About this page
This page is an overview of different problems that can be solved by
using jftpgw. I'll try to cover most of the standard situations where
you can use jftpgw and give hints on the most important configuration
options you may want to use for the specific task.
A simple proxy - manual login
This configuration is a very simple one. The principle is the
following: you want to retrieve data through FTP, but you cannot or do
not want to do it from your own computer, so you would like to use a proxy.
There are several reasons why you may want to use a proxy:
- You don't have a valid IP address and there is no valid routing
setup yet. This may be the case when you're installing a new Linux
distribution over the network, for example. Most of their installers
understand the login scheme of jftpgw.
- Your computer is protected by a firewall and cannot do FTP
transfers.
- You have a fast connection to the proxy and it has a fast
connection to your target FTP server, whereas the connection
(i.e. the normal routing) between you and your target FTP server
is slow.
You compile and run jftpgw on the proxy machine. You may want to allow
access only from your IP:
<from your.computer.ip>
access allow
</from>
If the proxy machine has two or more interfaces and the interface to your
client computer and the interface to the internet are different ones,
you can also consider letting jftpgw listen only on the interface that
connects to you. This is the case if the proxy machine also acts as a
router for you or is going to become one in the future.
You then FTP to your proxy machine on the port jftpgw listens on. See the
chapter on How to use jftpgw to get an impression of the login strings
that are possible. For example you can issue:
joe@mcknight [ ~ ]$ ftp -n 192.168.181.234 2370
Connected to 192.168.181.234.
220 Joe FTP Proxy Server/Gateway (v0.0.11) ready
ftp> user anonymous@sunsite.unc.edu
331 Password required for anonymous.
Password:
230-divahouse.metalab.unc.edu FTP server (Version wu-2.6.1(1) Tue Mar 27
10:12:50 EST 2001) ready.
230-
230- Welcome to ibiblio.org's FTP archives!
230- formerly known as MetaLab.unc.edu
230-
[...]
230-Please read the file README
230- it was last modified on Fri Nov 10 11:26:06 2000 - 161 days ago
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 66640
-r--r--r-- 1 root other 68117140 Apr 21 06:09 IAFA-LISTINGS
-rw-r--r-- 1 root other 973 Nov 10 16:26 README
dr-xr-xr-x 2 root other 4096 Mar 27 19:17 bin
-rw-r--r-- 1 ftp other 0 Mar 30 17:19 core
[...]
dr-xr-xr-x 5 root other 4096 Jul 16 1997 usr
226 Transfer complete.
ftp>
A simple proxy - for a private network
This is almost the same as the previous one; make sure that you allow
your private network and think about the IPs (interfaces) jftpgw
should listen on (see the previous chapter).
You may also read the chapter on the Transparent proxy to see if this
would be a nice feature for you.
If this is not possible, the users in your private network will have
to use FTP clients that can handle FTP proxies. Please note that the
typical browser does not support an FTP proxy: browsers expect proxies
that talk FTP to the FTP server but HTTP to the client program, i.e.
to the browser.
A simple proxy - for caching
If you're using jftpgw for a network and the client computers often
fetch the same data over FTP, caching would be suitable for you. In
the caching mode, jftpgw compares the size and the file creation
date to see whether the file in the cache directory differs from
the one on the remote FTP server. If the two match, the file
can be read directly from the hard disk, which normally gives you an
important speedup.
First think of a directory where your cache should reside. The proxy
server has to have write access to this directory. This note
may sound trivial now, but it may easily happen that you configure
jftpgw to change the user id or the root directory. Both options are
possible; you just have to ensure that the cache directory lives
inside the root directory and that it is writable by the user jftpgw
runs as.
<global>
runasuser jftpgw
cacheprefix /var/chroot/jftpgw/cache
cache off
[...]
</global>
Now switch on caching for all connections from your internal network to the
outside, except for connections to ftp.nocache.com.
<from 192.168.0.0/16>
<to 0/0 exclude ftp.nocache.com 192.168.0.0/16>
cache on
</to>
</from>
The permissions of your cache directory may look like this:
drwx------ 2 jftpgw root 4096 Jan 2 22:04 /var/chroot/jftpgw/cache/
You may also want to set limits on the size of the files that should be
placed in the cache:
<global>
[...]
cacheminsize 60K
cachemaxsize 200M
[...]
</global>
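The following is an added example, not jftpgw's own code, that models the caching behaviour described in this section: a cached file counts as current when its size and modification time equal the remote file's (the modification time here is taken as epoch seconds and assumed to be stamped onto the cached copy when it is stored), the cacheminsize/cachemaxsize limits are applied with binary units (K = 1024, an assumption), and the cache directory is checked for the drwx------ permissions shown above. The file sizes and time stamps used in the walk-through are constructed.

```python
import os
import tempfile

# Added example, not jftpgw's code: models the cache decision described above
# (compare size and modification time with the remote file) together with the
# cacheminsize/cachemaxsize limits and the cache directory permissions.

def parse_size(text):
    """'60K' -> 61440, '200M' -> 209715200, '512' -> 512 (binary units assumed)."""
    units = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    text = text.strip().upper()
    if text[-1:] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)

def within_limits(size, minsize="60K", maxsize="200M"):
    """Apply the limits from the <global> section above (defaults taken from it)."""
    return parse_size(minsize) <= size <= parse_size(maxsize)

def cache_dir_ok(path):
    """The directory must be writable by the proxy's user and, as in the
    'drwx------' listing above, not accessible by group or others."""
    mode = os.stat(path).st_mode
    return os.access(path, os.W_OK) and (mode & 0o077) == 0

def cache_decision(cache_path, remote_size, remote_mtime):
    """'hit' when the cached copy has the same size and modification time as the
    remote file (remote_mtime in epoch seconds, as obtained from the server),
    otherwise 'miss'."""
    try:
        st = os.stat(cache_path)
    except FileNotFoundError:
        return "miss"
    if st.st_size == remote_size and int(st.st_mtime) == int(remote_mtime):
        return "hit"
    return "miss"

def store(cache_path, data, remote_mtime):
    """Write the file and stamp it with the remote modification time so the
    next comparison works."""
    with open(cache_path, "wb") as f:
        f.write(data)
    os.utime(cache_path, (remote_mtime, remote_mtime))

def demo():
    """Walk through one file's life in the cache, in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as cache_dir:
        os.chmod(cache_dir, 0o700)
        results["dir_ok"] = cache_dir_ok(cache_dir)
        # the 973-byte README from the listing above is below cacheminsize
        results["readme_cacheable"] = within_limits(973)
        size, mtime = parse_size("70K"), 1_000_000_000        # constructed remote file
        results["big_cacheable"] = within_limits(size)
        path = os.path.join(cache_dir, "bigfile")
        results["first"] = cache_decision(path, size, mtime)          # not cached yet
        store(path, b"\0" * size, mtime)
        results["second"] = cache_decision(path, size, mtime)         # same size and date
        results["updated"] = cache_decision(path, size, mtime + 3600) # remote file changed
    return results

if __name__ == "__main__":
    print(demo())
```

The size-and-date comparison is only as good as the metadata the remote server reports, so a file that was changed without its modification time moving will still be served from the cache; the directory check guards against the more common mistake of a cache that other local users can read or alter.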
Transparent proxy
(This mode is explained in detail on the page on the transparent proxy mode.)
The transparent proxy mode does the following: you do not set up anything
on your clients, they just do their job in the normal fashion. Instead you
configure the router between you and the internet to catch all FTP
requests to the outside and pass them to jftpgw running on the router
machine. The proxy then handles the connection.
Requirements: roughly speaking, you need at least a computer between you
and the internet, i.e. a router, but see the page on the transparent proxy
mode for more details.
Configure jftpgw to listen on the internal interface and use the same
port number for the firewall redirect.
If you want jftpgw to catch the FTP request, determine the source, the
destination and the user, and then pass it to another FTP proxy, use
transparent-forward (you probably don't want to do this if you don't
know what it is for).
FTP server in a private network
Sometimes you want to provide an FTP service that should be available
from the internet, but you also want to secure your network with a
firewall. The firewall may only be a small dedicated machine and you
don't want to introduce a complicated setup with a DMZ and so on. You
may run jftpgw on the firewall and let it pass the FTP connection
requests from the outside to the server, and the responses and the data
from the server back to the client.
To accomplish this, you may want to use the forward option. You could say:
<global>
[...]
forward *@192.168.34.23
[...]
</global>
Read about the logintime option: if you set it to connect, the welcome
line of your FTP server is already sent to the client.
FTP server reacting differently to the inside and to the outside
This is an enhancement to the setting above. Imagine you have an
internal FTP server as in the previous example, but you also want your
clients to talk to FTP servers on the outside via the proxy.
There is the proxyip option to do this. Let's assume
your proxy has 192.168.1.1 as the internal IP and 123.123.123.123 as
the external one. To use different settings, say:
<proxyip 192.168.1.1>
[...]
[... settings for outbound clients here ...]
[...]
</proxyip>
<proxyip 123.123.123.123>
[...]
forward *@192.168.34.23
[...]
</proxyip>
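To make the interplay of the sections used on this page concrete, here is an added example, not jftpgw's own code, that models how the <from>/<to ... exclude ...> rules of the caching section and the <proxyip>/forward rules of the last two sections select options for one client connection. It is a model of the semantics the text describes, and three things in it are assumptions: later matching rules override earlier ones, a forward setting is applied before the destination is matched against <to> rules, and hostnames in an exclude list are matched by name while CIDR entries are matched against the resolved address. The name table and all addresses are constructed so the example runs offline.

```python
import ipaddress

# Constructed model of the <from>, <to ... exclude ...> and <proxyip> sections
# used on this page. It is not jftpgw's own code; precedence (later matching
# rules override earlier ones) and the point at which forward is applied are
# assumptions made for the model.

# The configuration fragments from this page, flattened into
# (conditions, options) pairs. Condition keys: from, to, proxyip.
CONFIG = [
    ({}, {"cache": "off"}),                                  # <global> cache off
    ({"from": "192.168.0.0/16",
      "to": "0/0 exclude ftp.nocache.com 192.168.0.0/16"}, {"cache": "on"}),
    ({"proxyip": "192.168.1.1"}, {}),                        # outbound side: nothing forced
    ({"proxyip": "123.123.123.123"}, {"forward": "*@192.168.34.23"}),
]

# Constructed name table so the example runs offline; the addresses are
# documentation ranges, not the real hosts' addresses.
NAMES = {"sunsite.unc.edu": "203.0.113.10", "ftp.nocache.com": "203.0.113.20"}

def lookup(host):
    """Hostname or IP literal -> IP string, using the constructed table above."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return NAMES[host]

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def _matches(spec, host, addr):
    """CIDR or IP specs are matched against addr; anything else is a hostname
    matched against host, case-insensitively."""
    try:
        net = _net(spec)
    except ValueError:
        return host is not None and spec.lower() == host.lower()
    return addr is not None and ipaddress.ip_address(addr) in net

def _to_matches(header, host, addr):
    """Evaluate a <to ...> header: the first word is the target, every word after
    'exclude' is an exception."""
    words = header.split()
    excludes = words[words.index("exclude") + 1:] if "exclude" in words else []
    return _matches(words[0], host, addr) and not any(
        _matches(x, host, addr) for x in excludes)

def parse_login(login):
    """'anonymous@sunsite.unc.edu' -> ('anonymous', 'sunsite.unc.edu');
    a plain user name yields host None."""
    user, sep, host = login.rpartition("@")
    return (user, host) if sep else (login, None)

def effective_options(conn, config):
    """Merge the options of every rule whose conditions all hold."""
    opts = {}
    for cond, options in config:
        if "from" in cond and not _matches(cond["from"], None, conn["client_ip"]):
            continue
        if "proxyip" in cond and cond["proxyip"] != conn["proxy_ip"]:
            continue
        if "to" in cond and not _to_matches(cond["to"], conn["dest_host"], conn["dest_ip"]):
            continue
        opts.update(options)
    return opts

def plan_connection(client_ip, proxy_ip, login, config=CONFIG):
    """Return (user, host, cache_on) for a client that connected from client_ip
    to the proxy interface proxy_ip and sent USER login."""
    user, host = parse_login(login)
    conn = {"client_ip": client_ip, "proxy_ip": proxy_ip, "dest_host": None, "dest_ip": None}
    # forward is decided from client and interface alone, before any destination is known
    fwd = effective_options(conn, [r for r in config if "to" not in r[0]]).get("forward")
    if fwd:
        fwd_user, host = parse_login(fwd)       # '*' keeps the user's own login name
        if fwd_user != "*":
            user = fwd_user
    if host is None:
        raise ValueError("login must be user@host when no forward applies")
    conn.update(dest_host=host, dest_ip=lookup(host))
    return user, host, effective_options(conn, config).get("cache") == "on"

if __name__ == "__main__":
    print(plan_connection("192.168.5.7", "192.168.1.1", "anonymous@sunsite.unc.edu"))
    print(plan_connection("198.51.100.9", "123.123.123.123", "joe"))
```

Run against the page's own fragments, an internal client logging in as anonymous@sunsite.unc.edu gets the cache, the same client talking to ftp.nocache.com or to an address inside 192.168.0.0/16 does not, and a client arriving on the external interface is sent to 192.168.34.23 whatever it typed after the @.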