ftp6proxy is an ftp proxy for IPv6 gateways and firewalls. It is meant for FreeBSD, but may run on any other (BSD)
operating system that supports divert sockets, kqueue, pf, ipfw, and of course
IPv6. It may be of use for IPv4, too, unless you need NAT. In contrast to ftp-proxy and the libalias family (natd, ppp),
ftp6proxy does not support NAT as we do not need NAT with IPv6, do we?
Instead, ftp6proxy intercepts the ftp command channel via a divert socket, and
then, if the client wants to initiate a transfer, opens the firewall for two
seconds. If the data channel has been established within these 2 seconds, it
will have created a dynamic firewall rule in order to let through subsequent
Both ftp-proxy and libalias/natd rewrite each ftp connection in order to make it look as if it originates on the gateway machine (read: they do NAT). This is great if you're dealing with private (IPv4) addresses. With public addresses or IPv6, NAT becomes less desirable. Furthermore, libalias does not support IPv6 yet.
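As an added illustration (not code from ftp6proxy or its Perl prototype) of the decision the proxy has to make on the intercepted command channel, namely which single data connection to admit for the timeout window: it assumes the endpoints use the RFC 2428 EPRT/EPSV forms with the "|" delimiter and that the proxy knows both addresses of the control connection; the addresses and lines are constructed. The security point is that an active-mode EPRT is only honoured for the client's own address, so the helper never opens the firewall towards a third party.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample endpoints of one control connection (not from a real capture).
CLIENT = "2001:db8:1::10"   # client side of the ftp command channel
SERVER = "2001:db8:2::21"   # server side of the ftp command channel

@dataclass(frozen=True)
class DataHole:
    """One data connection the firewall may admit for a short timeout."""
    src: str        # side that will open the data connection
    dst: str
    dst_port: int

# RFC 2428 forms with the recommended "|" delimiter; other delimiters are not accepted here.
_EPRT = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.IGNORECASE)
_EPSV = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)\s*$")

def hole_for_eprt(line, client, server):
    """Active mode: the client announces where the server should connect.
    Only open the firewall towards the client's own control-channel address,
    so a crafted EPRT cannot make the helper punch holes for other hosts."""
    m = _EPRT.match(line)
    if not m:
        return None
    proto, addr_text, port_text = m.groups()
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if (proto == "1") != (addr.version == 4):      # net-prt must match the address family
        return None
    port = int(port_text)
    if not 1024 <= port <= 65535 or addr != ipaddress.ip_address(client):
        return None
    return DataHole(src=str(ipaddress.ip_address(server)), dst=str(addr), dst_port=port)

def hole_for_epsv(line, client, server):
    """Passive mode: the server names only a port; the address is implicitly the
    server's control-channel address, so there is no announced address to abuse."""
    m = _EPSV.match(line)
    if not m:
        return None
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        return None
    return DataHole(src=str(ipaddress.ip_address(client)),
                    dst=str(ipaddress.ip_address(server)), dst_port=port)
```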
    $ make
    $ make install
    $ /usr/local/etc/rc.d/ftp6proxy start
For pf, add to your pf.conf:

    anchor "ftp6proxy/*"
    pass out quick inet6 proto tcp from port >= 1024 to port ftp

Create /etc/ipfw.rules:

    add divert 10004 ip6 from any to not me proto tcp src-port 1024-65535 dst-port 21
    add divert 10004 ip6 from not me to any proto tcp src-port 21 dst-port 1024-65535
    add allow ip from any to any

Then activate ipfw in /etc/rc.conf:

    firewall_enable="YES"
    firewall_type="/etc/ipfw.rules"
    natd_enable="YES"

Please note that natd_enable is only needed to load the ipdivert kernel module.
pf has issues diverting IPv6 traffic - at least on FreeBSD 9.2 and 10.0, see my
message on the freebsd-pf mailing list.
ipfw deletes a dynamic firewall rule (i.e. one that is automatically created when a keep-state rule matches) as soon as you delete the corresponding static rule.
    ftp6proxy V0.1 - IPv6 FTP firewall helper
    usage: ftp6proxy [-b <base>] [-c <count>] [-p <port>] [-t <timeout>] [-q <queue>] [-d [-d]] [-i <pidfile>] [-u <user>]
           ftp6proxy -h
      -b <base>     punch holes into firewall starting at this rule number; default: 65000
      -c <count>    use up to <count> firewall rules; default: 100
      -p <port>     divert port number to listen on; defaults to 10004
      -t <timeout>  wait up to <timeout> seconds for data connections; defaults to 2 seconds
      -q <queue>    place data connections into this QoS class
      -d            run in foreground, don't write pidfile
      -d -d         run in foreground, don't write pidfile, debug log to stderr, don't drop privileges
      -i <pidfile>  write pid to <pidfile> instead of /var/run/ftp6proxy.pid
      -u <user>     run as user <user> instead of uid 65535 and gid 65535
      -h            show this help ;-)
Before I started ftp6proxy, I wrote a prototype in Perl. I uploaded it for educational reference. It's called alg.pl.