ec496050 | 1 | # Configuration file for frox transparent ftp-proxy. |
2 | ||
3 | # Send SIGHUP after editing and it will be reread. This will fail | |
4 | # completely if we are chrooted and the config file isn't within the | |
5 | # dir we are chrooted to, or if we have dropped privileges and no | |
6 | # longer have permission to read it! We may also no longer have | |
7 | # permission to bind to device. | |
8 | ||
9 | # Address to listen on - default is 0.0.0.0 (all interfaces) | |
10 | # | |
11 | # Listen firewall.localnet | |
12 | Listen 192.168.2.1 | |
13 | ||
14 | # Port to listen on. Must be supplied. | |
15 | # | |
16 | Port 12345 | |
17 | ||
18 | # If specified then bind to this device | |
19 | # | |
20 | BindToDevice eth0 | |
21 | ||
22 | # Specify ranges for local ports to use for outgoing connections and | |
23 | # for sending out in PORT commands. By default these are all between | |
24 | # 40000 and 50000, but you might want to split them up if you have | |
25 | # complicated firewalling rules. | |
26 | # | |
27 | # ControlPorts 40000-40999 | |
28 | # PassivePorts 41000-41999 | |
29 | # ActivePorts 42000-42999 | |
30 | ||
31 | # Number of seconds of no activity before closing session | |
32 | # Defaults to 3600 | |
33 | # | |
34 | Timeout 1800 | |
35 | ||
36 | # Maximum number of processes to fork. | |
37 | # | |
38 | # MaxForks 0 # For debugging -- only one connection may be served. | |
39 | MaxForks 10 | |
40 | ||
41 | # User and group to drop privileges to. Default is not to drop. | |
42 | # | |
43 | User nobody | |
44 | Group nogroup | |
45 | ||
46 | # Directory to chroot to. Default is not to chroot. Filenames for | |
47 | # other options should be within this directory, but specified | |
48 | # relative to /. | |
49 | # | |
50 | # Chroot /usr/local/lib/frox | |
51 | ||
52 | # Block PORT commands asking data to be sent to ports<1024 and | |
53 | # prevent incoming control stream connections from port 20 to | |
54 | # help defend against ftp bounce attacks. Defaults to on. | |
55 | # | |
56 | BounceDefend yes | |
57 | ||
58 | # If true then only accept data connections from the hosts the control | |
59 | # connections are to. Breaks the RFC, and defaults to off. | |
60 | # | |
61 | # SameAddress yes | |
62 | ||
63 | # Try to transparently proxy the data connections as well. Not | |
64 | # necessary for most clients, and does increase security risks. Read | |
65 | # README.transdata for details. Defaults to off. | |
66 | # | |
67 | # TransparentData yes | |
68 | ||
69 | # File to log to. Default is stderr | |
70 | # | |
71 | # LogFile /dev/null | |
72 | # LogFile /usr/local/lib/frox/frox-log | |
73 | ||
74 | # File to store PID in. Default is not to. If this file is not within | |
75 | # the Chroot directory then it cannot be deleted on exit, but will | |
76 | # otherwise work fine. | |
77 | # | |
78 | PidFile /var/run/frox.pid | |
79 | ||
80 | # Caching options. There should be at most one CacheModule line, and | |
81 | # Cache lines to give the options for that caching module. CacheModule | |
82 | # is HTTP (rewrites ftp requests as HTTP and sends them to a HTTP | |
83 | # proxy like squid), or local (cache files locally). The relevant | |
84 | # module needs to have been compiled in at compile time. See | |
85 | # FAQ for details. If there are no CacheModule lines then no | |
86 | # caching will be done. | |
87 | # | |
88 | # CacheModule local | |
89 | # Cache Dir /usr/local/lib/frox/cache/ | |
90 | # Cache CacheSize 400 | |
91 | # | |
92 | # CacheModule squid | |
93 | # Cache HTTPProxy 127.0.0.1:3128 | |
94 | # Cache MinCacheSize 65536 | |
95 | ||
96 | # Active --> Passive conversion. If set then all outgoing connections | |
97 | # from the proxy will be passive FTP, regardless of the type of the | |
98 | # connection coming in. This makes firewalling a lot easier. Defaults | |
99 | # to no. | |
100 | # | |
101 | # APConv yes | |
102 | ||
103 | # Allow non-transparent proxying support. The user can connect | |
104 | # directly to frox, and give his username as user@host:port or | |
105 | # user@host. Defaults to no | |
106 | # | |
107 | # DoNTP yes | |
108 | ||
109 | ######################### | |
110 | # Access control lists. # | |
111 | ######################### | |
112 | # The format is: "ACL Allow|Deny SRC - DST [PORTS]" | |
113 | ||
114 | # SRC and DST may be in the form x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y, | |
115 | # a dns name, or * to match everything. | |
116 | # | |
117 | # PORTS is a list of ports. If specified then the rule will only match | |
118 | # if the destination port of the connection is in this list. This is | |
119 | # likely only relevant if you are allowing non-transparent proxying of | |
120 | # ftp connections (i.e. DoNTP is enabled above). Specifying * is equivalent | |
121 | # to not specifying anything - all ports will be matched | |
122 | # | |
123 | # Any connection that matches no rules will be denied. Since there are | |
124 | # no rules by default you'll need to add something to let any | |
125 | # connections happen at all (look at the last example if you are | |
126 | # feeling lazy/not bothered by security). | |
127 | # | |
128 | # # Examples: | |
129 | # # Allow local network to ftp to port 21 only, and block host ftp.evil | |
130 | # ACL Deny * - ftp.evil | |
131 | # ACL Allow 192.168.0.0/255.255.0.0 - * 21 | |
132 | # | |
133 | # # Allow local network to ftp anywhere except certain dodgy ports. Network | |
134 | # # admin's machine can ftp anywhere. | |
135 | # ACL Allow admin.localnet - * | |
136 | # ACL Deny * - * 1-20,22-1024,6000-6007,7100 | |
137 | # ACL Allow 192.168.0.0/16 - * * | |
138 | # | |
139 | # # You don't really believe in this security stuff, and just want | |
140 | # # everything to work. | |
141 | # ACL Allow * - * | |
142 |