A transparent HTTP proxy can be built from Squid plus a packet filter, but Squid cannot transparently proxy FTP. Squid also speaks HTTP on the client side even when the origin is an FTP server, so it cannot serve as the FTP proxy for an FTP client. That is where frox comes in. As of 2003/06/14 the current version is 0.7.8. It is available from http://frox.sourceforge.net/ or http://www.hollo.org/frox/.
Fetch the tarball, unpack it, and run the configure script.

# wget http://frox.sourceforge.net/download/frox-0.7.8.tar.bz2
# tar xvjf frox-0.7.8.tar.bz2
# cd frox-0.7.8
Read the configure options at http://frox.sourceforge.net/doc/FAQ-2.html carefully before choosing them. This build enables both caching modules (local file cache and the HTTP/Squid cache) so that either CacheModule can be selected in frox.conf later.

# mkdir /usr/local/frox
# ./configure --prefix=/usr/local/frox \
    --enable-local-cache \
    --enable-http-cache
# make
# make install
First add an unprivileged user for frox to drop to. frox is started as root (it needs to bind the listening port) and then switches to the User/Group named in frox.conf, so this account never needs a login shell.

# useradd -g users frox
# vi /etc/passwd   (change frox's login shell to /bin/false)

useradd -s /bin/false -g users frox does both steps at once. The frox.conf below uses /home/frox as WorkingDir, which frox expects to be owned by frox with mode 700; check that the home directory useradd created has those permissions.
Next, configure frox in frox.conf. The file below is the upstream sample with the values changed for this host (LAN address 192.168.1.1 on eth0, proxy port 2121, LAN 192.168.1.0/24); the lines added under the upstream comments are this page's own notes on each option.
# vi /usr/local/frox/etc/frox.conf

# Configuration file for frox transparent ftp-proxy.
# Send SIGHUP after editing and it will be reread. This will fail
# completely if we are chrooted and the config file isn't within the
# dir we have chrooted to, or if we have dropped privileges and no
# longer have permission to read the config file! Some options cannot
# be reread - namely those which require special privileges (ie.
# BindToDevice, Listen, Port, TransparentData) and the caching stuff.

####################################################################
# Network Options                                                  #
####################################################################

# Address to listen on - default is 0.0.0.0 If you are using an OS other
# than Linux and are doing transparent proxying then you will need to set
# this to the IP of a local interface. If using linux you could leave it
# commented out to listen on all local IPs.
#
# Listen firewall.localnet
#Listen 192.168.2.1
# Set this to the server's LAN-side IP
Listen 192.168.1.1

# Port to listen on. Must be supplied.
# Set the port frox listens on
Port 2121

# If specified then bind to this device
# Set this to the server's LAN-side interface
#BindToDevice eth0
BindToDevice eth0

# Whether to run from inetd. You should still define Port above, but
# it isn't used for much.
# Whether to run frox from inetd
# FromInetd yes

# Stop frox from putting itself into the background. Use this if you want
# to run frox from supervise from djb's daemontools
# Whether to keep frox in the foreground; used when running it under
# supervise from djb's daemontools
# NoDetach

# A hack that should allow you to get away without putting resolver libraries
# into the chroot jail. The default is fine unless for some reason you have
# this hostname in /etc/hosts. If this sort of thing offends you, you may
# comment this out and copy resolver libraries into the chroot jail instead.
# See FAQ section 3.2 for details.
# See http://frox.sourceforge.net/doc/FAQ-3.html#ss3.2 for details
#ResolvLoadHack wontresolve.doesntexist.abc

# Another ftp proxy to forward on to. Frox will contact this ftp
# proxy, and send it a login name of the form "user@host:port" where
# host and port are the server frox should contact.
# Upstream FTP proxy that frox should forward to
# FTPProxy 192.168.2.9:2222

# Pick the IP frox should use for outgoing connections. You probably don't
# need this, and it is not well tested.
# Source IP frox uses for its outgoing connections
# TcpOutgoingAddr

####################################################################
# General Options                                                  #
####################################################################

# User and group to drop privileges to. This must be specified - if
# you really want to run as root (not a good idea) you must say so
# specifically, and have compiled with --enable-run-as-root.
# User and group to run as
# User nobody
# Group nogroup
User frox
Group nobody

# This is frox's working directory - it must be specified. Temporary
# files and sockets will be created here. If you are using local
# caching then the cache will be stored in this directory too. It
# should be owned by frox with permissions 700. By default frox will
# also chroot to this dir on startup. To avoid this you must specifically
# set DontChroot to Yes.
# Directory that holds the cache, and whether to chroot into it
# WorkingDir /usr/local/lib/frox
# DontChroot Yes
WorkingDir /home/frox
DontChroot Yes

# Logging level. 0=No logging. 5=Critical errors only. 10= All errors.
# 15=Errors, other important stuff. 20= Errors, connections, cache
# hits/misses 25=Debug info including text of control session.
# By default frox will log through syslog as facility daemon. If you
# want frox to log to a file instead specify this in LogFile below. You
# may set LogFile to "stderr" if you wish it to log there.
# Log destination and log level
# The directory has to be created beforehand
LogLevel 15
LogFile /usr/local/lib/frox/frox_log

# File to store PID in. Default is not to. If this file is not within
# the Chroot directory then it cannot be deleted on exit, but will
# otherwise work fine.
# Where to store the process ID
PidFile /usr/local/frox/run/frox.pid

####################################################################
# Ftp Protocol Options                                             #
####################################################################

# Active --> Passive conversion. If set then all outgoing connections
# from the proxy will be passive FTP, regardless of the type of the
# connection coming in. This makes firewalling a lot easier. Defaults
# to no.
# Whether to convert active FTP to passive
# Must not be combined with PAConv below
# APConv yes

# Passive --> Active conversion. If set then all outgoing connections
# from the proxy will be active FTP, regardless of the type of the
# connection coming in. Defaults to no.
# DO NOT USE WITH APConv!
# Whether to convert passive FTP to active
# Must not be combined with APConv above
# PAConv yes

# Block PORT commands asking data to be sent to ports<1024 and
# prevent incoming control stream connections from port 20 to
# help defend against ftp bounce attacks. Defaults to on.
# Whether to block PORT commands that target ports below 1024
BounceDefend yes

# If true then only accept data connections from the hosts the control
# connections are to. Breaks the rfc, and defaults to off.
# Whether to accept data connections only from the host the control
# connection goes to. This breaks the RFC.
# SameAddress yes

# Normally frox strips out nonprintable characters from the control
# stream. This makes buffer overflow attacks on clients/servers much more
# difficult. If you download files that contain non english characters
# this may cause you problems (especially for big charsets like Chinese).
# In that case turn on this option.
# Whether to let non-printable characters through on the control stream.
# By default frox strips them, which is the safer setting.
# AllowNonASCII yes

# Try to transparently proxy the data connections as well. Not
# necessary for most clients, and does increase security risks. N.V.
# You probably do _NOT_ need this option. It increases the complexity
# of what frox has to do, increases the difficulty of setting frox up
# correctly, and increases potential security risks. This has nothing
# to do with whether your clients will be transparently proxied. If
# you still want to use this option then read README.transdata for
# details.
# Whether to proxy the data connections transparently as well as the
# control connection. It easily becomes a security hole on both the
# client and the server side, so it is normally left off.
# TransparentData yes

# Specify ranges for local ports to use for outgoing connections and
# for sending out in PORT commands. By default these are all between
# 40000 and 50000, but you might want to split them up if you have
# complicated firewalling rules.
# Port ranges for frox's own connections
# ControlPorts 40000-40999
# PassivePorts 41000-41999
# ActivePorts 42000-42999

####################################################################
# Caching Options                                                  #
####################################################################

# Caching options. There should be at most one CacheModule line, and
# Cache lines to give the options for that caching module. CacheModule
# is HTTP (rewrites ftp requests as HTTP and sends them to a HTTP
# proxy like squid), or local (cache files locally). The relevant
# module needs to have been compiled in at compile time. See FAQ for
# details. If there are no CacheModule lines then no caching will be
# done.
#
# CacheModule local
# CacheSize 400
#
# CacheModule http
# HTTPProxy 127.0.0.1:3128
# MinCacheSize 65536
#
# StrictCaching no # Read FAQ for details.
# CacheOnFQDN yes # Read FAQ for details.
# Pick one of the two caching methods and set the cache size
CacheModule local
CacheSize 1000
CacheOnFQDN no

# Virus scanning -- see FAQ
#
# VirusScanner '"/usr/bin/viruscan" "--option" "%s"'
# VSOK 0
# VSProgressMsgs 30

####################################################################
# Access control                                                   #
####################################################################

# Allow non-transparent proxying support. The user can connect
# directly to frox, and give his username as user@host:port or
# user@host. Defaults to no. NTPAddress gives the address to which
# incoming connections must be addressed if the client is to be offered
# non-transparent proxying. Defaults to allowing all connections.
# Whether to support non-transparent proxying
# DoNTP yes
# NTPAddress 192.168.2.1:2121

# Number of seconds of no activity before closing session
# Defaults to 300
# Idle time after which a session is closed
# Timeout 300

#Maximum number of processes to fork.
# Maximum number of processes frox may fork
# MaxForks 0 # For debugging -- only one connection may be served.
MaxForks 10

# Maximum number of connections from a single host (IP address).
# Maximum number of connections from one client host
MaxForksPerHost 4

# Maximum number of bytes/second to be transferred down the data
# connection for each client. Currently this limits the transfer rate
# for cached as well as uncached files which probably isn't very
# logical.
# Transfer rate limit
# MaxTransferRate 4096

# Access control lists:
# The format is: "ACL Allow|Deny SRC - DST [PORTS]"
# SRC and DST may be in the form x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y,
# a dns name, or * to match everything.
#
# PORTS is a list of ports. If specified then the rule will only match
# if the destination port of the connection is in this list. This is
# likely only relevant if you are allowing non-transparent proxying of
# ftp connections (ie. DoNTP is enabled above). Specifying * is equivalent
# to not specifying anything - all ports will be matched
#
# Any connection that matches no rules will be denied. Since there are
# no rules by default you'll need to add something to let any
# connections happen at all (look at the last example if you are
# feeling lazy/not bothered by security).
#
#
# Examples:
#
# Allow local network to ftp to port 21 only, and block host ftp.evil
# ACL Deny * - ftp.evil
# ACL Allow 192.168.0.0/255.255.0.0 - * 21
#
# # Allow local network to ftp anywhere except certain dodgy ports. Network
# # admin's machine can ftp anywhere.
# ACL Allow admin.localnet - *
# ACL Deny * - * 1-20,22-1024,6000-6007,7100
# ACL Allow 192.168.0.0/16 - * *
#
# # You don't really believe in this security stuff, and just want
# # everything to work.
#ACL Allow * - *
# Access control: a connection that matches no rule is denied,
# so list only the hosts that should be allowed.
# The format is "ACL Allow|Deny [source] - [destination] [ports]"
ACL Allow 192.168.1.0/24 - * *

# Command control program: A bit like the idea of a squid redirector.
# By default the old interface is used so as not to break existing
# installations. The new interface is much more powerful, and is
# recommended for new scripts -- set UseOldCCP to false to use it.
# See the FAQ for details.
# Whether to use a CCP, which works like a squid redirector
# CCProgram /usr/local/lib/frox/bin/ccp
# UseOldCCP no

####################################################################
# Subsections                                                      #
####################################################################

# Matching rules the same as ACLS. Only some options can be specified
# in a subsection (currently the yes/no options, timeout, and HTTP
# caching options).
# Per-destination overrides
# SubSection * - ftp.dodgy.server
# StrictCaching yes
# EndSection
#
# SubSection * - 10.0.0.0/24 # A low latency high bandwidth connection
# MinCacheSize 4096
# EndSection

Two points in this file deserve attention. DontChroot Yes switches off the chroot into WorkingDir that frox performs by default; it is convenient here because LogFile, PidFile and the configuration file all live outside /home/frox, but it gives up the isolation the upstream comments recommend, so if you keep the chroot instead, move those files under WorkingDir. The ACL line is also what makes the proxy usable: with no uncommented ACL every connection is denied, and the single Allow rule restricts sources to the LAN while leaving destinations and ports open, which is fine as long as DoNTP stays off (with transparent proxying the destination port is always the intercepted port 21).
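The following script, added here as an example (it is my own and is not part of frox or of the original page), checks a finished frox.conf for the settings this file's own comments warn about: a missing or root User, DontChroot, BounceDefend turned off, TransparentData, APConv combined with PAConv, an ACL that allows everyone (or no ACL at all, which denies everyone), and DoNTP together with an Allow rule that leaves destination ports open. It understands only the directives used above, skips commented-out lines, and returns the number of findings. The two sample configurations embedded at the end are constructed for the demonstration; frox_conf_sample_ok mirrors the settings on this page and yields exactly one finding (DontChroot), frox_conf_sample_weak trips every check.

```shell
#!/bin/sh
# frox_conf_check: flag weak settings in a frox.conf (added example, not part of frox).
# Usage: frox_conf_check /usr/local/frox/etc/frox.conf
# One line per finding on stdout; the return value is the number of findings.

# Value of the last uncommented occurrence of a directive ("" when unset).
# Names compare case-insensitively; lines starting with '#' are skipped, so a
# commented-out default such as "# DontChroot Yes" does not count as a setting.
frox_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Lowercased value so that yes/Yes/YES compare equal
frox_conf_get_lc() { frox_conf_get "$1" "$2" | tr 'A-Z' 'a-z'; }

frox_finding() { echo "$conf: $1"; n=$((n + 1)); }

frox_conf_check() {
    conf=$1
    n=0
    # User must be set (frox requires it) and should not be root.
    case "$(frox_conf_get_lc "$conf" User)" in
        '')   frox_finding "User is not set; frox requires it" ;;
        root) frox_finding "User root: frox will not drop privileges" ;;
    esac
    # DontChroot Yes switches off the default chroot into WorkingDir.
    case "$(frox_conf_get_lc "$conf" DontChroot)" in
        yes|true|on) frox_finding "DontChroot on: frox does not chroot to WorkingDir" ;;
    esac
    # BounceDefend is on by default; an explicit no re-enables FTP bounce abuse.
    case "$(frox_conf_get_lc "$conf" BounceDefend)" in
        no|false|off) frox_finding "BounceDefend off: PORT to ports below 1024 allowed" ;;
    esac
    # TransparentData is the option frox.conf itself warns against.
    case "$(frox_conf_get_lc "$conf" TransparentData)" in
        yes|true|on) frox_finding "TransparentData on: data connections proxied transparently" ;;
    esac
    # APConv and PAConv are mutually exclusive.
    if [ "$(frox_conf_get_lc "$conf" APConv)" = yes ] &&
       [ "$(frox_conf_get_lc "$conf" PAConv)" = yes ]; then
        frox_finding "APConv and PAConv are both on; never combine them"
    fi
    # ACLs: no rule at all denies everyone; "ACL Allow * - *" lets everyone through.
    acls=$(awk '/^[[:space:]]*#/ { next } tolower($1) == "acl"' "$conf")
    if [ -z "$acls" ]; then
        frox_finding "no ACL lines: every connection will be denied"
    elif echo "$acls" |
         awk 'tolower($2) == "allow" && $3 == "*" && $5 == "*" { f = 1 } END { exit !f }'; then
        frox_finding "ACL Allow * - *: any source may reach any destination"
    fi
    # The PORTS field only matters once DoNTP is on: a non-transparent client names
    # the destination itself, so an Allow rule without a port list opens every port.
    if [ "$(frox_conf_get_lc "$conf" DoNTP)" = yes ] &&
       echo "$acls" |
       awk 'tolower($2) == "allow" && ($6 == "" || $6 == "*") { f = 1 } END { exit !f }'; then
        frox_finding "DoNTP on with an Allow rule that does not restrict destination ports"
    fi
    return $n
}

# Constructed samples for the demonstration, not real deployments.
frox_conf_sample_ok() {      # mirrors the settings used on this page
    cat <<'EOF'
Listen 192.168.1.1
Port 2121
User frox
Group nobody
WorkingDir /home/frox
# DontChroot Yes
DontChroot Yes
BounceDefend yes
#ACL Allow * - *
ACL Allow 192.168.1.0/24 - * *
EOF
}

frox_conf_sample_weak() {    # trips every check
    cat <<'EOF'
Port 2121
User root
DontChroot Yes
BounceDefend no
TransparentData yes
APConv yes
PAConv yes
DoNTP yes
ACL Allow * - *
EOF
}

if [ -n "${1:-}" ]; then      # run directly: check the file named on the command line
    frox_conf_check "$1"
    exit $?
fi
```

Run it as sh frox_conf_check.sh /usr/local/frox/etc/frox.conf after every edit and before sending frox the SIGHUP; a non-zero exit status means at least one finding was printed.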
Intercept connections to port 21 coming from the LAN and hand them to frox on port 2121. The rule matches only packets that arrive on eth0 from 192.168.1.0/24, so the control connections frox itself opens to remote FTP servers (locally generated packets never pass through PREROUTING) are not redirected back into the proxy. The option is --to-ports; the --to spelling on the original page works only because iptables accepts unambiguous abbreviations of long options.

# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 --dport 21 -j REDIRECT --to-ports 2121
A hand-made init script:
frox-init
Use chkconfig to start frox automatically at boot. chkconfig --add only accepts the script if it carries the "# chkconfig:" and "# description:" header comments.

# cp frox-init /etc/init.d/frox
# chmod 755 /etc/init.d/frox
# chkconfig --add frox
# chkconfig --level 2345 frox on
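For readers without the linked script, here is an init script of my own that fits the paths used on this page; it is an added example, not the page's frox-init. It assumes that make install with the --prefix above places the binary at /usr/local/frox/sbin/frox and that frox takes the configuration file with -f (both are assumptions to verify against your build), and it reads the PID from the PidFile set in frox.conf. The reload target sends the SIGHUP that frox.conf's header describes.

```shell
#!/bin/sh
# frox        Start/stop the frox transparent FTP proxy
#
# chkconfig: 2345 85 15
# description: frox transparent FTP proxy for the LAN (192.168.1.1:2121)
#
# Added example script, not the frox-init linked from the page. Assumed paths:
# the binary in /usr/local/frox/sbin and "frox -f <conf>" to name the config file.
# The variables can be overridden from the environment for testing.

FROX=${FROX:-/usr/local/frox/sbin/frox}
CONF=${CONF:-/usr/local/frox/etc/frox.conf}
PIDFILE=${PIDFILE:-/usr/local/frox/run/frox.pid}   # must match PidFile in frox.conf

# Returns 0 if the PID recorded in PIDFILE belongs to a live process, 1 otherwise.
# A missing, empty or non-numeric PID file is treated as "not running" (stale file).
frox_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(head -n 1 "$PIDFILE")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null
}

frox_start() {
    if frox_running; then
        echo "frox is already running (pid $(head -n 1 "$PIDFILE"))"
        return 0
    fi
    # frox is started as root and drops to User/Group from frox.conf by itself.
    mkdir -p "$(dirname "$PIDFILE")"
    printf 'Starting frox: '
    "$FROX" -f "$CONF" && echo done || { echo failed; return 1; }
}

frox_stop() {
    if ! frox_running; then
        echo "frox is not running"
        return 0
    fi
    printf 'Stopping frox: '
    kill "$(head -n 1 "$PIDFILE")" && echo done
}

frox_status() {
    if frox_running; then
        echo "frox (pid $(head -n 1 "$PIDFILE")) is running"
    else
        echo "frox is stopped"
        return 3
    fi
}

case "${1:-}" in
    start)   frox_start ;;
    stop)    frox_stop ;;
    restart) frox_stop; sleep 1; frox_start ;;
    reload)  frox_running && kill -HUP "$(head -n 1 "$PIDFILE")" ;;   # frox rereads frox.conf
    status)  frox_status ;;
    '')      : ;;   # no argument (e.g. sourced): only define the functions
    *)       echo "Usage: $0 {start|stop|restart|reload|status}"; exit 1 ;;
esac
```

Because frox drops privileges after start-up, the PID file directory is created by the script while it is still root; the reload target works only if the configuration file is still readable by the frox user and, when the chroot is kept, lies inside WorkingDir, as the header of frox.conf explains.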
To keep frox's log from growing without bound, hand its management to logrotate. I will not go into the details of using it, but with a file like the following placed in /etc/logrotate.d/, Vine Linux rotates the log into a fresh one every Sunday at 4 AM.