Welcome to the "Where to use" page :-) of
jftpgw FTP proxy 0.13.5
Last update: Sat Jun 5 21:55:29 CEST 2004
Joachim Wieland
About this page
This page is an overview of different problems that can be solved by using jftpgw. I'll try to cover most of the standard situations where you can use jftpgw and give hints on the most important configuration options you may want to use for the specific task.
A simple proxy - manual login
This configuration is a very simple one. The principle is the following: You want to retrieve data through FTP, but you cannot or do not want to do it directly from your computer, so you would like to use a proxy.

There are several reasons why you may want to use a proxy:

  • You don't have a valid IP address and there is no valid routing setup yet. This may be the case when you're installing a new Linux distribution over the network, for example. Most of them use the login scheme of jftpgw.
  • Your computer is protected by a firewall and cannot do FTP transfers.
  • You have a fast connection to the proxy and it has a fast connection to your target FTP server, whereas the connection (i.e. the normal routing) between you and your target FTP server is slow.

You compile and run jftpgw on the proxy machine. You may want to allow access only from your IP:

	<from your.computer.ip>
		access allow
	</from>
If the proxy machine has two or more interfaces, and the interface to your client computer is different from the interface to the internet, you can also consider letting jftpgw listen only on the interface that connects to you. This is the case if the proxy machine also acts as a router for you or should become one in the future.

You then FTP to your proxy machine on the port jftpgw listens to. See the chapter on How to use jftpgw to get an impression of the login strings that are possible. For example you can issue

joe@mcknight [ ~ ]$ ftp -n 192.168.181.234 2370
Connected to 192.168.181.234.
220 Joe FTP Proxy Server/Gateway (v0.0.11) ready
ftp> user anonymous@sunsite.unc.edu
331 Password required for anonymous.
Password:
230-divahouse.metalab.unc.edu FTP server (Version wu-2.6.1(1) Tue Mar 27
10:12:50 EST 2001) ready.
230-
230-             Welcome to ibiblio.org's FTP archives!
230-                   formerly known as MetaLab.unc.edu
230-
[...]
230-Please read the file README
230-  it was last modified on Fri Nov 10 11:26:06 2000 - 161 days ago
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 66640
-r--r--r--    1 root     other    68117140 Apr 21 06:09 IAFA-LISTINGS
-rw-r--r--    1 root     other         973 Nov 10 16:26 README
dr-xr-xr-x    2 root     other        4096 Mar 27 19:17 bin
-rw-r--r--    1 ftp      other           0 Mar 30 17:19 core
[...]
dr-xr-xr-x    5 root     other        4096 Jul 16  1997 usr
226 Transfer complete.
ftp>
A simple proxy - for a private network
This is almost the same as the previous one. Make sure that you allow your private network, and think about the IPs (interfaces) jftpgw should listen on (see the previous chapter).

You may also read the chapter on the Transparent proxy to see if this would be a nice feature for you.

If this is not possible, the users in your private network will have to use FTP clients that can handle FTP proxies. Please note that the typical browser does not support an FTP proxy. Browsers expect proxies that talk FTP to the FTP server but HTTP to the client program, i.e. to the browser.

A simple proxy - for caching
If you're using jftpgw for a network and the client computers often fetch the same data over FTP, caching would be suitable for you. In the caching mode, jftpgw checks the size and the file creation date in order to see whether the file in the cache directory differs from the one on the remote FTP server. If this is not the case, the file can be read directly from the hard disk, which normally gives you a considerable speedup.

First think of a directory where your cache should reside. Furthermore the proxy server has to have write access to this directory. This note may sound trivial now but it may easily happen that you configure jftpgw to change the user id or the root directory. Both options are possible - you just have to ensure that the cache directory lives inside the root directory and that it is writable by the user jftpgw runs as.

<global>
	runasuser	jftpgw
	cacheprefix	/var/chroot/jftpgw/cache
	cache		off
	[...]
</global>
Now switch on caching for all connections from your internal network to the outside, except for connections to ftp.nocache.com.
<from 192.168.0.0/16>
	<to 0/0 exclude ftp.nocache.com 192.168.0.0/16>
		cache		on
	</to>
</from>
The permissions of your cache directory may look like this:
drwx------    2 jftpgw   root         4096 Jan  2 22:04 /var/chroot/jftpgw/cache/
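The conditions described above (cache directory inside the root directory, owned and writable by the user jftpgw runs as, and, as in the listing, not writable by anyone else) can be checked as follows. This is an added example, not part of jftpgw or of the original page; the function name and its parameters are assumptions, and the demo uses a constructed temporary directory in place of /var/chroot/jftpgw/cache.

```python
import os
import stat
import tempfile


def audit_cache_dir(cache_dir, root_dir, run_uid):
    """Return a list of problems with the cache directory (empty = OK)."""
    problems = []
    # Resolve symlinks so a link that points out of the root directory is caught.
    real_cache = os.path.realpath(cache_dir)
    real_root = os.path.realpath(root_dir)
    if os.path.commonpath([real_cache, real_root]) != real_root:
        problems.append("cache directory is outside the root directory")
    try:
        st = os.stat(real_cache)
    except FileNotFoundError:
        problems.append("cache directory does not exist")
        return problems
    if not stat.S_ISDIR(st.st_mode):
        problems.append("cache path is not a directory")
        return problems
    if st.st_uid != run_uid:
        problems.append("cache directory is not owned by the proxy user")
    mode = stat.S_IMODE(st.st_mode)
    # The owner needs rwx to create, list and enter cache entries.
    if (mode & stat.S_IRWXU) != stat.S_IRWXU:
        problems.append("owner lacks rwx on the cache directory")
    # Anyone else with write access could replace cached files.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("cache directory is writable by group or others")
    return problems


if __name__ == "__main__":
    # Constructed layout standing in for a root directory and its cache/.
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "cache")
    os.mkdir(cache, 0o700)
    print(audit_cache_dir(cache, root, os.getuid()))  # no problems
    os.chmod(cache, 0o777)
    print(audit_cache_dir(cache, root, os.getuid()))  # flags write access
```

On the proxy machine, pass the configured cacheprefix, the root directory jftpgw changes to, and the numeric id of the runasuser account (for example from `pwd.getpwnam("jftpgw").pw_uid`).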
Maybe you want to specify limitations for the files that should be placed in the cache.
<global>
	[...]
	cacheminsize		60K
	cachemaxsize		200M
	[...]
</global>
Transparent proxy
(This mode is explained in detail on the page on the transparent proxy mode.) The transparent proxy mode does the following:

You do not set up anything on your clients; they just do their job in the normal fashion. Instead, you configure the router between you and the internet to catch all FTP requests to the outside and pass them to jftpgw running on the router machine. The proxy then in fact handles the connection.

Requirements: Roughly speaking, you need at least one computer between you and the internet, a router, but see the page on the transparent proxy mode for more details.

Configure jftpgw to listen on the internal interface and use the same port number for the firewall redirect.

If you want jftpgw to catch the FTP request, determine the source, destination and the user and then pass it to another FTP proxy, use transparent-forward (You probably don't want to do this if you don't know what it is for).

FTP server in a private network
Sometimes you want to provide an FTP service that should be available from the internet but you also want to secure your network with a firewall. The firewall may only be a small dedicated machine and you don't want to introduce a complicated setup with a DMZ and so on. You may run jftpgw on the firewall and let it pass the FTP connection requests from the outside to the server and the responses/the data from this one back to the client.

To accomplish this, you may want to use the forward option. You could say:

     <global>
          [...]
          forward	*@192.168.34.23
          [...]
     </global>
     

Read about the logintime option. By setting it to connect, you can already send the welcome line of your FTP server to the client.

FTP server reacting differently to the inside and to the outside
This is an enhancement to the setting above. Imagine you have an internal FTP server as in the previous example but you also want your client to talk to FTP servers on the outside via the proxy.

There is the proxyip option to do this. Let's assume your proxy has 192.168.1.1 as the internal IP and 123.123.123.123 as the external one. To use different settings, say:

     <proxyip 192.168.1.1>
          [...]
          [... settings for outbound clients here ...]
          [...]
     </proxyip>
     <proxyip 123.123.123.123>
          [...]
          forward	*@192.168.34.23
          [...]
     </proxyip>
     

Webpages created by Joachim Wieland © 2000-2004
Layout by Thomas Schultz © 2000