# FTP proxy



## Abstract (Mar 15, 2010)

Hi Everyone,

I've just installed squid on my server. It's only available through localhost and used in
combination with an ssh tunnel. It's all set up in such a way that I can browse the internet
securely on public networks. Ssh is listening on port 443 so it can even be accessed on the most limited internet connections.

Now I want to let my ftp client also connect to the destination through the ssh tunnel
using a proxy server. I thought squid would do this job, however it doesn't support
all ftp commands (the version I got). I can't delete or rename any files/directories.

To solve this I want to have a real ftp proxy server running as well. I came across two:

- jftpgw http://www.mcknight.de/jftpgw/
- ftp.proxy http://www.ftpproxy.org/en/ftp.proxy-1.html

I didn't see any "allow from" settings in the ftp.proxy server. I need to have some
kind of allow/deny rules to only allow localhost on this proxy server.
Can someone give me any advice?

Best Wishes,
Arian


----------



## jemate18 (Mar 16, 2010)

What firewall are you using?

I have a squid/ftp-proxy and PF as my firewall. It works for me...


----------



## Abstract (Mar 16, 2010)

Hi jemate18,

At the moment I only have squid and PF running. I looked into the 
ftp-proxy closely and decided that's what I need for my ftp proxy. 

Thanks, Arian


----------



## jemate18 (Mar 16, 2010)

Hi,

here is what you need for pf.conf and ftp-proxy to work. Modify it to suit your needs.

```
# Interfaces and macros
int="xl1"                      # internal (LAN) interface
ext="xl0"                      # external interface
lan=$int:network               # LAN subnet, derived from $int's address
localhost="127.0.0.1"
tcp_services = "{ www, ftp-proxy, ftp-data, ftp }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
www="{ 80:83, 8080:8081 }"     # port ranges redirected to squid

# Anchors that ftp-proxy(8) fills with per-session nat/rdr rules
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#-----NAT on $ext on traffic from $int to $ext
nat on $ext from $lan to any -> $ext

# Redirect ftp control connections to ftp-proxy (port "ftp-proxy" in /etc/services)
rdr on $int inet proto tcp from $lan to any port ftp -> $localhost port ftp-proxy

# Redirect all www traffic to the squid proxy server
rdr on $int inet proto tcp from $lan to any port $www -> $localhost port 3128

# Block all in and out traffic and log it via pflog0
block log all

# This is needed for the FTP proxy: it inserts pass rules for the data channel here
anchor "ftp-proxy/*"

antispoof quick for { lo $int }

# Allow ping IN and OUT
pass inet proto icmp all icmp-type $icmp_types

#-------------Squid Transparent Proxy----
pass in on $int inet proto tcp from $lan to $localhost port 3128
pass out on $ext inet proto tcp from $localhost to any port 3128

#-------------FTP Access -------
# Note: ftp:ftp-proxy is a port range (ftp through ftp-proxy), not two ports
pass in on $int inet proto { tcp, udp } from $lan to any port ftp:ftp-proxy
pass out on $ext inet proto { tcp, udp } from $ext to any port ftp:ftp-proxy

#------------------Make udp services work----
pass inet proto { tcp, udp } from $lan to $localhost port $udp_services
```



You also need ftpproxy in your rc.conf:

`# echo 'ftpproxy_enable="YES"' >> /etc/rc.conf`

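The config above is a LAN gateway setup. Arian's case is different: the only legitimate client is the ssh tunnel arriving on the loopback interface, and nothing on the outside should ever reach the proxies. The following pf.conf is an added example for that case, not jemate18's config; the interface name `xl0` and the public port list (80, 8080, 1935, 443 from Arian's later post) are assumptions.

```pf
# /etc/pf.conf: squid and ftp-proxy reachable from localhost only
ext = "xl0"                  # assumed external interface
localhost = "127.0.0.1"
# Ports the outside world may reach; sshd is listening on 443 here
public_tcp = "{ 80, 443, 1935, 8080 }"
proxy_ports = "{ 3128, ftp-proxy }"

# Loopback is never filtered: ssh tunnel -> squid/ftp-proxy stays local
set skip on lo0

# ftp-proxy(8) inserts its per-session nat/rdr rules here
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Default deny, logged to pflog0
block log all

# ftp-proxy inserts pass rules for FTP data channels here
anchor "ftp-proxy/*"

antispoof quick for { lo0 $ext }

# Proxies must never be reachable on the external interface,
# even if a daemon happens to bind 0.0.0.0 instead of 127.0.0.1
block in log quick on $ext inet proto tcp from any to any port $proxy_ports

# Public services only (ssh on 443, web ports)
pass in on $ext inet proto tcp from any to ($ext) port $public_tcp flags S/SA keep state

# Connections the host itself makes (squid, ftp-proxy, mail fetch)
pass out on $ext inet proto { tcp, udp } from ($ext) to any keep state
pass out on $ext inet proto icmp all icmp-type echoreq keep state
```

Pair this with `http_port 127.0.0.1:3128` in squid.conf and `ftpproxy_flags="-b 127.0.0.1"` in rc.conf so the daemons themselves only listen on loopback, and check the result with `sockstat -4l` after restarting them.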

----------



## Abstract (Mar 17, 2010)

Hi jemate18,

Thanks for giving me this config file. I always learn a lot from this!

Best Wishes,
Arian


----------



## jemate18 (Mar 20, 2010)

Hi Abstract, were you able to make things work lately?

Regards


----------



## Abstract (Mar 20, 2010)

Hi Jemate18,

I was not able to install this yet. I had to finish some projects and wanted to have
all the time to play with this, including the firewall. I did check the manual and it
really sounds promising.

The plan is to close almost all ports on my server, including 110 and 25, and only have
80, 8080, 1935 and 443 open for the outside world. Mail will be retrieved by ssh tunnel
and port forwarding. When doing that I could also install this ftp proxy and
configure it properly.

Once that is installed I can finally use a public network safely to connect to ftp, mail,
http, etc. without having the risk that my data gets stolen.

Btw my ssh is listening on port 443 if you are wondering how I can connect to my server with
port 22 closed. Some public networks have port 22 closed as well, but I never saw port 443
being closed, especially because all the bank web interfaces use this standard for https.

I'll reply once I've set it up.

Best Wishes,
Arian


----------

