory service # using distinguished name given with LDAPBindDN. # # LDAPBindPW aPassword # # The next thing to decide when using LDAP is the attribute # used as the main identificator. Some administrators will # use the CN (Common Name) attribute, and this is also the # default, but it can be any legal identifier. # # LDAPIdentifier LoginName # # Additionally, an LDAP ObjectClass should be defined for # the FTP User(s). This will be especially useful if the # user entries are located inside a mixed LDAP hierarchy. # If an ObjectClass is given, the search is executed as: # "(&(ObjectClass=)(CN=))", else it will # just be based upon CN (the Common Name) or whatever has # been assigned to LDAPIdentifier above. # # LDAPObjectClass FTPProxyUser # # Access information based upon users can also be obtained # dynamically from an LDAP directory. This works only if the # program was compiled with LDAP support. Both the University # of Michigan and the Netscape LDAP API are supported. # # LDAPServer ldap.domain.tld[:port] # # Set to listen on a specific interface (0.0.0.0 means all # and is also the default). Address can be given as dotted # decimal IP address or DNS host name. # # Listen 0.0.0.0 # # Determine where to send logging information. If the value # starts with a '/' it is assumed to be a file. If it starts # with a '|' it is assumed to be a program which will be # popen()-ed. Anything else is assumed to be a facility for # syslog(). See ftp-proxy.conf(5) and the "SYSLOG" file for # severity handling. # # LogDestination daemon # LogDestination /var/log/ftp-proxy.log # LogDestination |/usr/bin/rotatelogs /var/log/ftp-proxy.log # # Defines the maximal level of logged messages. The levels # are, in order of decreasing importance: # FLT, ERR, WRN, INF, DBG # The default level is INF. A LogLevel set to WRN causes, # that only messages of levels FLT, ERR, WRN will be logged. # # LogLevel INF # # Maximum number of concurrent clients if running as daemon. # # MaxClients 64 # # This message (or rather the contents of a file with this # name) will be issued when MaxClients is exceeded, each # line prefixed with "421-". If no such file exists, only # the MaxClientsString below will be displayed. # # MaxClientsMessage /etc/proxy-suite/ftp-maxclients.txt # # This string (with a default of "Service not available" will # be displayed, if the configured maximum number of concurrent # clients has been reached. It is prefixed with '421 '. # # MaxClientsString The server is full # # Defines the maximum number of bytes read from socket at once # while data transfers. Default is to read all data as reported # by the kernel. # It may be usefull to set a limit (i.e. to 8192), if your proxy # machine uses two interfaces of different speed, i.e. the clients # are accessing the proxy via a high-speed interface (i.e. # FastEthernet) and the proxy is accessing servers using a slower # one (i.e. modem, ISDN link) and your ftp-clients aborts the data # transfers because of a timeout. # # MaxRecvBufSize 0 # # The following entries select a port range for client DTP # ports in passive mode, i.e. when the client sends a PASV. # If no port range is given, no bind is performed, in which # case the proxy lets the machine select an ephemeral port. # # PassiveMinDataPort 41000 # PassiveMaxDataPort 41999 # # Write an ASCII file with the Program ID if given. Only valid # if running as daemon, in which case the daemon itself uses it. # # PidFile /var/run/ftp-proxy.pid # # Port to listen on (for the SERVER-PI). Default is "ftp". # Can be given as TCP service name or as a plain number. # # Port ftp # # The following flag specifies the action when a PORT command # is received while a PASV listening socket is outstanding. # The RFC is not really clear about the "correct" behaviour, # but since most existing implementations seem to reset the # listener, we do the same by default. Nevertheless they all # may be ... inaccurate. # # PortResetsPasv yes # # Shall we allow data connections only from the same host where # the control connection originated from? Default is yes. If # you say no here, the proxy is able to take part in so called # third party server to server transfers. # # SameAddress yes # # If given, chroot() to this directory after initializing. # # Note, that you have to create the /dev/null device and copy # all needed libraries, configuration files, ... into this # directory first! # # ServerRoot /var/lib/ftp-proxy/rundir # # Determine whether to run as daemon or in inetd mode. This can # be overridden by -d/-i command line switch. Default is inetd. # # ServerType inetd # ServerType standalone # # Enable this flag if you want to use a random port in # the specified range with PassiveMinDataPort/MaxDataPort, # DestinationMinPort/MaxPort, ActiveMinPort/MaxDataPort # instead of incrementing the port number. # # SockBindRand no # # Shall we use the TCP Wrapper Library when running as daemon? # "on", "yes", "true" or a non-zero number means yes, anything # else no. Default no. Only applicable when running as