path: root/contrib/pf/ftp-proxy/ftp-proxy.8
author: mlaier <mlaier@FreeBSD.org> 2007-07-03 12:30:03 +0000
committer: mlaier <mlaier@FreeBSD.org> 2007-07-03 12:30:03 +0000
commit: edb0b6417988e1d0a2c39481b4ca6c7c2005ed9e (patch)
tree: c0024fcd4a5dafb6f9b2cf493310b65dbd5df8e6 /contrib/pf/ftp-proxy/ftp-proxy.8
parent: d1f1f8d084d2091974a8e980ff26076ab5252319 (diff)
Commit resolved import of OpenBSD 4.1 pf userland from perforce.
Approved by: re (kensmith)
Diffstat (limited to 'contrib/pf/ftp-proxy/ftp-proxy.8')
-rw-r--r-- contrib/pf/ftp-proxy/ftp-proxy.8 | 404
1 files changed, 147 insertions, 257 deletions
diff --git a/contrib/pf/ftp-proxy/ftp-proxy.8 b/contrib/pf/ftp-proxy/ftp-proxy.8
index 125c5e8..69c848e 100644
--- a/contrib/pf/ftp-proxy/ftp-proxy.8
+++ b/contrib/pf/ftp-proxy/ftp-proxy.8
@@ -1,295 +1,185 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.42 2004/11/19 00:47:23 jmc Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.7 2006/12/30 13:01:54 camield Exp $
.\"
-.\" Copyright (c) 1996-2001
-.\" Obtuse Systems Corporation, All rights reserved.
+.\" Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the University nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
.\"
-.\" THIS SOFTWARE IS PROVIDED BY OBTUSE SYSTEMS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL OBTUSE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $FreeBSD$
.\"
-.Dd August 17, 2001
+.Dd November 28, 2004
.Dt FTP-PROXY 8
.Os
.Sh NAME
.Nm ftp-proxy
-.Nd Internet File Transfer Protocol proxy server
+.Nd Internet File Transfer Protocol proxy daemon
.Sh SYNOPSIS
.Nm ftp-proxy
-.Bk -words
-.Op Fl AnrVw
+.Op Fl 6Adrv
.Op Fl a Ar address
-.Op Fl D Ar debuglevel
-.Op Fl g Ar group
-.Op Fl M Ar maxport
-.Op Fl m Ar minport
-.Op Fl R Ar address[:port]
-.Op Fl S Ar address
+.Op Fl b Ar address
+.Op Fl D Ar level
+.Op Fl m Ar maxsessions
+.Op Fl P Ar port
+.Op Fl p Ar port
+.Op Fl q Ar queue
+.Op Fl R Ar address
.Op Fl t Ar timeout
-.Op Fl u Ar user
-.Ek
.Sh DESCRIPTION
.Nm
is a proxy for the Internet File Transfer Protocol.
-The proxy uses
+FTP control connections should be redirected into the proxy using the
.Xr pf 4
-and expects to have the FTP control connection as described in
-.Xr services 5
-redirected to it via a
+.Ar rdr
+command, after which the proxy connects to the server on behalf of
+the client.
+.Pp
+The proxy allows data connections to pass, rewriting and redirecting
+them so that the right addresses are used.
+All connections from the client to the server have their source
+address rewritten so they appear to come from the proxy.
+Consequently, all connections from the server to the proxy have
+their destination address rewritten, so they are redirected to the
+client.
+The proxy uses the
.Xr pf 4
-.Em rdr
-command.
-An example of how to do that is further down in this document.
+.Ar anchor
+facility for this.
+.Pp
+Assuming the FTP control connection is from $client to $server, the
+proxy connected to the server using the $proxy source address, and
+$port is negotiated, then
+.Nm ftp-proxy
+adds the following rules to the various anchors.
+(These example rules use inet, but the proxy also supports inet6.)
+.Pp
+In case of active mode (PORT or EPRT):
+.Bd -literal -offset 2n
+rdr from $server to $proxy port $port -> $client
+pass quick inet proto tcp \e
+ from $server to $client port $port
+.Ed
+.Pp
+In case of passive mode (PASV or EPSV):
+.Bd -literal -offset 2n
+nat from $client to $server port $port -> $proxy
+pass in quick inet proto tcp \e
+ from $client to $server port $port
+pass out quick inet proto tcp \e
+ from $proxy to $server port $port
+.Ed
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl 6
+IPv6 mode.
+The proxy will expect and use IPv6 addresses for all communication.
+Only the extended FTP modes EPSV and EPRT are allowed with IPv6.
+The proxy is in IPv4 mode by default.
.It Fl A
-Permit only anonymous FTP connections.
-The proxy will allow connections to log in to other sites as the user
-.Qq ftp
-or
-.Qq anonymous
-only.
-Any attempt to log in as another user will be blocked by the proxy.
+Only permit anonymous FTP connections.
+Either user "ftp" or user "anonymous" is allowed.
.It Fl a Ar address
-Specify the local IP address to use in
-.Xr bind 2
-as the source for connections made by
-.Nm ftp-proxy
-when connecting to destination FTP servers.
-This may be necessary if the interface address of
-your default route is not reachable from the destinations
-.Nm
-is attempting connections to, or this address is different from the one
-connections are being NATed to.
-In the usual case this means that
-.Ar address
-should be a publicly visible IP address assigned to one of
-the interfaces on the machine running
-.Nm
-and should be the same address to which you are translating traffic
-if you are using the
-.Fl n
-option.
-.It Fl D Ar debuglevel
-Specify a debug level, where the proxy emits verbose debug output
-into
-.Xr syslogd 8
-at level
-.Dv LOG_DEBUG .
-Meaningful values of debuglevel are 0-3, where 0 is no debug output and
-3 is lots of debug output, the default being 0.
-.It Fl g Ar group
-Specify the named group to drop group privileges to, after doing
-.Xr pf 4
-lookups which require root.
-By default,
-.Nm
-uses the default group of the user it drops privilege to.
-.It Fl M Ar maxport
-Specify the upper end of the port range the proxy will use for the
-data connections it establishes.
-The default is
-.Dv IPPORT_HILASTAUTO
-defined in
-.Aq Pa netinet/in.h
-as 65535.
-.It Fl m Ar minport
-Specify the lower end of the port range the proxy will use for all
-data connections it establishes.
-The default is
-.Dv IPPORT_HIFIRSTAUTO
-defined in
-.Aq Pa netinet/in.h
-as 49152.
-.It Fl n
-Activate network address translation
-.Pq NAT
-mode.
-In this mode, the proxy will not attempt to proxy passive mode
-.Pq PASV or EPSV
-data connections.
-In order for this to work, the machine running the proxy will need to
-be forwarding packets and doing network address translation to allow
-the outbound passive connections from the client to reach the server.
-See
-.Xr pf.conf 5
-for more details on NAT.
-The proxy only ignores passive mode data connections when using this flag;
-it will still proxy PORT and EPRT mode data connections.
-Without this flag,
-.Nm
-does not require any IP forwarding or NAT beyond the
-.Em rdr
-necessary to capture the FTP control connection.
-.It Fl R Ar address:[port]
-Reverse proxy mode for FTP servers running behind a NAT gateway.
-In this mode, no redirection is needed.
-The proxy is run from
-.Xr inetd 8
-on the port that external clients connect to (usually 21).
-Control connections and passive data connections are forwarded
-to the server.
+The proxy will use this as the source address for the control
+connection to a server.
+.It Fl b Ar address
+Address where the proxy will listen for redirected control connections.
+The default is 127.0.0.1, or ::1 in IPv6 mode.
+.It Fl D Ar level
+Debug level, ranging from 0 to 7.
+Higher is more verbose.
+The default is 5.
+(These levels correspond to the
+.Xr syslog 3
+levels.)
+.It Fl d
+Do not daemonize.
+The process will stay in the foreground, logging to standard error.
+.It Fl m Ar maxsessions
+Maximum number of concurrent FTP sessions.
+When the proxy reaches this limit, new connections are denied.
+The default is 100 sessions.
+The limit can be lowered to a minimum of 1, or raised to a maximum of 500.
+.It Fl P Ar port
+Fixed server port.
+Only used in combination with
+.Fl R .
+The default is port 21.
+.It Fl p Ar port
+Port where the proxy will listen for redirected connections.
+The default is port 8021.
+.It Fl q Ar queue
+Create rules with queue
+.Ar queue
+appended, so that data connections can be queued.
+.It Fl R Ar address
+Fixed server address, also known as reverse mode.
+The proxy will always connect to the same server, regardless of
+where the client wanted to connect to (before it was redirected).
+Use this option to proxy for a server behind NAT, or to forward all
+connections to another proxy.
.It Fl r
-Use reverse host
-.Pq reverse DNS
-lookups for logging and libwrap use.
-By default,
-the proxy does not look up hostnames for libwrap or logging purposes.
-.It Fl S Ar address
-Source address to use for data connections made by the proxy.
-Useful when there are multiple addresses (aliases) available
-to the proxy.
-Clients may expect data connections to have the same source
-address as the control connections, and reject or drop other
-connections.
+Rewrite sourceport to 20 in active mode to suit ancient clients that insist
+on this RFC property.
.It Fl t Ar timeout
-Specifies a timeout, in seconds.
-The proxy will exit and close open connections if it sees no data
-for the duration of the timeout.
-The default is 0, which means the proxy will not time out.
-.It Fl u Ar user
-Specify the named user to drop privilege to, after doing
-.Xr pf 4
-lookups which require root privilege.
-By default,
-.Nm
-drops privilege to the user
-.Em proxy .
-.Pp
-Running as root means that the source of data connections the proxy makes
-for PORT and EPRT will be the RFC mandated port 20.
-When running as a non-root user, the source of the data connections from
-.Nm
-will be chosen randomly from the range
-.Ar minport
-to
-.Ar maxport
-as described above.
-.It Fl V
-Be verbose.
-With this option the proxy logs the control commands
-sent by clients and the replies sent by the servers to
-.Xr syslogd 8 .
-.It Fl w
-Use the tcp wrapper access control library
-.Xr hosts_access 3 ,
-allowing connections to be allowed or denied based on the tcp wrapper's
-.Xr hosts.allow 5
-and
-.Xr hosts.deny 5
-files.
-The proxy does libwrap operations after determining the destination
-of the captured control connection, so that tcp wrapper rules may
-be written based on the destination as well as the source of FTP connections.
+Number of seconds that the control connection can be idle, before the
+proxy will disconnect.
+The maximum is 86400 seconds, which is also the default.
+Do not set this too low, because the control connection is usually
+idle when large data transfers are taking place.
+.It Fl v
+Set the 'log' flag on pf rules committed by
+.Nm .
+Use twice to set the 'log-all' flag.
+The pf rules do not log by default.
.El
-.Pp
-.Nm ftp-proxy
-is run from
-.Xr inetd 8
-and requires that FTP connections are redirected to it using a
-.Em rdr
-rule.
-A typical way to do this would be to use a
+.Sh CONFIGURATION
+To make use of the proxy,
.Xr pf.conf 5
-rule such as
-.Bd -literal -offset 2n
-int_if = \&"xl0\&"
-rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
-.Ed
+needs the following rules.
+All anchors are mandatory.
+Adjust the rules as needed.
.Pp
-.Xr inetd 8
-must then be configured to run
-.Nm
-on the port from above using
+In the NAT section:
.Bd -literal -offset 2n
-ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
+nat-anchor "ftp-proxy/*"
+rdr-anchor "ftp-proxy/*"
+rdr pass on $int_if proto tcp from $lan to any port 21 -> \e
+ 127.0.0.1 port 8021
.Ed
.Pp
-in
-.Xr inetd.conf 5 .
-.Pp
-.Nm
-accepts the redirected control connections and forwards them
-to the server.
-The proxy replaces the address and port number that the client
-sends through the control connection to the server with its own
-address and proxy port, where it listens for the data connection.
-When the server opens the data connection back to this port, the
-proxy forwards it to the client.
-The
-.Xr pf.conf 5
-rules need to let pass connections to these proxy ports
-(see options
-.Fl u , m ,
-and
-.Fl M
-above) in on the external interface.
-The following example allows only ports 49152 to 65535 to pass in
-statefully:
-.Bd -literal -offset indent
-block in on $ext_if proto tcp all
-pass in on $ext_if inet proto tcp from any to $ext_if \e
- port > 49151 keep state
-.Ed
-.Pp
-Alternatively, rules can make use of the fact that by default,
-.Nm
-runs as user
-.Qq proxy
-to allow the backchannel connections, as in the following example:
-.Bd -literal -offset indent
-block in on $ext_if proto tcp all
-pass in on $ext_if inet proto tcp from any to $ext_if \e
- user proxy keep state
+In the rule section:
+.Bd -literal -offset 2n
+anchor "ftp-proxy/*"
+pass out proto tcp from $proxy to any port 21
.Ed
-.Pp
-These examples do not cover the connections from the proxy to the
-foreign FTP server.
-If one does not pass outgoing connections by default additional rules
-are needed.
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr pf 4 ,
-.Xr hosts.allow 5 ,
-.Xr hosts.deny 5 ,
-.Xr inetd.conf 5 ,
-.Xr pf.conf 5 ,
-.Xr inetd 8 ,
-.Xr pfctl 8 ,
-.Xr syslogd 8
-.Sh BUGS
-Extended Passive mode
-.Pq EPSV
-is not supported by the proxy and will not work unless the proxy is run
-in network address translation mode.
-When not in network address translation mode, the proxy returns an error
-to the client, hopefully forcing the client to revert to passive mode
-.Pq PASV
-which is supported.
-EPSV will work in network address translation mode, assuming a
.Xr pf.conf 5
-setup which allows the EPSV connections through to their destinations.
+.Sh CAVEATS
+.Xr pf 4
+does not allow the ruleset to be modified if the system is running at a
+.Xr securelevel 7
+higher than 1.
+At that level
+.Nm ftp-proxy
+cannot add rules to the anchors and FTP data connections may get blocked.
+.Pp
+Negotiated data connection ports below 1024 are not allowed.
.Pp
-IPv6 is not yet supported.
+The negotiated IP address for active modes is ignored for security
+reasons.
+This makes third party file transfers impossible.
+.Pp
+.Nm ftp-proxy
+chroots to "/var/empty" and changes to user "proxy" to drop privileges.
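Review bot: the new CAVEATS section cross-references `.Xr securelevel 7`, a manual page OpenBSD ships but FreeBSD does not; FreeBSD documents securelevel behaviour in security(7) and init(8), so the reference should be adjusted, because this is exactly the caveat an operator will be looking for when ftp-proxy stops adding anchor rules and FTP data connections get blocked. Two smaller documentation points in the same hunk: the CONFIGURATION examples use the macros $int_if, $lan and $proxy without defining them, whereas the removed example defined `int_if = "xl0"`, so either add the definitions or say they are placeholders the administrator must set; and since the per-session rules ftp-proxy commits do not log unless -v is given ("The pf rules do not log by default."), a sentence in CONFIGURATION pointing at -v would help anyone auditing which data connections the proxy opened. The .Dd date (November 28, 2004) also predates the $OpenBSD$ revision id (2006/12/30) and should be bumped.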