Frox: an FTP proxy server

On 2011-03-15, in soft, by netoearth

Frox is a transparent FTP proxy that runs under Linux and *BSD. It should also work on other UNIX OSes that use ipfilter.

Frox Features:
* Active to passive mode conversion for data connections.
* It supports caching of FTP downloads, either through a local cache, or by redirecting connections through another proxy such as squid.
* Downloads may be transparently scanned for viruses (through an external scanner).
* Optional non-transparent proxy support by logging in with user@host:port.
* Options to bind to a specific interface, chroot, and drop privileges for security.
* Written with security in mind; the default setup runs as a non-root user in a chroot jail.

This means that any clients you have that are behind the proxy will believe that they are connecting to an ftp server as normal, but will actually be connecting to frox. Frox will do the onward connection to the remote server.


It can also be set up to do non-transparent proxying. In this case the ftp client can connect directly to frox, but instead of logging in with “username” should log in with “username@ftp.wherever.org”.


On either of these sorts of connections it can cache the files you download, or convert data connections from active to passive mode, which can make firewall rules a lot easier and safer. Frox can also encrypt the connections it makes to ftp servers which support it.

Frox Installation and Configuration:
Ubuntu users can install frox with the following command (from a terminal):

sudo apt-get install frox

After a successful installation, edit the frox configuration file (/etc/frox.conf) with any editor and adjust the following parameters:

Change “Listen” to the IP you want to listen on.
Change “WorkingDir”.
Set “User” and “Group” to the User/Group you want frox to run as.
Set “DoNTP” to “Yes” if you want this.
Set “ResolvLoadHack” to a hostname that does not exist! (See FAQ section 3.)
Set other options as documented in the config file.

NOTE:
Frox does not implement ftp proxying over HTTP. This means that if you configure a web browser (e.g. Netscape/Mozilla/IE) to use frox as its ftp proxy it won’t work. If you leave the browser's ftp proxy unconfigured, its ftp connections should be transparently proxied like anything else.


frox is a transparent ftp proxy server. FTP has two modes (active and passive), and since passive mode cannot be forwarded through NAT, this server lets the client believe it is talking to the ftp server directly: if you use the ftp command yourself, you cannot tell that it is going through an ftp proxy. It also provides non-transparent ftp proxying (the user cannot communicate with the ftp server directly). Because it is a proxy server, it also provides a cache (files that have been downloaded before are kept, so that if someone downloads the same file again it is faster). It does not support ftp-over-http proxying, which means that a browser (Netscape/Mozilla/IE) configured to use frox as its ftp proxy will not work. It supports virus scanning after download.


What I use it for
1. Passive-mode FTP, which ordinary computers behind the firewall cannot connect with (iptables can also be configured for this)
2. Virus scanning after download


Compiling and installing
The simplest way:
./configure
make
make install

Other important options

--enable-http-cache, --enable-local-cache: build with support for caching (via another proxy server, or a local cache).
--enable-virus-scan: build with support for virus scanning after download.
--enable-configfile=...: set the path of the configuration file, e.g. /etc/frox.conf. If it is not set, the default path /usr/local/etc/frox.conf is used.
--enable-transparent-data: build with support for transparent data connections.

Building on Red Hat
./configure --enable-http-cache --enable-local-cache --enable-virus-scan --enable-configfile=/etc/frox.conf
make
make install


Configuring frox.conf
frox's default port is 3121.
On the firewall we add a new rule that intercepts all outbound connections to port 21 and redirects them to the local port:
iptables -t nat -A PREROUTING -p tcp -s $LOCALNET --dport 21 -j REDIRECT --to 3121

Below is a simple configuration file. (I originally meant to explain every parameter, but gave up and deleted that part; for the rest please refer to the original frox.conf, or use the webmin module to configure it, although some of its explanations are wrong.)

# After editing you must send SIGHUP to frox so that it re-reads the configuration file
####################################################################
# Network Options                                                  #
####################################################################
# Setting the IP to 127.0.0.1 sometimes does not work, because the iptables
# redirect above sends the connection to the real IP (public or private);
# test whether your system accepts localhost.
Listen 192.168.0.253
Port 3121

####################################################################
# General Options                                                  #
####################################################################
# If the user or group does not exist, create them yourself
User nobody
Group nogroup

# This is my own choice; create the directory yourself, the installer will not create it
WorkingDir /var/lib/frox
DontChroot Yes

LogLevel 10
LogFile /var/log/frox.log

PidFile /var/run/frox.pid

####################################################################
# Ftp Protocol Options                                             #
####################################################################
BounceDefend yes

####################################################################
# Caching Options                                                  #
####################################################################
# My setup: frox -> squid -> Internet
# frox and squid are on the same machine
CacheModule http
HTTPProxy 127.0.0.1:3128

# The antivirus program I use is clamav
VirusScanner '"/usr/bin/clamscan" "-r" "%s"'

####################################################################
# Access control                                                   #
####################################################################

MaxForks 10

# Access control list
# Format: "ACL Allow|Deny SRC - DST [PORTS]"

# SRC (source) and DST (destination) may be written as x.x.x.x, x.x.x.x/yy or x.x.x.x/y.y.y.y

ACL Allow 192.168.0.0/24 -  *
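As an added example (not code from the original post or from frox itself), here is a small Python checker for a frox.conf in the format shown above: it parses the settings and ACL lines, evaluates the ACL decision for a client/server pair, and flags values that undo the chroot and privilege-drop hardening the feature list relies on (such as DontChroot Yes in the file above). The first-match ACL semantics, deny-by-default and the port syntax ('*' or a single port) are assumptions made here, not taken from frox's documentation; the sample configuration is constructed.

```python
import ipaddress

# Constructed sample in the style of the frox.conf above (not the post's own file).
SAMPLE_CONF = """
Listen 192.168.0.253
Port 3121
User nobody
DontChroot Yes
BounceDefend yes
ACL Deny 192.168.0.10 - *
ACL Allow 192.168.0.0/24 - *
"""

def parse_conf(text):
    # Split frox.conf into plain settings and ACL rules; '#' starts a comment.
    settings, acls = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key.upper() == "ACL":
            tok = rest.split()          # Allow|Deny SRC - DST [PORTS]
            acls.append((tok[0].lower(), tok[1], tok[3], tok[4] if len(tok) > 4 else "*"))
        else:
            settings[key.lower()] = rest.strip()
    return settings, acls

def _addr_match(pattern, addr):
    # Accepts x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y or '*', as the ACL comment describes.
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def acl_decision(acls, src, dst, port=21):
    # Assumed semantics: first matching rule wins, no match means deny, and the
    # PORTS field is '*' or a single port. Check frox's own docs before relying on this.
    for action, s, d, p in acls:
        if _addr_match(s, src) and _addr_match(d, dst) and (p == "*" or int(p) == port):
            return action
    return "deny"

def audit(settings):
    # Flag values that weaken the hardening frox's default setup provides.
    findings = []
    if settings.get("dontchroot", "no").lower() == "yes":
        findings.append("DontChroot Yes: frox runs outside its chroot jail")
    if settings.get("user", "root").lower() == "root":
        findings.append("User unset or root: the proxy does not drop privileges")
    if settings.get("bouncedefend", "no").lower() != "yes":
        findings.append("BounceDefend not yes: FTP bounce attacks via PORT are not refused")
    return findings
```

Run parse_conf(SAMPLE_CONF) and pass the results to acl_decision and audit; with the sample above, the denied host 192.168.0.10 is refused while the rest of 192.168.0.0/24 is allowed, and the only finding is the disabled chroot.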



Problems:
1. Latency: when virus scanning is configured, any ftp download through frox is fully downloaded and scanned by frox before it responds to your ftp client, so on the data connection a large file can mean a very long wait. Download managers with resume support, such as FlashGet, reconnect after a timeout, so they enter a loop and never finish downloading; because the data connection is limited to a few minutes, FlashGet cannot be used to download large files. You can save the file the ordinary way, but you lose resume and multi-part download.
2. IE proxy server problem: once a proxy server is configured and ftp also goes through that proxy, the connection does not go out over the ftp port, and you cannot point the ftp proxy setting at frox directly, because frox does not support it.


Testing:


The webmin administration interface
Luckily someone has written a frox module for webmin; administering it that way is fairly easy, and you can try it yourself.
