git.pld-linux.org Git - packages/frox.git/blame - frox.conf
- reverting last change: removing new macros from %p{re,ost}{,un}
Commit: ec496050

# Configuration file for frox transparent ftp-proxy.

# Send SIGHUP after editing and it will be reread. This will fail
# completely if we are chrooted and the config file isn't within the
# dir we are chrooted to, or if we have dropped privileges and no
# longer have permission to read it! We may also no longer have
# permission to bind to device.

# Address to listen on - default is 0.0.0.0
#
# Listen firewall.localnet
Listen 192.168.2.1

# Port to listen on. Must be supplied.
#
Port 12345

# If specified then bind to this device
#
BindToDevice eth0

# Specify ranges for local ports to use for outgoing connections and
# for sending out in PORT commands. By default these are all between
# 40000 and 50000, but you might want to split them up if you have
# complicated firewalling rules.
#
# ControlPorts 40000-40999
# PassivePorts 41000-41999
# ActivePorts 42000-42999

# Number of seconds of no activity before closing session
# Defaults to 3600
#
Timeout 1800

# Maximum number of processes to fork.
#
# MaxForks 0 # For debugging -- only one connection may be served.
MaxForks 10

# User and group to drop privileges to. Default is not to drop.
#
User nobody
Group nogroup

# Directory to chroot to. Default is not to chroot. Filenames for
# other options should be within this directory, but specified
# relative to /.
#
# Chroot /usr/local/lib/frox

# Block PORT commands asking data to be sent to ports < 1024 and
# prevent incoming control stream connections from port 20 to
# help defend against FTP bounce attacks. Defaults to on.
#
BounceDefend yes

# If true then only accept data connections from the hosts the control
# connections are to. Breaks the RFC, and defaults to off.
#
# SameAddress yes

# Try to transparently proxy the data connections as well. Not
# necessary for most clients, and does increase security risks. Read
# README.transdata for details. Defaults to off.
#
# TransparentData yes

# File to log to. Default is stderr
#
# LogFile /dev/null
# LogFile /usr/local/lib/frox/frox-log

# File to store PID in. Default is not to. If this file is not within
# the Chroot directory then it cannot be deleted on exit, but will
# otherwise work fine.
#
PidFile /var/run/frox.pid

# Caching options. There should be at most one CacheModule line, and
# Cache lines to give the options for that caching module. CacheModule
# is HTTP (rewrites ftp requests as HTTP and sends them to a HTTP
# proxy like squid), or local (cache files locally). The relevant
# module needs to have been compiled in at compile time. See
# FAQ for details. If there are no CacheModule lines then no
# caching will be done.
#
# CacheModule local
# Cache Dir /usr/local/lib/frox/cache/
# Cache CacheSize 400
#
# CacheModule squid
# Cache HTTPProxy 127.0.0.1:3128
# Cache MinCacheSize 65536

# Active --> Passive conversion. If set then all outgoing connections
# from the proxy will be passive FTP, regardless of the type of the
# connection coming in. This makes firewalling a lot easier. Defaults
# to no.
#
# APConv yes

# Allow non-transparent proxying support. The user can connect
# directly to frox, and give his username as user@host:port or
# user@host. Defaults to no.
#
# DoNTP yes

#########################
# Access control lists. #
#########################
# The format is: "ACL Allow|Deny SRC - DST [PORTS]"

# SRC and DST may be in the form x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y,
# a dns name, or * to match everything.
#
# PORTS is a list of ports. If specified then the rule will only match
# if the destination port of the connection is in this list. This is
# likely only relevant if you are allowing non-transparent proxying of
# ftp connections (i.e. DoNTP is enabled above). Specifying * is equivalent
# to not specifying anything - all ports will be matched.
#
# Any connection that matches no rules will be denied. Since there are
# no rules by default you'll need to add something to let any
# connections happen at all (look at the last example if you are
# feeling lazy/not bothered by security).
#
# # Examples:
# # Allow local network to ftp to port 21 only, and block host ftp.evil
# ACL Deny * - ftp.evil
# ACL Allow 192.168.0.0/255.255.0.0 - * 21
#
# # Allow local network to ftp anywhere except certain dodgy ports. Network
# # admin's machine can ftp anywhere.
# ACL Allow admin.localnet - *
# ACL Deny * - * 1-20,22-1024,6000-6007,7100
# ACL Allow 192.168.0.0/16 - * *
#
# # You don't really believe in this security stuff, and just want
# # everything to work.
# ACL Allow * - *
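The ACL section above can be checked before deployment by evaluating the rules against sample connections. The following is an added example, not part of frox or of this repository: it parses "ACL Allow|Deny SRC - DST [PORTS]" lines and decides a connection, assuming rules are tried in order and the first match wins (inferred from the ordering of the examples in the file), with the stated default of deny when nothing matches. The HOSTS table and its addresses are constructed stand-ins for DNS so the code runs offline.

```python
import ipaddress

# Constructed name table standing in for DNS lookups (assumption, not real data).
HOSTS = {"admin.localnet": "192.168.0.5", "ftp.evil": "203.0.113.9"}

def parse_ports(spec):
    """Return a list of (low, high) ranges, or None meaning 'all ports'."""
    if spec in (None, "*"):
        return None
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def parse_acl(line):
    """Parse 'ACL Allow|Deny SRC - DST [PORTS]' into (action, src, dst, ports)."""
    fields = line.split()
    if len(fields) not in (5, 6) or fields[0] != "ACL" or fields[3] != "-":
        raise ValueError("malformed ACL line: %r" % line)
    action = fields[1].lower()
    if action not in ("allow", "deny"):
        raise ValueError("unknown action in: %r" % line)
    ports = parse_ports(fields[5] if len(fields) == 6 else None)
    return action, fields[2], fields[4], ports

def addr_matches(pattern, ip):
    if pattern == "*":
        return True
    pattern = HOSTS.get(pattern, pattern)  # DNS name -> address
    # strict=False accepts x.x.x.x, x.x.x.x/yy and x.x.x.x/y.y.y.y alike
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, src, dst, port):
    """Assumed first-match evaluation; no matching rule means deny."""
    for action, s, d, ports in rules:
        if addr_matches(s, src) and addr_matches(d, dst) and (
                ports is None or any(lo <= port <= hi for lo, hi in ports)):
            return action
    return "deny"

def load(text):
    return [parse_acl(l) for l in text.splitlines() if l.strip().startswith("ACL")]

# Second example from the file, uncommented.
RULES = load("""
ACL Allow admin.localnet - *
ACL Deny * - * 1-20,22-1024,6000-6007,7100
ACL Allow 192.168.0.0/16 - * *
""")
```

Under that ordering assumption, moving the Deny line below the 192.168.0.0/16 Allow line would make it unreachable for local clients, which is the kind of mistake this check surfaces.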