diff options
Diffstat (limited to 'contrib/pf/ftp-proxy')
-rw-r--r-- | contrib/pf/ftp-proxy/ftp-proxy.8 | 45 | ||||
-rw-r--r-- | contrib/pf/ftp-proxy/ftp-proxy.c | 21 | ||||
-rw-r--r-- | contrib/pf/ftp-proxy/util.c | 15 |
3 files changed, 58 insertions, 23 deletions
diff --git a/contrib/pf/ftp-proxy/ftp-proxy.8 b/contrib/pf/ftp-proxy/ftp-proxy.8 index 2832ddbb9d2e7..e68bdde495ccf 100644 --- a/contrib/pf/ftp-proxy/ftp-proxy.8 +++ b/contrib/pf/ftp-proxy/ftp-proxy.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.37 2003/09/05 12:27:47 jmc Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.40 2004/03/16 08:50:07 jmc Exp $ .\" .\" Copyright (c) 1996-2001 .\" Obtuse Systems Corporation, All rights reserved. @@ -36,10 +36,11 @@ .Sh SYNOPSIS .Nm ftp-proxy .Op Fl AnrVw +.Op Fl a Ar address .Op Fl D Ar debuglevel .Op Fl g Ar group -.Op Fl m Ar minport .Op Fl M Ar maxport +.Op Fl m Ar minport .Op Fl t Ar timeout .Op Fl u Ar user .Sh DESCRIPTION @@ -65,6 +66,26 @@ or .Qq anonymous only. Any attempt to log in as another user will be blocked by the proxy. +.It Fl a Ar address +Specify the local IP address to use in +.Xr bind 2 +as the source for connections made by +.Nm ftp-proxy +when connecting to destination FTP servers. +This may be necessary if the interface address of +your default route is not reachable from the destinations +.Nm +is attempting connections to, or this address is different from the one +connections are being NATed to. +In the usual case this means that +.Ar address +should be a publicly visible IP address assigned to one of +the interfaces on the machine running +.Nm +and should be the same address to which you are translating traffic +if you are using the +.Fl n +option. .It Fl D Ar debuglevel Specify a debug level, where the proxy emits verbose debug output into @@ -80,14 +101,6 @@ lookups which require root. By default, .Nm uses the default group of the user it drops privilege to. -.It Fl m Ar minport -Specify the lower end of the port range the proxy will use for all -data connections it establishes. -The default is -.Dv IPPORT_HIFIRSTAUTO -defined in -.Aq Pa netinet/in.h -as 49152. .It Fl M Ar maxport Specify the upper end of the port range the proxy will use for the data connections it establishes. @@ -96,6 +109,14 @@ The default is defined in .Aq Pa netinet/in.h as 65535. +.It Fl m Ar minport +Specify the lower end of the port range the proxy will use for all +data connections it establishes. +The default is +.Dv IPPORT_HIFIRSTAUTO +defined in +.Aq Pa netinet/in.h +as 49152. .It Fl n Activate network address translation .Pq NAT @@ -173,8 +194,8 @@ A typical way to do this would be to use a .Xr pf.conf 5 rule such as .Bd -literal -offset 2n -int_if = xl0 -rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 +int_if = \&"xl0\&" +rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 .Ed .Pp .Xr inetd 8 diff --git a/contrib/pf/ftp-proxy/ftp-proxy.c b/contrib/pf/ftp-proxy/ftp-proxy.c index 88b6fd16b8672..18bc0a619a20c 100644 --- a/contrib/pf/ftp-proxy/ftp-proxy.c +++ b/contrib/pf/ftp-proxy/ftp-proxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ftp-proxy.c,v 1.33 2003/08/22 21:50:34 david Exp $ */ +/* $OpenBSD: ftp-proxy.c,v 1.35 2004/03/14 21:51:44 dhartmei Exp $ */ /* * Copyright (c) 1996-2001 @@ -67,7 +67,7 @@ * - per-user rules perhaps. */ -#include <sys/types.h> +#include <sys/param.h> #include <sys/time.h> #include <sys/socket.h> @@ -148,6 +148,7 @@ char *Group; extern int Debug_Level; extern int Use_Rdns; +extern in_addr_t Bind_Addr; extern char *__progname; typedef enum { @@ -171,9 +172,8 @@ static void usage(void) { syslog(LOG_NOTICE, - "usage: %s [-AnrVw] [-D debuglevel] [-g group] %s %s", - __progname, "[-m minport] [-M maxport] [-t timeout]", - "[-u user]"); + "usage: %s [-AnrVw] [-a address] [-D debuglevel [-g group]" + " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname); exit(EX_USAGE); } @@ -973,9 +973,18 @@ main(int argc, char *argv[]) int use_tcpwrapper = 0; #endif /* LIBWRAP */ - while ((ch = getopt(argc, argv, "D:g:m:M:t:u:AnVwr")) != -1) { + while ((ch = getopt(argc, argv, "a:D:g:m:M:t:u:AnVwr")) != -1) { char *p; switch (ch) { + case 'a': + if (!*optarg) + usage(); + if ((Bind_Addr = inet_addr(optarg)) == INADDR_NONE) { + syslog(LOG_NOTICE, + "%s: invalid address", optarg); + usage(); + } + break; case 'A': AnonFtpOnly = 1; /* restrict to anon usernames only */ break; diff --git a/contrib/pf/ftp-proxy/util.c b/contrib/pf/ftp-proxy/util.c index 3c8b20eab912a..17a88cae6431e 100644 --- a/contrib/pf/ftp-proxy/util.c +++ b/contrib/pf/ftp-proxy/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.16 2003/06/28 01:04:57 deraadt Exp $ */ +/* $OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */ /* * Copyright (c) 1996-2001 @@ -58,6 +58,7 @@ int Debug_Level; int Use_Rdns; +in_addr_t Bind_Addr = INADDR_NONE; void debuglog(int debug_level, const char *fmt, ...); @@ -77,7 +78,8 @@ get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr, struct sockaddr_in *client_sa_ptr) { struct pfioc_natlook natlook; - int slen, fd; + socklen_t slen; + int fd; slen = sizeof(*real_server_sa_ptr); if (getsockname(connected_fd, (struct sockaddr *)real_server_sa_ptr, @@ -257,10 +259,13 @@ get_backchannel_socket(int type, int min_port, int max_port, int start_port, bzero(&sa, sizeof sa); sa.sin_family = AF_INET; - if (sap == NULL) - sa.sin_addr.s_addr = INADDR_ANY; + if (Bind_Addr == INADDR_NONE) + if (sap == NULL) + sa.sin_addr.s_addr = INADDR_ANY; + else + sa.sin_addr.s_addr = sap->sin_addr.s_addr; else - sa.sin_addr.s_addr = sap->sin_addr.s_addr; + sa.sin_addr.s_addr = Bind_Addr; /* * Indicate that we want to reuse a port if it happens that the |