A second means of specifying the remote through the proxy is through the passerve servername option, which causes the proxy to immediately connect to the specified remote system. This is useful in supporting modified ftp clients that understand the proxy.
Options
-a autheduser
This option is provided for versions of ftpd that may exec() the proxy if given a user@host type address, where the user has already authenticated to the ftpd. If this option is provided, ftp-gw will treat the session as if it has been authenticated for the specified user. If this option is enabled, care should be taken to ensure that the FTP gateway is running on a host with restricted access, to prevent local users from attempting to spoof the authentication. The version of ftpd used should only pass this parameter when the user has been adequately authenticated.
-u user@host
This option enables a user@host destination to be passed directly to the proxy, for versions of ftpd that recognize user@host addresses.
ftp-gw reads its configuration rules and permissions information from the firewall configuration table netperm-table, and retrieves all rules specified for ftp-gw. The following configuration rules are recognized:
userid user
This rule specifies a numeric user-id or the name of a password file entry. If this value is specified, ftp-gw will set its user-id before providing service. Note that this option is included mostly for completeness; ftp-gw performs no local operations that are likely to introduce a security hole.
To specify a directory to which ftp-gw will chroot(2) prior to providing service, use the command:
directory pathname
The name of a file to display to the remote user if he or she is denied permission to use the proxy is entered with the command:
denial-msg filename
If this option is not set, a default message is generated. When the denial-msg file is displayed to the remote user, each line is prefixed with the FTP codes for permission denied.
To specify the name of a file to display as a welcome banner upon successful connection, use the command:
welcome-msg filename
If this option is not set, a default message is generated. A file of your choosing can also be displayed in response to the help command. To specify the file to use when help is issued, use the command:
help-msg filename
If this option is not set, a list of the internal commands is printed.
To specify the name of a file to display if a user attempts to connect to a remote server for which he or she is restricted, use the command:
denydest-msg filename
If this option is not set, a default message is generated.
The following command specifies the idle timeout value in seconds:
timeout seconds
When the specified number of seconds elapses with no activity through the proxy server, it will disconnect. If this value is not set, no timeout is enforced.
The following rules specify host and access permissions:
hosts host-pattern [host-pattern2] [options]
Typically, a hosts rule will be in the form of:
ftp-gw: deny-hosts unknown
ftp-gw: hosts 192.33.112.* 192.94.214.* -log { retr stor }
There may be several host patterns following the hosts keyword, ending with the first optional parameter beginning with -. Optional parameters permit the selective enabling or disabling of logging information. Sub-options include:
-log operation
-log { operation1 operation2 }
-auth operation
-auth { operation1 operation2 }
-dest pattern
-dest { pattern1 pattern2 }
-dest !*.mit.edu -dest *
-deny operation
-deny { operation1 operation2 }
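As an added example, not part of the FWTK documentation or its code, the following Python checker parses ftp-gw hosts and deny-hosts rules in the syntax shown above, including the braced sub-option form and repeated -dest patterns, and reports how a given client, destination and FTP operation would be treated. It assumes that the first matching hosts rule wins, that a client without a resolvable name is presented as the literal "unknown", and that a leading ! negates a -dest pattern; the sample rules are constructed.

```python
import fnmatch
# Constructed sample netperm-table rules (the two from the text plus one more).
SAMPLE_RULES = """
ftp-gw: deny-hosts unknown
ftp-gw: hosts 192.33.112.* 192.94.214.* -log { retr stor }
ftp-gw: hosts * -dest !*.mit.edu -dest * -deny { stor dele } -log retr
""".strip().splitlines()

def parse_rule(line):
    """Split 'ftp-gw: keyword args... -opt val -opt { v1 v2 }' into its parts."""
    app, _, rest = line.partition(":")
    toks = rest.split()
    if app.strip() != "ftp-gw" or not toks:
        return None                                   # comment, blank or other app
    keyword, args, opts, i = toks[0], [], {}, 1
    while i < len(toks) and not toks[i].startswith("-"):
        args.append(toks[i]); i += 1                  # host patterns before options
    while i < len(toks):
        opt, i, vals = toks[i], i + 1, []
        if i < len(toks) and toks[i] == "{":          # brace form: -log { retr stor }
            i += 1
            while i < len(toks) and toks[i] != "}":
                vals.append(toks[i]); i += 1
            i += 1
        elif i < len(toks):                           # single-operand form: -log retr
            vals.append(toks[i]); i += 1
        opts.setdefault(opt, []).extend(vals)         # repeated -dest keeps its order
    return keyword, args, opts

def dest_allowed(patterns, dest):
    """First -dest pattern that matches decides; a leading '!' denies (assumption)."""
    if not patterns:
        return True                                   # no -dest: any destination
    for pat in patterns:
        if fnmatch.fnmatchcase(dest, pat.lstrip("!")):
            return not pat.startswith("!")
    return False

def check(rules, client, dest, op):
    """Return 'deny', 'allow' or 'allow+log' for client -> dest doing op."""
    for kw, args, opts in filter(None, map(parse_rule, rules)):
        if kw not in ("hosts", "deny-hosts") or not any(
                fnmatch.fnmatchcase(client, p) for p in args):
            continue                                  # other rule kinds, or client unmatched
        if kw == "deny-hosts" or op in opts.get("-deny", []):
            return "deny"                             # first matching rule wins (assumption)
        if not dest_allowed(opts.get("-dest", []), dest):
            return "deny"
        return "allow+log" if op in opts.get("-log", []) else "allow"
    return "deny"                                     # no hosts rule matched the client
```

Running check over a real netperm-table is a quick way to confirm that a deny-hosts line really precedes the broad hosts rule it is meant to override.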