ftp-proxy upgrade instructions

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

ftp-proxy upgrade instructions

Camiel Dobbelaar
ftp-proxy in -current has been replaced with a new one that was previously
called pftpx.

Upgrade instructions are as follows:

(1) the new proxy runs standalone, not from inetd

Stop the old one by disabling the entry in /etc/inetd.conf and HUP inetd.

Start the new one by updating /etc/rc and /etc/rc.conf and using
ftpproxy_flags="".  Alternatively, it can simply be started by calling
/usr/sbin/ftp-proxy from /etc/rc.local

(2) the new proxy uses anchors to allow data connections

/etc/pf.conf must be adapted.  In the NAT section you need:

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

They are mandatory, even if you otherwise don't use NAT.

A rule like this is probably already there for the old proxy:

rdr pass on $int_if proto tcp from $lan to any port 21 -> \ port 8021

In the rule section this is needed:

anchor "ftp-proxy/*"

And something like this is probably already there for the old proxy:

pass out proto tcp from $proxy to any port 21 keep state

That's it.  All other rules that allow the proxy to make outbound
(data) connections are no longer needed.  Those rules usually have
"user proxy" or "to port > 49151" in them.

Care has been taken to keep the commandline switches alike, but some
may differ.  See the manpage.

One case warrants special mention: if you have old clients that rely on
active mode data connections to have sourceport 20, you need the
'-r' switch.  (for this you had to run the old proxy with "-u root").

Other differences should be fairly obvious and/or easy to troubleshoot.
Run ftp-proxy with "-d -D7" if you run into trouble and want to diagnose
what's happening.