From 3e579676ecf6a38c5af3b088610a6aa00b9d3fe0 Mon Sep 17 00:00:00 2001 From: Daniel Hartmeier Date: Tue, 6 Jul 2004 19:49:12 +0000 Subject: The 'reverse ftp-proxy' mode adds a command line option -R to ftp-proxy which proxies connection from external ftp clients to an internal ftp server, supporting client passive mode (where server listens on a random port for data connections, and the client connects to the server for data connections). This is the reverse mode to normal operation, where ftp-proxy proxies connections from local clients to external servers, supporting client active mode. ok beck@, henning@ --- libexec/ftp-proxy/ftp-proxy.8 | 19 ++++++++++++++- libexec/ftp-proxy/ftp-proxy.c | 55 ++++++++++++++++++++++++++++++++++++++----- libexec/ftp-proxy/util.c | 17 ++++++++----- libexec/ftp-proxy/util.h | 4 ++-- 4 files changed, 80 insertions(+), 15 deletions(-) diff --git a/libexec/ftp-proxy/ftp-proxy.8 b/libexec/ftp-proxy/ftp-proxy.8 index e68bdde495c..508dbb124e2 100644 --- a/libexec/ftp-proxy/ftp-proxy.8 +++ b/libexec/ftp-proxy/ftp-proxy.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.40 2004/03/16 08:50:07 jmc Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.41 2004/07/06 19:49:11 dhartmei Exp $ .\" .\" Copyright (c) 1996-2001 .\" Obtuse Systems Corporation, All rights reserved. @@ -41,6 +41,8 @@ .Op Fl g Ar group .Op Fl M Ar maxport .Op Fl m Ar minport +.Op Fl R Ar address[:port] +.Op Fl S Ar address .Op Fl t Ar timeout .Op Fl u Ar user .Sh DESCRIPTION @@ -143,6 +145,21 @@ Use reverse host lookups for logging and libwrap use. By default, the proxy does not look up hostnames for libwrap or logging purposes. +.It Fl R Ar address:[port] +Reverse proxy mode for FTP servers running behind a NAT gateway. +In this mode, no redirection is needed. +The proxy is run from +.Xr inetd 8 +on the port that external clients connect to (usually 21). +Control connections and passive data connections are forwarded +to the server. +.It Fl S Ar address +Source address to use for data connections made by the proxy. +Useful when there are multiple addresses (aliases) available +to the proxy. +Clients may expect data connections to have the same source +address as the control connections, and reject or drop other +connections. .It Fl t Ar timeout Specifies a timeout, in seconds. The proxy will exit and close open connections if it sees no data diff --git a/libexec/ftp-proxy/ftp-proxy.c b/libexec/ftp-proxy/ftp-proxy.c index 18bc0a619a2..d454f487565 100644 --- a/libexec/ftp-proxy/ftp-proxy.c +++ b/libexec/ftp-proxy/ftp-proxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ftp-proxy.c,v 1.35 2004/03/14 21:51:44 dhartmei Exp $ */ +/* $OpenBSD: ftp-proxy.c,v 1.36 2004/07/06 19:49:11 dhartmei Exp $ */ /* * Copyright (c) 1996-2001 @@ -128,6 +128,8 @@ double xfer_start_time; struct sockaddr_in real_server_sa; struct sockaddr_in client_listen_sa; struct sockaddr_in server_listen_sa; +struct sockaddr_in proxy_sa; +struct in_addr src_addr; int client_listen_socket = -1; /* Only used in PASV mode */ int client_data_socket = -1; /* Connected socket to real client */ @@ -138,6 +140,7 @@ int client_data_bytes, server_data_bytes; int AnonFtpOnly; int Verbose; int NatMode; +int ReverseMode; char ClientName[NI_MAXHOST]; char RealServerName[NI_MAXHOST]; @@ -173,7 +176,8 @@ usage(void) { syslog(LOG_NOTICE, "usage: %s [-AnrVw] [-a address] [-D debuglevel [-g group]" - " [-M maxport] [-m minport] [-t timeout] [-u user]", __progname); + " [-M maxport] [-m minport] [-t timeout] [-u user]" + " [-R addr[:port]] [-S addr]", __progname); exit(EX_USAGE); } @@ -555,7 +559,7 @@ connect_port_backchannel(void) salen = 1; listen_sa.sin_family = AF_INET; - bzero(&listen_sa.sin_addr, sizeof(struct in_addr)); + bcopy(&src_addr, &listen_sa.sin_addr, sizeof(struct in_addr)); listen_sa.sin_port = htons(20); if (setsockopt(client_data_socket, SOL_SOCKET, SO_REUSEADDR, @@ -925,7 +929,10 @@ do_server_reply(struct csiob *server, struct csiob *client) new_dataconn(0); connection_mode = PASV_MODE; - iap = &(server->sa.sin_addr); + if (ReverseMode) + iap = &(proxy_sa.sin_addr); + else + iap = &(server->sa.sin_addr); debuglog(1, "we want client to use %s:%u", inet_ntoa(*iap), htons(client_listen_sa.sin_port)); @@ -973,7 +980,7 @@ main(int argc, char *argv[]) int use_tcpwrapper = 0; #endif /* LIBWRAP */ - while ((ch = getopt(argc, argv, "a:D:g:m:M:t:u:AnVwr")) != -1) { + while ((ch = getopt(argc, argv, "a:D:g:m:M:R:S:t:u:AnVwr")) != -1) { char *p; switch (ch) { case 'a': @@ -1016,6 +1023,41 @@ main(int argc, char *argv[]) case 'r': Use_Rdns = 1; /* look up hostnames */ break; + case 'R': { + char *s, *t; + + if (!