This file is indexed.

/etc/proxy-suite/ftp-proxy.conf is in ftp-proxy 1.9.2.4-8.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

#####################################################################
#
# $Id: ftp-proxy.conf.sample,v 1.6.2.4 2005/01/11 13:00:01 mt Exp $
#
# Sample FTP Proxy Configuration File
#
# For more information, see ftp-proxy.conf(5) manual page.
#
# The general format is "Keyword Value".
#
# Any white space at the beginning or end of a line and after
# the Keyword is ignored. Lines can be continued with '\'.
# Case is *NOT* sensitive, so "user" is "User" is "USER".
#
# Several variables can also be assigned to a client's user name.
# User specific sections are introduced by a '[username]' line.
# The variables are: TimeOut, ValidCommands, SameAddress,
#                    ActiveMinDataPort, ActiveMaxDataPort,
#                    PassiveMinDataPort, PassiveMaxDataPort,
#                    DestinationAddress, DestinationPort,
#                    DestinationMinPort, DestinationMaxPort,
#                    DestinationTransferMode
# These variables can also be obtained from an LDAP server, in
# which case the values from this file are not evaluated any
# more.
#
#####################################################################
#
# The start of the file is implicitly the [-Global-] section.
# Directives in this section are the proxy-wide settings; the
# per-user variables listed in the file header can presumably be
# set again in a '[username]' section (see ftp-proxy.conf(5)).
#

[-Global-]

#
# The following entries select a port range for client DTP
# ports in active mode, i.e. when the client sends a PORT
# command. The default is port 20 as per RFC 959, if the
# proxy is running as root (user ID 0) or a random  port.
#
# ActiveMinDataPort	40000
# ActiveMaxDataPort	40999

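#
# The following flag is especially useful for outbound FTP
# traffic. It allows some "magic" to be put in the USER name.
# If set, it enables the USER name to contain the target
# server in the form "user[@host[:port]]" and overrides
# the DestinationAddress (and DestinationPort) below.
# Because the client then chooses the destination, enable
# it only where the clients allowed to connect and the
# networks reachable from the proxy are restricted accordingly.
# See also ForceMagicUser option.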
#
# AllowMagicUser	no

#
# The following setting allows you to configure a so-called
# transparent proxy for outgoing ftp. To get it working you
# also have to redirect client requests on a gateway or
# firewall host (i.e. via ipchains) to the ftp-proxy.
# You can combine this with the AllowMagicUser flag.
#
# AllowTransProxy	no

#
# This message prevents any login if a file with the given
# name exists. Instead the contents of the file will be sent
# to the client and the connection closed. Lines are prefixed
# with "421-". If no such file exists, the mechanism is not
# triggered and DenyString (s.b.) is ignored altogether.
#
# DenyMessage		/etc/proxy-suite/ftp-deny.txt

#
# If a DenyMessage file exists, the deny mechanism will be
# activated in any case. If a DenyString exists, it will be
# sent (with escape sequences) as the last line (with a 421
# reply code), else the standard message
# "Service not available" will be displayed.
#
# DenyString		 Service out of order

#
# Where to redirect incoming FTP traffic. This destination
# will be used if a client has not set its own target.
# WARNING: ftp-proxy will refuse to run if this directive
# is not set and transparent proxying is not enabled (see
# also AllowTransProxy).
#
# DestinationAddress	server.domain.tld
# Active setting: the destination is "localhost", i.e. an FTP
# server on the proxy host itself; the sample value above is
# left commented out.
DestinationAddress	localhost

#
# (Local) port range for all connections to the server. The
# default is to let the proxy select any ephemeral port.
#
# DestinationMinPort	42900
# DestinationMaxPort	42999

#
# This is the port corresponding to DestinationAddress. It
# defaults to 21, the standard FTP port.
#
# DestinationPort	21

#
# Specify the FTP transfer mode to be used from the proxy to
# the server. TransferMode can be active, passive, or client.
# The default is "client" which means to use the same as the
# client.
#
# DestinationTransferMode	client
# DestinationTransferMode	passive
# DestinationTransferMode	active

#
# Defines the action that is taken when a data transfer command
# fails on the server side. If set to "yes", the client
# socket will be reset after a command fails and the transfer
# mode reset to the default (active ftp).
# This option is a workaround for Netscape (4.x) clients, which
# send a second data transfer command if the first fails
# when the user clicks on a symbolic link pointing to a directory.
#
# FailResetsPasv	no

#
# Same as AllowMagicUser, but makes the host and port portion
# mandatory.
#
# ForceMagicUser	no

#
# Limits the number of incoming client connections per minute
# in daemon mode - it defaults to 40 connections per minute.
#
# ForkLimit		40

#
# If given, change GID to give up root privileges. In POSIX
# environments this changes all group ID's.
#
# Active setting: drop to the "nogroup" group.
# NOTE(review): a group shared with other services gives no
# isolation between them; consider a group dedicated to the
# proxy.
Group			nogroup
# Group			nobody

#
# Defines a different base distinguished name that is used
# when accessing an LDAP directory for user authentication
# purposes. Defaults to LDAPBaseDN.
#
# LDAPAuthDN		dc=domain,dc=tld

#
# Defines an attribute and its value as 'attr=value' string,
# that will be checked during user authentication.
#
# LDAPAuthOKFlag	allowedService=FTPProxy

#
# Defines  the LDAP password attribute name used for user
# authentication. Defaults to an empty string - password
# authentication disabled.
#
#LDAPAuthPWAttr		userPassword

#
# Defines password type used in LDAP followed by the minimal
# allowed password length (default is 5). Valid values are:
#   plain, crypt, {crypt}
# optionally followed by one number 0-9, i.e. {crypt}7,
# plain9 or plain. Defaults to plain (length is 5).
#
#LDAPAuthPWType		plain

#
# When accessing the LDAP directory, a search base can be
# handed to the search functions. We strongly recommend to
# do so. This is the "root" of the relevant search tree.
#
# LDAPBaseDN		dc=domain,dc=tld

#
# Use distinguished name to (simple) bind to the directory
# service. If not set, an anonymous bind is used.
# If (exactly one) %s is used, the %s will be replaced
# by the auth name (during user authentication) or the FTP
# user name.
#
# LDAPBindDN		uid=%s,dc=domain,dc=tld
# LDAPBindDN		uid=ftp-proxy,dc=domain,dc=tld

#
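# Use credential (password) to bind to the directory service
# using distinguished name given with LDAPBindDN.
# A password set here is stored in clear text: make sure this
# file is not world-readable before enabling it (the packaged
# copy is installed root:root with mode 0644).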
#
# LDAPBindPW		aPassword

#
# The next thing to decide when using LDAP is the attribute
# used as the main identifier. Some administrators will
# use the CN (Common Name) attribute, and this is also the
# default, but it can be any legal identifier.
#
# LDAPIdentifier	LoginName

#
# Additionally, an LDAP ObjectClass should be defined for
# the FTP User(s). This will be especially useful if the
# user entries are located inside a mixed LDAP hierarchy.
# If an ObjectClass is given, the search is executed as:
# "(&(ObjectClass=<class>)(CN=<username>))", else it will
# just be based upon CN (the Common Name) or whatever has
# been assigned to LDAPIdentifier above.
#
# LDAPObjectClass	FTPProxyUser

#
# Access information based upon users can also be obtained
# dynamically from an LDAP directory. This works only if the
# program was compiled with LDAP support. Both the University
# of Michigan and the Netscape LDAP API are supported.
#
# LDAPServer		ldap.domain.tld[:port]

#
# Set to listen on a specific interface (0.0.0.0 means all
# and is also the default). Address can be given as dotted
# decimal IP address or DNS host name.
#
# Listen		0.0.0.0

#
# Determine where to send logging information. If the value
# starts with a '/' it is assumed to be a file. If it starts
# with a '|' it is assumed to be a program which will be
# popen()-ed. Anything else is assumed to be a facility for
# syslog(). See ftp-proxy.conf(5) and the "SYSLOG" file for
# severity handling.
#
# LogDestination	daemon
# LogDestination	/var/log/ftp-proxy.log
# LogDestination	|/usr/bin/rotatelogs /var/log/ftp-proxy.log

#
# Defines the maximal level of logged messages. The levels
# are, in order of decreasing importance:
#      FLT, ERR, WRN, INF, DBG
# The default level is INF. A LogLevel set to WRN means
# that only messages of levels FLT, ERR, WRN will be logged.
#
# LogLevel		INF

#
# Maximum number of concurrent clients if running as daemon.
#
# MaxClients		64

#
# This message (or rather the contents of a file with this
# name) will be issued when MaxClients is exceeded, each
# line prefixed with "421-". If no such file exists, only
# the MaxClientsString below will be displayed.
#
# MaxClientsMessage	/etc/proxy-suite/ftp-maxclients.txt

#
# This string (with a default of "Service not available") will
# be displayed if the configured maximum number of concurrent
# clients has been reached. It is prefixed with '421 '.
#
# MaxClientsString	The server is full

#
# Defines the maximum number of bytes read from socket at once
# during data transfers. Default is to read all data as reported
# by the kernel.
# It may be useful to set a limit (e.g. to 8192) if your proxy
# machine uses two interfaces of different speed, i.e. the clients
# are accessing the proxy via a high-speed interface (e.g.
# FastEthernet) and the proxy is accessing servers using a slower
# one (e.g. modem, ISDN link) and your ftp clients abort the data
# transfers because of a timeout.
#
# MaxRecvBufSize	0

#
# The following entries select a port range for client DTP
# ports in passive mode, i.e. when the client sends a PASV.
# If no port range is given, no bind is performed, in which
# case the proxy lets the machine select an ephemeral port.
#
# PassiveMinDataPort	41000
# PassiveMaxDataPort	41999

#
# Write an ASCII file with the Program ID if given. Only valid
# if running as daemon, in which case the daemon itself uses it.
#
# PidFile		/var/run/ftp-proxy.pid

#
# Port to listen on (for the SERVER-PI). Default is "ftp".
# Can be given as TCP service name or as a plain number.
#
# Port			ftp
# Active setting: listen on TCP port 2121 instead of the
# default "ftp" service port.
Port 2121

#
# The following flag specifies the action when a PORT command
# is received while a PASV listening socket is outstanding.
# The RFC is not really clear about the "correct" behaviour,
# but since most existing implementations seem to reset the
# listener, we do the same by default. Nevertheless they all
# may be ... inaccurate.
#
# PortResetsPasv yes

#
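# Shall we allow data connections only from the same host where
# the control connection originated from? Default is yes. If
# you say no here, the proxy is able to take part in so-called
# third party server to server transfers. Keep the default
# unless such transfers are required: with "no", a data
# connection may come from a host other than the one that
# opened the control connection.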
#
# SameAddress		yes

#
# If given, chroot() to this directory after initializing.
#
# Note, that you have to create the /dev/null device and copy
# all needed libraries, configuration files, ... into this
# directory first!
#
# ServerRoot		/var/lib/ftp-proxy/rundir

#
# Determine whether to run as daemon or in inetd mode. This can
# be overridden by -d/-i command line switch. Default is inetd.
#
# ServerType		inetd
# ServerType		standalone

#
# Enable this flag if you want to use a random port in
# the specified range with PassiveMinDataPort/MaxDataPort,
# DestinationMinPort/MaxPort, ActiveMinDataPort/MaxDataPort
# instead of incrementing the port number.
#
# SockBindRand		no

#
# Shall we use the TCP Wrapper Library when running as daemon?
# "on", "yes", "true" or a non-zero number means yes, anything
# else no. Default no. Only applicable when running as daemon.
# Note that TCP Wrapper support must be compiled in for this to
# work.
#
# TCPWrapper		yes

#
# Defines the name to use for TCPWrapper checks. Default is
# to use the base name of the ftp-proxy binary (ftp-proxy).
#
# TCPWrapperName	ftp-proxy

# If a client has no activity for this many seconds, it is
# regarded to be dead and the connection will be terminated.
# Default is 900 seconds, i.e. 15 minutes.
#
# TimeOut		900

#
# If the proxy server needs to advertise itself (in outgoing
# responses to the ftp-server, like answers to PASV commands)
# with a different address than it actually has, the following
# option can be used. Relevant e.g. when using a NAT device
# in the path.
#
# TranslatedAddress	0.0.0.0

#
# If given, change UID to give up root privileges. In POSIX
# environments this changes all user ID's.
# If set, the proxy will use non-privileged ports (>1024) for
# active mode ftp transfers - see also ActiveMin/MaxDataPort.
#
# Active setting: drop to the "nobody" account.
# NOTE(review): an account shared with other services gives no
# isolation between them; the commented alternative below uses
# an account dedicated to the proxy.
User			nobody
# User			ftpproxy

#
# Defines the mechanism the proxy should use to authenticate
# users - currently "ldap" is implemented.
#
# UserAuthType		ldap

#
# Defines whether, and in which order, an additional user
# authentication name and password are encoded in the FTP USER
# and PASS commands, as supported by some ftp clients (e.g.
# @auth by NcFTP). Valid settings are:
#
#   @auth  for  ftpuser@authuser[@host:port]
#   auth@  for  authuser@[ftpuser@host:port]
#
# UserAuthMagic		@auth

#
# Defines the character to use as separator between user
# and host[:port] in the target setting of AllowMagicUser
# Default is the '@' character. This allows you to use
# E-Mail addresses as usernames for login to the ftp server
# (i.e. me@mydomain%ftp.server:21 if you set it to %).
#
# UseMagicChar		%
# UserMagicChar		%

#
# Allows a regular expression rule to be defined for validation
# of the user name. The default setting matches the usual
# cases, including E-Mail addresses and "domain/user" names:
#
# UserNameRule		^[[:alnum:]]+([%20@/\._-][[:alnum:]]+)*$


#
# List of FTP commands that will be allowed from a client.
# All commands not on this list will be rejected. If no list
# exists, then all commands will be allowed.
# Each command can be followed by an optional equals sign
# and regular expression (POSIX 1003.2) to restrict legal
# argument(s) syntax. In order to avoid confusing the
# configuration reading functions, the expression is "pre-
# processed." This means that a sequence like "%20" will be
# replaced by a space and "%5c" or "%5C" by a backslash
# before being compiled. In fact, this looks a bit like the
# HTML way of doing things. The percent sign itself is
# represented by "%25" of course. The pattern is interpreted
# as a POSIX 1003.2 RE (with REG_NEWLINE flag set), and is
# case sensitive. In any case, this works only if compiled
# with regular expression support compiled into the program.
#
# ValidCommands		ABOR, PASS, PASV, STOR, USER, \
#			MODE, QUIT, SYST

#
# This file will be presented to all clients immediately after
# the connection has been established. Each line is prefixed
# with "220-". The whole message is followed by a standard
# "220 <host> FTP server (<version>) ready" or whatever has
# been substituted with WelcomeString below. Escape sequences
# (like %h for hostname; see ftp-proxy.conf(5)) are active.
#
# WelcomeMessage	/etc/proxy-suite/ftp-welcome.txt

#
# If we wanted to disguise as some known other FTP server we
# could use the following option. It replaces the standard
# "<host> FTP server (<version>) ready" in the initial 220
# message. As with all Messages and Strings, various escape
# sequences are available.
#
# WelcomeString		Welcome to %h


############################################################
# $Log: ftp-proxy.conf.sample,v $
# Revision 1.6.2.4  2005/01/11 13:00:01  mt
# fixed default UserNameRule regexp rejecting user
# names where the 3. character is not alphanumeric
#
# Revision 1.6.2.3  2004/03/30 12:04:16  mt
# - changed awk,grep,logger paths to /bin and ServerRoot
#   to /var/lib/ftp-proxy/rundir (/var/ftp-proxy/rundir)
#   in rc-script and config samples
#
# Revision 1.6.2.2  2004/03/22 12:38:12  mt
# added UserNameRule option allowing a regex
# override of the builtin user name checks
#
# Revision 1.6.2.1  2003/05/07 11:07:49  mt
# added ForceMagicUser variable
#
# Revision 1.6  2002/05/02 13:44:52  mt
# added documented user auth related variables
#
# Revision 1.5  2002/01/14 19:15:01  mt
# actualized, added LogLevel TCPWrapperName MaxRecvBufSize options
#
# Revision 1.4  2001/11/06 23:04:44  mt
# applied / merged with transparent proxy patches v8
# see ftp-proxy/NEWS for more detailed release news
#
# Revision 1.3  1999/09/24 06:39:43  wiegand
# added regular expressions for all commands
# removed character map and length of paths
# added flag to reset PASV on every PORT
# added "magic" user with built-in destination
# added some argument pointer fortification
#
# Revision 1.2  1999/09/17 11:04:02  wiegand
# added path name restriction options
#
# Revision 1.1  1999/09/16 07:53:54  wiegand
# initial checkin
#
############################################################