ftp-proxy — format of ftp-proxy component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the ftp-proxy component configuration.

Repeatable sections/items are marked by the '*' before the section/item name.

Configuration directives have attributes of several value-types. For the description of the basic types, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, using names is obligatory.

The following enumerations are used in ftp-proxy configuration directives:
yes-no (see common(5))
nls (see common(5))
permission (see common(5))
direction (see common(5))
ip-version (see common(5))
osi4-proto (see common(5))
time-cond (see common(5))
zip-mode (see common(5))
obligation (see common(5))
range-op (see common(5))
dbglev (see log(5))
logfail-mode (see log(5))
week-day (see time(5))
month (see time(5))
lock-type (see ipc(5))
auth-method (see auth(5))
virus-status (see antivirus(5))
source-address-mode (see source-address(5))
transparency (see acl(5))
user-auth-spec (see acl(5))
doctype-ident-method (see acl(5))
header-op (see acl(5))
listen-on-sock (see listen-on(5))

pass-remove (name-usage obligatory)
    Passing/removing features.
    remove, pass

data-type (name-usage obligatory)
    Data connection method used to the server.
    auto      No method is preferred by this particular configuration item.
    active    Use the active method (PORT command).
    passive   Use the passive method (EPSV, or PASV in case of error).

ftp-cmd (name-usage obligatory)
    FTP commands.
    NONE, ABOR, ACCT, ADAT, ALLO, APPE, AUTH, BNB, CCC, CDUP, CLNT, CONF,
    CPSV, CWD, DELE, ENC, EPRT, EPSV, FEAT, HELP, LANG, LIST, LPRT, LPSV,
    MDTM, MIC, MKD, MLSD, MLST, MODE, MFMT, MFCT, MFF, MAIL, MLFL, MSAM,
    MSND, MSOM, MRCP, MRSQ, NLST, NOOP, OPEN, OPTS, PASS, PASSERVE, PASV,
    PBSZ, PORT, PROT, PWD, QUIT, REIN, REST, RETR, RMD, RNFR, RNTO, SITE,
    SIZE, SMNT, SSCN, STAT, STOR, STOU, STRU, SYST, TYPE, USER, XCWD, XCUP,
    XMKD, XPWD, XRMD
    UNKNOWN   This "command" setting will be used for all unknown commands.
Configuration of the ftp-proxy library component consists of the following prototypes:

* ftp-proxy name { ... }

ftp-proxy name {
    phase ... ;
    * tag ... ;
    log-debug { ... }
    log-stats { ... }
    use-resolver ... ;
    cfg-resolution ... ;
    monitoring { ... }
    stats-daily { ... }
    stats-weekly { ... }
    stats-monthly { ... }
    nodaemon ... ;
    singleproc ... ;
    app-user ... ;
    idle-timeout ... ;
    run-block-sigalrm ... ;
    listen-on { ... }
    tcpserver { ... }
    source-address ... ;
    doctype-identification { ... }
    client-ctrl { ... }
    server-ctrl { ... }
    client-data { ... }
    server-data { ... }
    init-timeout ... ;
    init-cmdlimit ... ;
    * data-transfer ... ;
    retry-data ... ;
    * session-acl name { ... }
    * command-acl name { ... }
    * doc-acl name { ... }
}

This section defines FTP-proxy attributes.
The ftp-proxy section is derived from the proxy section prototype. For a detailed description of it, see application(5).

In the ftp-proxy section:
    Section udpserver is not valid.
    At least one SESSION-ACL must be specified (the proxy must be named in some SYSTEM.ACL.SERVICES).
    At least one COMMAND-ACL must be specified.
    At least one DOC-ACL must be specified.

monitoring (see monitoring(5))
    Item aproxy-user is not valid.
    Item data used as file.

idle-timeout (see application(5))
    Element seconds is optional, default: 900.

listen-on.non-transparent (see listen-on(5))
    Element port is optional, default: 21.
    Element proto is optional, default: tcp.

listen-on.transparent (see listen-on(5))
    Element port is optional, default: 21.
    Element proto is optional, default: tcp.

doctype-identification.order (see acl(5))
    Only EXTENSION and MAGIC are allowed for doctype identification.
client-ctrl {
    recv-bufsize ... ;
    close-timeout ... ;
    send-bufsize ... ;
    log-limit ... ;
}

Client control connection options.
The client-ctrl section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).

In the client-ctrl section:
    Item conn-timeout is not valid.
    Item recv-timeout is not valid.
    Item send-timeout is not valid.

recv-bufsize (see netio(5))
    Element bytes is optional, default: 1536.

server-ctrl {
    conn-timeout ... ;
    recv-bufsize ... ;
    close-timeout ... ;
    send-bufsize ... ;
    log-limit ... ;
}

Server control connection options.

client-data {
    conn-timeout ... ;
    recv-bufsize ... ;
    close-timeout ... ;
    send-bufsize ... ;
    log-limit ... ;
}

Client data connection options.
The client-data section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).

In the client-data section:
    Item recv-timeout is not valid.
    Item send-timeout is not valid.

server-data {
    conn-timeout ... ;
    recv-bufsize ... ;
    close-timeout ... ;
    send-bufsize ... ;
    log-limit ... ;
}

Server data connection options.
The server-data section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).

In the server-data section:
    Item recv-timeout is not valid.
    Item send-timeout is not valid.
init-timeout [seconds];
    Initialization timeout.
    seconds (type: uint16, optional, default: 120)

init-cmdlimit [number];
    Maximum number of initialization commands.
    number (type: uint16, optional, default: 10)

data-transfer type [list];
    Data transfer method for particular servers.
    type (type: data-type)
        (AUTO means here that the connection method is learned from the client)
    list (type: host-set, optional, default: *)

retry-data [attempts];
    After a successful write of one block of data, try several attempts to transfer other blocks without checking the control connection.
    attempts (type: uint8, optional, default: 0)
        (0 means don't try data, always check the control connection)
session-acl name {
    * from ... ;
    * to ... ;
    * time ... ;
    time-period-set { ... }
    deny ... ;
    accept ... ;
    * doctype-ident-order ... ;
    rule ... ;
    auth ... ;
    idle-timeout ... ;
    source-address ... ;
    plug-to ... ;
    language ... ;
    msgs { ... }
    hand-off ... ;
    data-port ... ;
    htftp-mode ... ;
}

The first level ACL decides how to handle incoming connections (namely the communication language, the authentication procedure, forwarding the connection to another server etc.).
The session-acl section is derived from the acl-1 section prototype. For a detailed description of it, see acl(5).

In the session-acl section:
    Item user is not valid.
    Item idle-timeout-peer is not valid.
    An authentication method must be set.

doctype-ident-order (see acl(5))
    Only EXTENSION and MAGIC are allowed for doctype identification.

auth (see auth(5))
    OOB authentication mode cannot be ALLOWED.

language code;
    Language and charset of responses generated by Kernun.
    If omitted in SESSION-ACL, English is used. If omitted in higher layer ACLs, the settings from the lower layer are used.
    code (type: nls)

msgs {
    welcome ... ;
    hello-conn ... ;
    hello-autr ... ;
    hello-aunt ... ;
    hello-user ... ;
}

Messages used by FTP-proxy.

welcome text;
    Initial message, part one: introducing the host.
    text (type: str)

hello-conn text;
    Initial message, part two: remote user and host required.
    text (type: str)

hello-autr text;
    Initial message, part two: authentication and remote user required.
    text (type: str)

hello-aunt text;
    Initial message, part two: authentication user, remote user and host required.
    text (type: str)

hello-user text;
    Initial message, part two: remote user required.
    text (type: str)

[End of section ftp-proxy.session-acl.msgs description.]

hand-off addr cmd [data];
    Forwarding next-hop proxy.
    addr (type: sock) Proxy address:port.
    cmd (type: str) Proxy command name (USER or alias of SITE).
    data (type: data-type, optional, default: auto) Data transfer method to the proxy.
        (AUTO means here that no exclusive data transfer mode is required by the next-hop proxy)

data-port port;
    Port used for active data connections to clients.
    If omitted, the generic port is used.
    port (type: port) (non-generic port number/service name)

htftp-mode;
    Client is served in HTTP<->FTP mode.

[End of section ftp-proxy.session-acl description.]
command-acl name {
    * from ... ;
    * server ... ;
    * user ... ;
    * time ... ;
    time-period-set { ... }
    * session-acl ... ;
    deny ... ;
    accept ... ;
    * doctype-ident-order ... ;
    rule ... ;
    enable-port ... ;
    * command ... ;
    * feature ... ;
    control-client-altq ... ;
    control-server-altq ... ;
    data-client-altq ... ;
    data-server-altq ... ;
}

The second level ACL decides how to handle particular protocol commands depending on client parameters, destination server, proxy-user etc.
The command-acl section is derived from the acl-2 section prototype. For a detailed description of it, see acl(5).

In the command-acl section:
    Item parent-acl used as session-acl.
    Command configuration must be set.

doctype-ident-order (see acl(5))
    Only EXTENSION and MAGIC are allowed for doctype identification.
enable-port;
    Allow the user to specify a port.
    If omitted, only the default port can be used.

command names permit [size size];
command names deny;
command names abort;
    Allow/deny particular commands, set size limits.
    Each command is checked against the COMMAND items in the order of their appearance in the cfg file, and the first matching one is used. If none matches, the command is denied.
    names (type: ftp-cmd-set) (set of commands)
    permit | deny | abort (type: permission) (command permission)
    size (type: uint64, optional, default: 0) (command size limit, 0 = no limit)
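The matching order described above (first matching COMMAND item wins, no match means deny, verbs outside the ftp-cmd enumeration fall under UNKNOWN) can be modelled in a few lines. The following is an added example, not code from Kernun or this man page; the CommandRule class, the evaluate_command() function, the READ_ONLY_RULES policy and the subset of command names are assumptions constructed for the illustration:

```python
"""Model of ftp-proxy COMMAND-ACL evaluation (added example, not Kernun code).

Assumptions of this example: the CommandRule class, evaluate_command() and the
constructed policy below are the example's own. The semantics modelled are the
ones the man page states: COMMAND items are checked in the order they appear,
the first matching one is used, a command matching no item is denied, size 0
means no limit, and a verb outside the ftp-cmd enumeration is matched as UNKNOWN.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed subset of the ftp-cmd enumeration from the man page.
KNOWN_COMMANDS = frozenset({
    "ABOR", "CWD", "DELE", "EPSV", "FEAT", "LIST", "MKD", "NLST", "NOOP",
    "PASS", "PASV", "PORT", "PWD", "QUIT", "RETR", "RMD", "SITE", "SIZE",
    "STOR", "SYST", "TYPE", "USER",
})

ANY = "*"   # stands for an ftp-cmd-set that matches every command


@dataclass(frozen=True)
class CommandRule:
    """One 'command names permit|deny|abort [size N];' item."""
    names: FrozenSet[str]
    permission: str        # 'permit', 'deny' or 'abort'
    size: int = 0          # size limit for 'permit' rules; 0 = no limit

    def matches(self, cmd: str) -> bool:
        return ANY in self.names or cmd in self.names


def normalize(line: str) -> str:
    """Map an FTP command line to its ftp-cmd name; unknown verbs become UNKNOWN."""
    verb = line.strip().split(" ", 1)[0].upper()
    return verb if verb in KNOWN_COMMANDS else "UNKNOWN"


def evaluate_command(rules: List[CommandRule], line: str) -> Tuple[str, int]:
    """Return (permission, size_limit) for one command line.

    The first matching rule wins; with no match the command is denied.
    The size limit is only reported for 'permit' decisions (0 = no limit).
    """
    cmd = normalize(line)
    for rule in rules:
        if rule.matches(cmd):
            limit = rule.size if rule.permission == "permit" else 0
            return rule.permission, limit
    return "deny", 0          # default: deny anything no COMMAND item covers


# Constructed read-only policy: browsing and downloads allowed, uploads and
# directory changes denied, SITE and unknown verbs abort the session.
READ_ONLY_RULES = [
    CommandRule(frozenset({"USER", "PASS", "SYST", "TYPE", "PWD", "CWD",
                           "PASV", "EPSV", "LIST", "NLST", "SIZE", "NOOP",
                           "QUIT"}), "permit"),
    CommandRule(frozenset({"RETR"}), "permit", size=10_000_000),
    CommandRule(frozenset({"STOR", "DELE", "RMD", "MKD"}), "deny"),
    CommandRule(frozenset({"SITE", "UNKNOWN"}), "abort"),
]


if __name__ == "__main__":
    for line in ("USER alice", "RETR report.pdf", "STOR upload.bin",
                 "PORT 192,0,2,10,4,1", "XYZZY", "site chmod 644 x"):
        print(f"{line:22} -> {evaluate_command(READ_ONLY_RULES, line)}")
```

Note that PORT is denied by the constructed policy although no rule names it: that is the default-deny behaviour the man page describes, so a policy that lists only what it permits is closed by construction.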
feature names [param param] policy;
    Allow/deny particular features offered by the server as a response to the FEAT command.
    Each feature found in the response is checked against the FEATURE items in the order of their appearance in the cfg file, and the first matching one is used. If the feature has a parameter, the parameter is additionally checked against the PARAM element of the particular FEATURE item.
    If no FEATURE item matches, a default behavior hardcoded in the proxy is used. The strategy is strict: pass only features surely supported by the proxy. The current version of the proxy passes the following features: LANG, MDTM, MLST, REST, SIZE, TVFS, TYPE, UTF8.
    names (type: str-set) (set of features)
    param (type: str-set, optional, default: *) (feature parameter criterion)
    policy (type: pass-remove) (feature passing/removal)
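The FEAT filtering just described (first matching FEATURE item wins, the PARAM criterion applies to a feature's parameter, and anything left unmatched falls back to the proxy's hardcoded pass list) is shown below on a constructed server reply. This is an added example, not Kernun code: the FeatureRule class, parse_feat(), decide(), filter_feat(), rebuild_reply() and the sample reply and policy are assumptions of the example, as is the choice that a rule restricted to specific parameters does not match a feature that carries no parameter.

```python
"""FEAT response filtering modelled on the ftp-proxy FEATURE item (added
example, not Kernun code).

Assumptions of this example: the FeatureRule class, the function names and
the constructed reply/policy below are the example's own, as is treating a
parameterless feature as not matching a rule restricted to specific PARAM
values. The first-match order, the PARAM check and the hardcoded default pass
list (LANG, MDTM, MLST, REST, SIZE, TVFS, TYPE, UTF8) follow the man page.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

ANY = "*"

# Features the proxy passes when no FEATURE item matches (list from the man page).
DEFAULT_PASS = frozenset({"LANG", "MDTM", "MLST", "REST", "SIZE", "TVFS", "TYPE", "UTF8"})


@dataclass(frozen=True)
class FeatureRule:
    """One 'feature names [param param] pass|remove;' item."""
    names: FrozenSet[str]
    policy: str                                   # 'pass' or 'remove'
    param: FrozenSet[str] = frozenset({ANY})      # default '*': any parameter

    def matches(self, name: str, param: str) -> bool:
        if ANY not in self.names and name not in self.names:
            return False
        if ANY in self.param:
            return True
        # Assumption: a rule constrained to specific parameters does not match
        # a feature that carries no parameter at all.
        return param != "" and param in self.param


def parse_feat(reply: str) -> List[str]:
    """Extract the feature lines of a multi-line 211 FEAT reply (RFC 2389 layout):
    every line between '211-Features:' and '211 End' starts with one space."""
    lines = reply.splitlines()
    return [ln[1:] for ln in lines[1:-1] if ln.startswith(" ")]


def decide(rules: List[FeatureRule], feature: str) -> str:
    """Return 'pass' or 'remove' for one feature line ("NAME [parameter]")."""
    name, _, param = feature.partition(" ")
    name = name.upper()
    for rule in rules:
        if rule.matches(name, param):
            return rule.policy
    return "pass" if name in DEFAULT_PASS else "remove"   # hardcoded default


def filter_feat(rules: List[FeatureRule], reply: str) -> List[str]:
    """Return the feature lines the client is allowed to see."""
    return [f for f in parse_feat(reply) if decide(rules, f) == "pass"]


def rebuild_reply(features: List[str]) -> str:
    """Re-assemble the filtered feature list as a FEAT reply for the client."""
    body = "".join(f" {f}\r\n" for f in features)
    return "211-Features:\r\n" + body + "211 End\r\n"


# Constructed FEAT reply, as a server might send it.
SERVER_REPLY = (
    "211-Features:\r\n"
    " MDTM\r\n"
    " REST STREAM\r\n"
    " SIZE\r\n"
    " AUTH TLS\r\n"
    " MLST type*;size*;modify*;\r\n"
    " UTF8\r\n"
    " PBSZ\r\n"
    "211 End\r\n"
)

# Constructed policy: REST is passed only in STREAM mode and removed otherwise,
# UTF8 is hidden from clients; everything else falls through to DEFAULT_PASS.
RULES = [
    FeatureRule(frozenset({"REST"}), "pass", frozenset({"STREAM"})),
    FeatureRule(frozenset({"REST"}), "remove"),
    FeatureRule(frozenset({"UTF8"}), "remove"),
]

if __name__ == "__main__":
    print(rebuild_reply(filter_feat(RULES, SERVER_REPLY)), end="")
```

The two REST rules show why order matters: the narrow pass rule has to come before the general remove rule, otherwise the remove rule would match first and "REST STREAM" would never be passed. AUTH TLS and PBSZ are stripped without any rule, because the fallback passes only the listed features.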
control-client-altq altq [paltq paltq];
    ALTQ queues for data sent to the client on the control connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

control-server-altq altq [paltq paltq];
    ALTQ queues for data sent to the server on the control connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

data-client-altq altq [paltq paltq];
    ALTQ queues for data sent to the client on the data connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

data-server-altq altq [paltq paltq];
    ALTQ queues for data sent to the server on the data connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

[End of section ftp-proxy.command-acl description.]
doc-acl name {
    * from ... ;
    * server ... ;
    * user ... ;
    * time ... ;
    time-period-set { ... }
    * command-acl ... ;
    deny ... ;
    accept ... ;
    rule ... ;
    direction ... ;
    * mime-type ... ;
    force-doctype-ident ... ;
    html-filter ... ;
    * filename ... ;
    antivirus ... ;
    accept-antivirus-status ... ;
    control-client-altq ... ;
    control-server-altq ... ;
    data-client-altq ... ;
    data-server-altq ... ;
}

The third level ACL decides how to handle particular files transferred via the proxy (denial, antivirus check or filtering) depending on the file name, type (guessed from the file name) and transfer direction.
WARNING! Items FILENAME and MIME-TYPE are two different kinds of items. According to the general Kernun ACL matching rules they are completely independent, and if both are present, the file must match both conditions to match the particular DOC-ACL.
The doc-acl section is derived from the acl-3 section prototype. For a detailed description of it, see acl(5).

In the doc-acl section:
    Item parent-acl used as command-acl.
    Item size is not valid.
    Item content-type is not valid.
    Item virus-status is not valid.
    Item modify-header is not valid.
    Item replace is not valid.
    Item ANTIVIRUS is not allowed if DENY is on.
    Item ACCEPT-ANTIVIRUS-STATUS is not allowed if DENY is on.

filename names;
    Entry condition - name of the transferred file.
    names (type: str-set) Only the last part of the file name (without path) is used for matching.
antivirus channel [interval interval] [chunk chunk] [limit limit];
    Antivirus usage mode.
    Check the document by antivirus, with settings for passing an initial part of unchecked data through the antivirus module during antivirus checking.
    channel (type: name-list of antivirus, see antivirus(5)) Name of the ANTIVIRUS global section used.
    interval (type: uint16, optional, default: 0) Seconds between passing blocks of unchecked data (0 = do not send unchecked data).
    chunk (type: uint32, optional, default: 0) Size of each block of unchecked data.
    limit (type: uint32, optional, default: 0) Maximum size of unchecked data passed before the antivirus check is completed. Remaining data will be passed only after successful checking.

accept-antivirus-status status;
    Defines the set of antivirus status codes (in addition to FREE) that allow further passing of data. Other status codes cause termination of the data transfer. If not set, data are passed only if the antivirus returns status FREE.
    status (type: virus-status-set)

control-client-altq altq [paltq paltq];
    ALTQ queues for data sent to the client on the control connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

control-server-altq altq [paltq paltq];
    ALTQ queues for data sent to the server on the control connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

data-client-altq altq [paltq paltq];
    ALTQ queues for data sent to the client on the data connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

data-server-altq altq [paltq paltq];
    ALTQ queues for data sent to the server on the data connection.
    altq (type: name of pf-queue, see pf-queue(5)) queue name
    paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL) priority queue name (if set, used for TCP ACK without data)

[End of section ftp-proxy.doc-acl description.]

[End of section ftp-proxy description.]