a688bcbb4bcff5398fdd29b86f83450257dc0df4 Allan Foster

How to set up FTP proxying using the built-in proxy code.
=========================================================

NOTE: Currently, the built-in FTP proxy is only available for use with NAT
      (i.e. only if you're already using "map" rules with ipnat). It does
      support null-NAT mappings, that is, using the proxy without changing
      the addresses.

Let's assume your network diagram looks something like this:


[host A]
   |a
---+-------------+----------
                 |b
             [host B]
                 |c
---+-------------+----------
   |d
[host C]

and IP Filter is running on host B. If you want to proxy FTP from A to C
then you would do:

map int-c ipaddr-a/32 -> ipaddr-c-net/32 proxy port ftp ftp/tcp

int-c = name of "interface c"
ipaddr-a = ip# of interface a
ipaddr-c-net = another ip# on the C-network (usually not the same as the
interface).

e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
203.45.67.90, you would do:

map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp

where:
ipaddr-a = 10.1.1.1
int-c = vx0
ipaddr-c-net = 203.45.67.91

The "map" rule for this proxy should precede any other NAT rules you are
using.
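
One way to check the ordering requirement above before loading a rule file, as an added example that is not part of the original document or of IP Filter itself. The function names and both sample rule sets are hypothetical and constructed for illustration (they reuse the addresses from the example above), and the line matching is a simplification, not the full ipnat grammar.

```python
import re

# Constructed sample ipnat.conf contents, using the addresses from the example.
GOOD_CONF = """\
# FTP proxy rule first, then the general NAT rules
map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
map vx0 10.1.1.0/24 -> 203.45.67.91/32 portmap tcp/udp 10000:20000
map vx0 10.1.1.0/24 -> 203.45.67.91/32
"""

BAD_CONF = """\
map vx0 10.1.1.0/24 -> 203.45.67.91/32 portmap tcp/udp 10000:20000
map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp   # too late
"""

# Keywords that start a NAT rule in an ipnat rule file.
NAT_KEYWORDS = ("map", "rdr", "bimap", "map-block")
# Matches the FTP proxy clause, with the port given by name or number.
FTP_PROXY = re.compile(r"\bproxy\s+port\s+(ftp|21)\s+ftp/tcp\b")


def nat_rules(conf_text):
    """Yield (line_number, rule) for each NAT rule, skipping comments and blanks."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()
        if rule and rule.split()[0] in NAT_KEYWORDS:
            yield number, rule


def misordered_ftp_proxy_rules(conf_text):
    """Return [(proxy_line, earlier_line)] for every FTP proxy rule that
    follows a NAT rule which is not itself an FTP proxy rule."""
    findings = []
    first_other = None  # line number of the first non-proxy NAT rule seen
    for number, rule in nat_rules(conf_text):
        if FTP_PROXY.search(rule):
            if first_other is not None:
                findings.append((number, first_other))
        elif first_other is None:
            first_other = number
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, misordered_ftp_proxy_rules(conf))
```

An empty result means every FTP proxy rule comes before the other NAT rules; each tuple otherwise names the proxy rule's line and the earlier rule that precedes it.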