
The Quick-N-Dirty Guide to using ftpproxy with FreeBSD

The ftpproxy program's use is fairly evident from its name. It forwards ftp requests from one server to another server. In my case, I needed it because we were out of public IP addresses, and had a very limited need for an ftp server available on the Internet.

There is also an ftp-proxy which is included in a FreeBSD base install. It is found in /usr/libexec, and is intended for use with the pf packet filter. Its man page gives good examples of what should be added to pf.conf to use it on a machine with two interfaces. However, in my case, it was needed on a server with one ethernet interface behind a firewall. The firewall has a public address and forwards requests to a webserver, with an internal 192.168.1.x address on the local network.

For purposes of example, we'll say the web server is called web.example.com and has an internal address of 192.168.1.20. I wanted the web server to forward ftp requests to another machine, with an address of 192.168.8.25.

2.) Installing ftpproxy

This is quite simple. As usual in FreeBSD, one can use the ports system.
cd /usr/ports/ftp/ftpproxy
make install clean

Once installed, I took a quick look at the man page. I tried man ftpproxy with no result. It turns out that the program is called ftp.proxy. Once I figured this out, the rest was relatively simple.

3.) Configuring ftpproxy

Configuration in my case was quite simple. All I needed was for ftpproxy to point to 192.168.8.25.

As the man page explains, ftpproxy is run from inetd. Therefore, if one isn't already running inetd, add the following line to /etc/rc.conf.
inetd_enable="YES"

According to the man page, ftpproxy can also be run in standalone mode, but I didn't try this. The somewhat sparse documentation on their web site indicates that it is usually started from inetd.

After adding the inetd line to /etc/rc.conf, edit /etc/inetd.conf. There are a few lines towards the top referring to ftp. I added a line underneath them.
ftp 	stream tcp	nowait nobody /usr/local/sbin/ftp.proxy ftp.proxy 192.168.8.25

(If your browser broke that, it should be one line.)

Once this is done, start (or restart if it's already running) inetd.
/etc/rc.d/inetd start
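
A check worth running on /etc/inetd.conf around this step, added here as an example and not part of the original guide or of ftpproxy itself: it lists the active ftp entries and flags a wrapped (incomplete) line, a server running as root, or more than one active ftp entry for the same protocol. The function names and the sample file are constructed for illustration, and it assumes the last ftp.proxy argument is the destination server, as in the line above.

```sh
#!/bin/sh
# Added example: audit the active "ftp" entries in an inetd.conf-style file.
# Fields: service socket-type protocol wait/nowait user program arguments...

audit_ftp_entries() {   # $1 = file to check; exit status = number of FAIL findings
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # commented-out or blank line
        $1 != "ftp"           { next }      # some other service
        {
            seen[$3]++                      # count active entries per protocol
            if (NF < 7) {                   # a wrapped line loses its trailing fields
                print "FAIL line " NR ": incomplete entry (" NF " fields)"
                fails++; next
            }
            user = $5; sub("[:/].*$", "", user)   # drop :group and /login-class
            if (user == "root") {
                print "FAIL line " NR ": " $6 " runs as root"; fails++
            } else {
                print "OK line " NR ": " $6 " runs as " user
            }
            # Assumption: as in the entry on this page, the last argument
            # of ftp.proxy is the server it forwards to.
            if ($6 ~ "/ftp[.]proxy$") print "INFO line " NR ": forwards to " $NF
        }
        END {
            for (p in seen) if (seen[p] > 1) {
                print "FAIL: " seen[p] " active ftp/" p " entries"; fails++
            }
            exit fails + 0
        }
    ' "$1"
}

# Constructed sample: the stock ftpd line left commented out, plus the proxy entry.
write_sample() {
    cat > "$1" <<'EOF'
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
ftp	stream	tcp	nowait	nobody	/usr/local/sbin/ftp.proxy	ftp.proxy 192.168.8.25
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && audit_ftp_entries "$tmp"; rm -f "$tmp"
```

To check the real file, call audit_ftp_entries /etc/inetd.conf; a non-zero exit status means at least one FAIL line was printed.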

There are other options that can be used; however, I just needed a very simple configuration, as a client had to download some files. Therefore, we didn't even add any CNAMEs. I just had the client ftp to web.example.com, and they were redirected to the ftp server.

References

The ftpproxy web page
man(1) ftp.proxy
(Note that the man page is ftp.proxy, not ftpproxy. Also, don't confuse it with the built-in ftp-proxy.)