*optarg) + usage(); + if ((s = strdup(optarg)) == NULL) { + syslog (LOG_NOTICE, + "Insufficient memory (malloc failed)"); + exit(EX_UNAVAILABLE); + } + memset(&real_server_sa, 0, sizeof(real_server_sa)); + real_server_sa.sin_len = sizeof(struct sockaddr_in); + real_server_sa.sin_family = AF_INET; + t = strchr(s, ':'); + if (t == NULL) + real_server_sa.sin_port = htons(21); + else { + long port = strtol(t + 1, &p, 10); + + if (*p || port <= 0 || port > 65535) + usage(); + real_server_sa.sin_port = htons(port); + *t = 0; + } + real_server_sa.sin_addr.s_addr = inet_addr(s); + if (real_server_sa.sin_addr.s_addr == INADDR_NONE) + usage(); + free(s); + ReverseMode = 1; + break; + } + case 'S': + if (!inet_aton(optarg, &src_addr)) + usage(); + break; case 't': timeout_seconds = strtol(optarg, &p, 10); if (!*optarg || *p) @@ -1051,7 +1093,8 @@ main(int argc, char *argv[]) memset(&client_iob, 0, sizeof(client_iob)); memset(&server_iob, 0, sizeof(server_iob)); - if (get_proxy_env(0, &real_server_sa, &client_iob.sa) == -1) + if (get_proxy_env(0, &real_server_sa, &client_iob.sa, + &proxy_sa) == -1) exit(EX_PROTOCOL); /* diff --git a/libexec/ftp-proxy/util.c b/libexec/ftp-proxy/util.c index 17a88cae643..61c9f1f1bc8 100644 --- a/libexec/ftp-proxy/util.c +++ b/libexec/ftp-proxy/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.18 2004/01/22 16:10:30 beck Exp $ */ +/* $OpenBSD: util.c,v 1.19 2004/07/06 19:49:11 dhartmei Exp $ */ /* * Copyright (c) 1996-2001 @@ -56,6 +56,8 @@ #include "util.h" +extern int ReverseMode; + int Debug_Level; int Use_Rdns; in_addr_t Bind_Addr = INADDR_NONE; @@ -75,14 +77,14 @@ debuglog(int debug_level, const char *fmt, ...) int get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr, - struct sockaddr_in *client_sa_ptr) + struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr) { struct pfioc_natlook natlook; socklen_t slen; int fd; - slen = sizeof(*real_server_sa_ptr); - if (getsockname(connected_fd, (struct sockaddr *)real_server_sa_ptr, + slen = sizeof(*proxy_sa_ptr); + if (getsockname(connected_fd, (struct sockaddr *)proxy_sa_ptr, &slen) != 0) { syslog(LOG_ERR, "getsockname() failed (%m)"); return(-1); @@ -94,6 +96,9 @@ get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr, return(-1); } + if (ReverseMode) + return(0); + /* * Build up the pf natlook structure. * Just for IPv4 right now @@ -101,10 +106,10 @@ get_proxy_env(int connected_fd, struct sockaddr_in *real_server_sa_ptr, memset((void *)&natlook, 0, sizeof(natlook)); natlook.af = AF_INET; natlook.saddr.addr32[0] = client_sa_ptr->sin_addr.s_addr; - natlook.daddr.addr32[0] = real_server_sa_ptr->sin_addr.s_addr; + natlook.daddr.addr32[0] = proxy_sa_ptr->sin_addr.s_addr; natlook.proto = IPPROTO_TCP; natlook.sport = client_sa_ptr->sin_port; - natlook.dport = real_server_sa_ptr->sin_port; + natlook.dport = proxy_sa_ptr->sin_port; natlook.direction = PF_OUT; /* diff --git a/libexec/ftp-proxy/util.h b/libexec/ftp-proxy/util.h index 597cd18d33b..057ed26f6a6 100644 --- a/libexec/ftp-proxy/util.h +++ b/libexec/ftp-proxy/util.h @@ -1,4 +1,4 @@ -/* $OpenBSD: util.h,v 1.3 2002/05/23 10:22:14 deraadt Exp $ */ +/* $OpenBSD: util.h,v 1.4 2004/07/06 19:49:11 dhartmei Exp $ */ /* * Copyright (c) 1996-2001 @@ -55,7 +55,7 @@ extern int telnet_getline(struct csiob *iobp, struct csiob *telnet_passthrough); extern int get_proxy_env(int fd, struct sockaddr_in *server_sa_ptr, - struct sockaddr_in *client_sa_ptr); + struct sockaddr_in *client_sa_ptr, struct sockaddr_in *proxy_sa_ptr); extern int get_backchannel_socket(int type, int min_port, int max_port, int start_port, int direction, struct sockaddr_in *sap); -- cgit v1.2.3