ftp6proxy

Intro

ftp6proxy is an FTP proxy for IPv6 gateways and firewalls. It is meant for FreeBSD, but may run on any other (BSD) operating system that supports divert sockets, kqueue, pf, ipfw, and of course IPv6. It may be of use for IPv4, too, unless you need NAT. In contrast to ftp-proxy and the libalias family (natd, ppp), ftp6proxy does not support NAT, as we do not need NAT with IPv6, do we? Instead, ftp6proxy intercepts the FTP command channel via a divert socket and, whenever the client wants to initiate a transfer, opens the firewall for two seconds (the -t timeout). If the data connection is established within those two seconds, it will have created a dynamic firewall rule that lets the subsequent packets of that connection through.
Both ftp-proxy and libalias/natd rewrite each FTP connection so that it looks as if it originates on the gateway machine (read: they do NAT). This is great if you're dealing with private (IPv4) addresses. With public addresses or IPv6, NAT becomes less desirable. Furthermore, libalias does not support IPv6 yet.
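
As an added illustration (not ftp6proxy's own code), here is the control-channel parsing such a helper has to do: from one PORT/EPRT command or 227/229 reply it derives the single data connection to permit, rejecting announcements that point anywhere but the control connection's own peer. The ipfw rule text is an assumed shape, since this page does not show the rule ftp6proxy installs.

```python
import ipaddress
import re

# How an FTP endpoint announces a data port: PORT/227 (RFC 959), EPRT/229 (RFC 2428).
_EPSV = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
_PASV = re.compile(r"^227 .*?(\d{1,3}(?:,\d{1,3}){5})")
_EPRT = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d{1,5})\|$", re.I)
_PORT = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$", re.I)

def _port(n):
    if not 0 < n < 65536:
        raise ValueError(f"data port out of range: {n}")
    return n

def _legacy(spec):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    h = [int(x) for x in spec.split(",")]
    if max(h) > 255:
        raise ValueError(f"bad PORT/PASV argument: {spec}")
    return ipaddress.ip_address(".".join(map(str, h[:4]))), _port(h[4] * 256 + h[5])

def data_hole(line, client, server):
    """Return (src, dst, dport) of the data connection announced by one control-channel
    line, or None.  The announced address must be the control connection's own peer,
    so the helper never opens the firewall toward a third host (this example's check)."""
    client, server = ipaddress.ip_address(client), ipaddress.ip_address(server)
    line = line.rstrip("\r\n")
    if m := _EPSV.match(line):                  # server listens, client will connect
        return client, server, _port(int(m.group(1)))
    if m := _PASV.match(line):
        addr, port = _legacy(m.group(1))
        if addr != server:
            raise ValueError(f"227 reply names {addr}, not the server {server}")
        return client, server, port
    if m := _EPRT.match(line):                  # client listens, server will connect
        addr, port = ipaddress.ip_address(m.group(2)), _port(int(m.group(3)))
        if addr != client or {4: 1, 6: 2}[addr.version] != int(m.group(1)):
            raise ValueError(f"EPRT names {addr}, not the client {client}")
        return server, client, port
    if m := _PORT.match(line):
        addr, port = _legacy(m.group(1))
        if addr != client:
            raise ValueError(f"PORT names {addr}, not the client {client}")
        return server, client, port
    return None

def ipfw_rule(number, hole):
    """Assumed shape of the temporary rule; 'setup keep-state' leaves the dynamic rule behind."""
    src, dst, dport = hole
    return f"add {number} allow tcp from {src} to {dst} {dport} setup keep-state"
```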

Installation

Why do I have to use pf and ipfw?

pf has issues diverting IPv6 traffic, at least on FreeBSD 9.2 and 10.0; see my message on the freebsd-pf mailing list.
ipfw deletes a dynamic firewall rule (i.e. one that is created automatically when a keep-state rule matches) as soon as you delete the corresponding static rule.

Help

ftp6proxy V0.1 - IPv6 FTP firewall helper

usage: ftp6proxy [-b <base>] [-c <count>] [-p <port>] [-t <timeout>]
                 [-q <queue>] [-d [-d]] [-i <pidfile>] [-u <user>]
       ftp6proxy -h

  -b <base>      punch holes into firewall starting at this rule number;
                 default: 65000
  -c <count>     use up to <count> firewall rules; default: 100
  -p <port>      divert port number to listen on; defaults to 10004
  -t <timeout>   wait up to <timeout> seconds for data connections;
                 defaults to 2 seconds
  -q <queue>     place data connections into this QoS class
  -d             run in foreground, don't write pidfile
  -d -d          run in foreground, don't write pidfile, debug log to stderr,
                 don't drop privileges
  -i <pidfile>   write pid to <pidfile> instead of /var/run/ftp6proxy.pid
  -u <user>      run as user <user> instead of uid 65535 and gid 65535
  -h             show this help ;-)

Files

Prototype

Before I started ftp6proxy, I wrote a prototype in Perl. I uploaded it for educational reference. It's called alg.pl.