daemon. # Note that TCP Wrapper support must be compiled in for this to # work. # # TCPWrapper yes # # Defines the name to use for TCPWrapper checks. Default is # to use the base name of the ftp-proxy binary (ftp-proxy). # # TCPWrapperName ftp-proxy # If a client has no activity for this many seconds, it is # regarded to be dead and the connection will be terminated. # Default is 900 seconds, i.e. 15 minutes. # # TimeOut 900 # # If the proxy server needs to advertise itself (in outgoing # responses to the ftp-server, like answers to PASV commands) # with a different address than it actually has, the following # option can be used. Relevant e.g. when using a NAT device # in the path. # # TranslatedAddress 0.0.0.0 # # If given, change UID to give up root privileges. In POSIX # environments this changes all user ID's. # If set, the proxy will use non-privileged ports (>1024) for # active mode ftp transfers - see also ActiveMin/MaxDataPort. # # User nobody # User ftpproxy # # Defines the mechanism, the proxy should use to authenticate # users - currently "ldap" is implemented. # # UserAuthType ldap # # Defines if additional and the order of user authentication # name and password should be encoded in FTP USER and PASS # commands, as supported by some ftp-client's (i.e. @auth by # NcFTP). Valid settings are: # # @auth for ftpuser@authuser[@host:port] # auth@ for authuser@[ftpuser@host:port] # # UserAuthMagic @auth # # Defines the character to use as separator between user # and host[:port] in the target setting of AllowMagicUser # Default is the '@' character. This allows you to use # E-Mail addresses as usernames for login to the ftp server # (i.e. me@mydomain%ftp.server:21 if you set it to %). # # UseMagicChar % # UserMagicChar % # # Allows to define a regular expression rule for validation # of the user name. The default setting matches the usual # cases inclusive E-Mail adresses and "domain/user" names: # # UserNameRule ^[[:alnum:]]+([%20@/\._-][[:alnum:]]+)*$ # # List of FTP commands that will be allowed from a client. # All commands not on this list will be rejected. If no list # exists, then all commands will be allowed. # Each command can be followed by an optional equals sign # and regular expression (POSIX 1003.2) to restrict legal # argument(s) syntax. In order to avoid confusing the # configuration reading functions, the expression is "pre- # processed." This means that a sequence like "%20" will be # replaced by a space and "%5c" or "%5C" by a backslash # before being compiled. In fact, this looks a bit like the # HTML way of doing things. The percent sign itself is # represented by "%25" of course. The pattern is interpreted # as a POSIX 1003.2 RE (with REG_NEWLINE flag set), and is # case sensitive. In any case, this works only if compiled # with regular expression support compiled into the program. # # ValidCommands ABOR, PASS, PASV, STOR, USER, \ # MODE, QUIT, SYST # # This file will be presented to all clients immediately after # the connection has been established. Each line is prefixed # with "220-". The whole message is followed by a standard # "220 FTP server () ready" or whatever has # been substituted with WelcomeString below. Escape sequences # (like %h for hostname; see ftp-proxy.conf(5)) are active. # # WelcomeMessage /etc/proxy-suite/ftp-welcome.txt # # If we wanted to disguise as some known other FTP server we # could use the following option. It replaces the standard # " FTP server () ready" in the initial 220 # message. As with all Messages and Strings, various escape # sequences are available. # # WelcomeString Welcome to %h ############################################################ # $Log: ftp-proxy.conf.sample,v $ # Revision 1.6.2.4 2005/01/11 13:00:01 mt # fixed default UserNameRule regexp rejecting user # names where the 3. character is not alphanumeric # # Revision 1.6.2.3 2004/03/30 12:04:16 mt # - changed awk,grep,logger paths to /bin and ServerRoot # to /var/lib/ftp-proxy/rundir (/var/ftp-proxy/rundir) # in rc-script and config samples # # Revision 1.6.2.2 2004/03/22 12:38:12 mt # added UserNameRule option allowing a regex # override of the builtin user name checks # # Revision 1.6.2.1 2003/05/07 11:07:49 mt # added ForceMagicUser variable # # Revision 1.6 2002/05/02 13:44:52 mt # added documented user auth related variables # # Revision 1.5 2002/01/14 19:15:01 mt # actualized, added LogLevel TCPWrapperName MaxRecvBufSize options # # Revision 1.4 2001/11/06 23:04:44 mt # applied / merged with transparent proxy patches v8 # see ftp-proxy/NEWS for more detailed release news # # Revision 1.3 1999/09/24 06:39:43 wiegand # added regular expressions for all commands # removed character map and length of paths # added flag to reset PASV on every PORT # added "magic" user with built-in destination # added some argument pointer fortification # # Revision 1.2 1999/09/17 11:04:02 wiegand # added path name restriction options # # Revision 1.1 1999/09/16 07:53:54 wiegand # initial checkin # ############################################################