| FTP-PROXY(8) | System Manager's Manual | FTP-PROXY(8) | 
ftp-proxy —
| ftp-proxy | [ -6Adrv]
      [-aaddress]
      [-baddress]
      [-Dlevel]
      [-inetif]
      [-mmaxsessions]
      [-Pport]
      [-pport]
      [-qqueue]
      [-Raddress]
      [-Ttag]
      [-ttimeout] | 
ftp-proxy is a proxy for the Internet File Transfer
  Protocol. FTP control connections should be redirected into the proxy using
  the ipnat(4) or
  pf(4) rdr
  command, after which the proxy connects to the server on behalf of the client.
The proxy allows data connections to pass, rewriting and
    redirecting them so that the right addresses are used. All connections from
    the client to the server have their source address rewritten so they appear
    to come from the proxy. Consequently, all connections from the server to the
    proxy have their destination address rewritten, so they are redirected to
    the client. The proxy uses the
    pf(4) anchor
    facility for this, unless the option -i is
    specified, it will then use the
    ipnat(4) interface.
Assuming the FTP control connection is from $client to $server,
    the proxy connected to the server using the $proxy source address, and $port
    is negotiated, then ftp-proxy adds the following
    rules to the various anchors. (These example rules use inet, but the proxy
    also supports inet6.)
In case of active mode (PORT or EPRT):
rdr from $server to $proxy port $port -> $client
pass quick inet proto tcp \
    from $server to $client port $port
In case of passive mode (PASV or EPSV):
nat from $client to $server port $port -> $proxy
pass in quick inet proto tcp \
    from $client to $server port $port
pass out quick inet proto tcp \
    from $proxy to $server port $port
The options are as follows:
-6-A-a
    address-b
    address-D
    level-d-i
    netifftp-proxy for use with IP-Filter. The argument
      netif should be set to the name of the network
      interface where rdr is applied on.-m
    maxsessions-P
    port-R. The default is port 21.-p
    port-q
    queue-R
    address-r-T
    tag-t
    timeout-vftp-proxy. Use twice to set the 'log-all' flag.
      The pf rules do not log by default.In the NAT section:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan to any port 21 -> \
    127.0.0.1 port 8021
In the rule section:
anchor "ftp-proxy/*" pass out proto tcp from $proxy to any port 21
To make use of the proxy using ipnat(4), ipnat.conf(5) need the following rule:
rdr $int_if any port 21 -> 127.0.0.1 port 8021 tcp
ftp-proxy cannot add rules to the anchors and
  FTP data connections may get blocked.
Negotiated data connection ports below 1024 are not allowed.
The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
ftp-proxy chroots to
    "/var/chroot/ftp-proxy" and changes to user "_proxy" to
    drop privileges.
| September 21, 2019 | NetBSD 10.0 |