xref: /illumos-gate/usr/src/cmd/ipf/examples/ftp-proxy (revision 7c478bd9)
How to set up FTP proxying using the built-in proxy code.
=========================================================

NOTE: Currently, the built-in FTP proxy is only available for use with NAT
      (i.e. only if you're already using "map" rules with ipnat).  It does
      support null-NAT mappings, that is, using the proxy without changing
      the addresses.

Let's assume your network diagram looks something like this:


[host A]
   |a
---+-------------+----------
                 |b
             [host B]
                 |c
---+-------------+----------
   |d
[host C]

and IP Filter is running on host B.  If you want to proxy FTP from A to C
then you would do:

map int-c ipaddr-a/32 -> ipaddr-c-net/32 proxy port ftp ftp/tcp

int-c = name of "interface c"
ipaddr-a = IP address of interface a
ipaddr-c-net = another IP address on the C-network (usually not the same as
the interface).

For example, if host A was 10.1.1.1, host B had two network interfaces ed0
and vx0 with IP addresses 10.1.1.2 and 203.45.67.89 respectively, and host C
was 203.45.67.90, you would do:

map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp

where:
ipaddr-a = 10.1.1.1
int-c = vx0
ipaddr-c-net = 203.45.67.91

The "map" rule for this proxy should precede any other NAT rules you are
using.
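
One way to check the ordering requirement above in an ipnat rule file, as an
added example (not part of the original file or of IP Filter). The sample rule
files are constructed from the addresses used above; the function names and
the "overlaps" flag are assumptions of this example.

```python
import ipaddress
import re

NAT_KEYWORDS = {"map", "rdr", "bimap", "map-block"}  # ipnat rule types
FTP_PROXY = re.compile(r"\bproxy port (ftp|21) ftp/tcp\b")

# Constructed sample rule files, reusing the addresses from the example above.
BAD_CONF = """\
# general NAT rule placed first
map vx0 10.1.1.0/24 -> 203.45.67.91/32 portmap tcp/udp 10000:20000
map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
"""
GOOD_CONF = """\
map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
map vx0 10.1.1.0/24 -> 203.45.67.91/32 portmap tcp/udp 10000:20000
"""

def parse_nat_rules(text):
    """Yield one dict per NAT rule in file order; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] not in NAT_KEYWORDS:
            continue
        try:  # third token is the source network of a map-style rule
            src = ipaddress.ip_network(tokens[2], strict=False)
        except ValueError:
            src = None  # e.g. "from ... to ..." syntax: overlap not evaluated
        yield {"line": lineno, "kind": tokens[0], "ifname": tokens[1], "src": src,
               "ftp_proxy": bool(FTP_PROXY.search(" ".join(tokens)))}

def misordered_ftp_proxies(text):
    """Return (proxy_line, earlier_line, overlaps) for every FTP proxy rule
    that follows a NAT rule which is not an FTP proxy rule. overlaps is True
    when the earlier rule is map-style, on the same interface, and covers an
    overlapping source network."""
    findings, earlier = [], []
    for rule in parse_nat_rules(text):
        if not rule["ftp_proxy"]:
            earlier.append(rule)
            continue
        for prev in earlier:
            overlaps = (prev["kind"] != "rdr" and prev["ifname"] == rule["ifname"]
                        and prev["src"] is not None and rule["src"] is not None
                        and prev["src"].overlaps(rule["src"]))
            findings.append((rule["line"], prev["line"], overlaps))
    return findings

if __name__ == "__main__":
    for proxy_line, prev_line, overlaps in misordered_ftp_proxies(BAD_CONF):
        print(f"line {proxy_line}: FTP proxy rule follows NAT rule on line {prev_line}"
              f"{' (same interface, overlapping source)' if overlaps else ''}")
```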