# Configuration file for frox transparent ftp-proxy.
# Send SIGHUP after editing and it will be reread. This will fail
# completely if we are chrooted and the config file isn't within the
# dir we are chrooted to, or if we have dropped privileges and no
# longer have permission to read it! We may also no longer have
# permission to bind to device.

# Address to listen on - default is 0.0.0.0
#
# Listen firewall.localnet
Listen 192.168.2.1

# Port to listen on. Must be supplied.
#
Port 12345

# If specified then bind to this device
# BindToDevice eth0

# Specify ranges for local ports to use for outgoing connections and
# for sending out in PORT commands. By default these are all between
# 40000 and 50000, but you might want to split them up if you have
# complicated firewalling rules.
#
# ControlPorts 40000-40999
# PassivePorts 41000-41999
# ActivePorts 42000-42999

# Number of seconds of no activity before closing session
# Defaults to 3600
# Timeout 1800

# Maximum number of processes to fork.
#
# MaxForks 0 # For debugging -- only one connection may be served.
MaxForks 10

# User and group to drop privileges to. Default is not to drop.
#
User nobody
Group nogroup

# Directory to chroot to. Default is not to chroot. Filenames for
# other options should be within this directory, but specified
# relative to /.
#
# Chroot /usr/local/lib/frox

# Block PORT commands asking data to be sent to ports<1024 and
# prevent incoming control stream connections from port 20 to
# help defend against ftp bounce attacks. Defaults to on.
# BounceDefend yes

# If true then only accept data connections from the hosts the control
# connections are to. Breaks the rfc, and defaults to off.
#
# SameAddress yes

# Try to transparently proxy the data connections as well. Not
# necessary for most clients, and does increase security risks. Read
# README.transdata for details. Defaults to off.
#
# TransparentData yes

# File to log to. Default is stderr
#
# LogFile /dev/null
# LogFile /usr/local/lib/frox/frox-log

# File to store PID in. Default is not to. If this file is not within
# the Chroot directory then it cannot be deleted on exit, but will
# otherwise work fine.
# PidFile /var/run/frox.pid

# Caching options. There should be at most one CacheModule line, and
# Cache lines to give the options for that caching module. CacheModule
# is HTTP (rewrites ftp requests as HTTP and sends them to an HTTP
# proxy like squid), or local (cache files locally). The relevant
# module needs to have been compiled in at compile time. See
# FAQ for details. If there are no CacheModule lines then no
# caching will be done.
#
# CacheModule local
# Cache Dir /usr/local/lib/frox/cache/
# Cache CacheSize 400
#
# CacheModule squid
# Cache HTTPProxy 127.0.0.1:3128
# Cache MinCacheSize 65536

# Active --> Passive conversion. If set then all outgoing connections
# from the proxy will be passive FTP, regardless of the type of the
# connection coming in. This makes firewalling a lot easier. Defaults
# to no.
#
# APConv yes

# Allow non-transparent proxying support. The user can connect
# directly to frox, and give his username as user@host:port or
# user@host. Defaults to no
#
# DoNTP yes

#########################
# Access control lists. #
#########################

# The format is: "ACL Allow|Deny SRC - DST [PORTS]"
# SRC and DST may be in the form x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y,
# a dns name, or * to match everything.
#
# PORTS is a list of ports. If specified then the rule will only match
# if the destination port of the connection is in this list. This is
# likely only relevant if you are allowing non-transparent proxying of
# ftp connections (i.e. DoNTP is enabled above). Specifying * is equivalent
# to not specifying anything - all ports will be matched
#
# Any connection that matches no rules will be denied. Since there are
# no rules by default you'll need to add something to let any
# connections happen at all (look at the last example if you are
# feeling lazy/not bothered by security).
#
#
# Examples:
#
# # Allow local network to ftp to port 21 only, and block host ftp.evil
# ACL Deny * - ftp.evil
# ACL Allow 192.168.0.0/255.255.0.0 - * 21
#
# # Allow local network to ftp anywhere except certain dodgy ports. Network
# # admin's machine can ftp anywhere.
# ACL Allow admin.localnet - *
# ACL Deny * - * 1-20,22-1024,6000-6007,7100
# ACL Allow 192.168.0.0/16 - * *
#
# # You don't really believe in this security stuff, and just want
# # everything to work.
# ACL Allow * - *
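To check what a candidate ACL block will actually do before reloading frox, here is an added Python evaluator (not part of frox or its configuration) that parses lines in the "ACL Allow|Deny SRC - DST [PORTS]" format above and decides a connection the way the examples imply: rules are tried in order, the first match wins, and a connection matching no rule is denied. It assumes first-match semantics and uses a constructed HOSTS table in place of DNS so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS resolution (example values, not real hosts).
HOSTS = {"ftp.evil": "203.0.113.5", "admin.localnet": "192.168.0.10"}


def parse_ports(spec):
    """'21', '1-20,22-1024,7100' or '*' -> set of ports; None means any port."""
    if spec is None or spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_addr(spec):
    """x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y, a name, or * -> network; None means any."""
    if spec == "*":
        return None
    return ipaddress.ip_network(HOSTS.get(spec, spec), strict=False)


def parse_acl(text):
    """Parse ACL lines (comments and blanks skipped) into (allow, src, dst, ports)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 5 or f[0] != "ACL" or f[1] not in ("Allow", "Deny") or f[3] != "-":
            raise ValueError("bad ACL line: " + line)
        ports = f[5] if len(f) > 5 else None
        rules.append((f[1] == "Allow", parse_addr(f[2]), parse_addr(f[4]), parse_ports(ports)))
    return rules


def check(rules, src_ip, dst_ip, dst_port):
    """True if the connection is allowed; first matching rule decides, default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for allow, src, dst, ports in rules:
        if ((src is None or s in src) and (dst is None or d in dst)
                and (ports is None or dst_port in ports)):
            return allow
    return False  # no rule matched: denied, as the comments above state
```

Run it against the second example block to confirm, for instance, that a LAN host is refused port 6001 while admin.localnet is not.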