src/frox.conf from the source tree:
# Configuration file for frox transparent ftp-proxy.
# Send SIGHUP after editing and it will be reread. This will fail
# completely if we are chrooted and the config file isn't within the
# dir we have chrooted to, or if we have dropped privileges and no
# longer have permission to read the config file! Some options cannot
# be reread - namely those which require special privileges (ie.
# BindToDevice, Listen, Port, TransparentData) and the caching stuff.
####################################################################
# Network Options #
####################################################################
# Address to listen on - default is 0.0.0.0 If you are using an OS other
# than Linux and are doing transparent proxying then you will need to set
# this to the IP of a local interface. If using linux you could leave it
# commented out to listen on all local IPs.
#
# Listen firewall.localnet
Listen 192.168.2.1
# Port to listen on. Must be supplied.
#
Port 2121
# If specified then bind to this device
#
BindToDevice eth0
# Whether to run from inetd. You should still define Port above, but
# it isn't used for much.
#
# FromInetd yes
# Stop frox from putting itself into the background. Use this if you want
# to run frox from supervise from djb's daemontools
#
# NoDetach
# A hack that should allow you to get away without putting resolver libraries
# into the chroot jail. The default is fine unless for some reason you have
# this hostname in /etc/hosts. If this sort of thing offends you, you may
# comment this out and copy resolver libraries into the chroot jail instead.
# See FAQ section 3.2 for details.
#
ResolvLoadHack wontresolve.doesntexist.abc
# Another ftp proxy to forward on to. Frox will contact this ftp
# proxy, and send it a login name of the form "user@host:port" where
# host and port are the server frox should contact. If you set
# FTPProxyNoPort then frox will send logins of the form user@host
#
# FTPProxy 192.168.2.9:2222
# FTPProxyNoPort yes
# Pick the IP frox should use for outgoing connections. You probably don't
# need this, and it is not well tested.
#
# TcpOutgoingAddr
# Pick the IP that frox should send in PASV replies to the client. Defaults
# to the address frox received the control connection on which you shouldn't
# need to change unless you are doing NAT between frox and your clients, or
# are trying to tunnel connections using frox. See FAQ.
#
# PASVAddress
####################################################################
# General Options #
####################################################################
# User and group to drop privileges to. This must be specified - if
# you really want to run as root (not a good idea) you must say so
# specifically, and have compiled with --enable-run-as-root.
#
# User nobody
# Group nogroup
# This is frox's working directory - it must be specified. Temporary
# files and sockets will be created here. If you are using local
# caching then the cache will be stored in this directory too. It
# should be owned by frox with permissions 700. By default frox will
# also chroot to this dir on startup. To avoid this you must specifically
# set DontChroot to Yes.
#
# WorkingDir /usr/local/lib/frox
# DontChroot Yes
# Logging level. 0=No logging. 5=Critical errors only. 10= All errors.
# 15=Errors, other important stuff. 20= Errors, connections, cache
# hits/misses 25=Debug info including text of control session. By
# default frox will log through syslog as facility daemon. If you want
# frox to log to a file instead specify this in LogFile below. You may
# set LogFile to "stderr" if you wish it to log there. XferLogging
# defaults to on, and results in a one line log entry for each file
# transferred irrespective of the log level. You can turn this off
# below.
#
# LogLevel 15
# LogFile /usr/local/lib/frox/frox-log
# XferLogging no
# File to store PID in. Default is not to. If this file is not within
# the Chroot directory then it cannot be deleted on exit, but will
# otherwise work fine.
#
PidFile /var/run/frox.pid
####################################################################
# Ftp Protocol Options #
####################################################################
# Active --> Passive conversion. If set then all outgoing connections
# from the proxy will be passive FTP, regardless of the type of the
# connection coming in. This makes firewalling a lot easier. Defaults
# to no.
#
# APConv yes
# Passive --> Active conversion. If set then all outgoing connections
# from the proxy will be active FTP, regardless of the type of the
# connection coming in. Defaults to no.
# DO NOT USE WITH APConv!
#
# PAConv yes
# Block PORT commands asking data to be sent to ports<1024 and
# prevent incoming control stream connections from port 20 to
# help defend against ftp bounce attacks. Defaults to on.
#
BounceDefend yes
# If true then only accept data connections from the hosts the control
# connections are to. Breaks the rfc, and defaults to off.
#
# SameAddress yes
# Normally frox strips out nonprintable characters from the control
# stream. This makes buffer overflow attacks on clients/servers much more
# difficult. If you download files that contain non english characters
# this may cause you problems (especially for big charsets like Chinese).
# In that case turn on this option.
#
# AllowNonASCII yes
# Try to transparently proxy the data connections as well. Not
# necessary for most clients, and does increase security risks. N.B.
# You probably do _NOT_ need this option. It increases the complexity
# of what frox has to do, increases the difficulty of setting frox up
# correctly, and increases potential security risks. This has nothing
# to do with whether your clients will be transparently proxied. If
# you still want to use this option then read README.transdata for
# details.
#
# TransparentData yes
# Specify ranges for local ports to use for outgoing connections and
# for sending out in PORT commands. By default these are all between
# 40000 and 50000, but you might want to split them up if you have
# complicated firewalling rules.
#
# ControlPorts 40000-40999
# PassivePorts 41000-41999
# ActivePorts 42000-42999
# SSL/AUTH support. Frox must have been linked to the openssl libraries.
# This is currently experimental, and only tested against vsftpd
#
# UseSSL yes
# DataSSL no
####################################################################
# Caching Options #
####################################################################
# Caching options. There should be at most one CacheModule line, and
# Cache lines to give the options for that caching module. CacheModule
# is HTTP (rewrites ftp requests as HTTP and sends them to a HTTP
# proxy like squid), or local (cache files locally). The relevant
# module needs to have been compiled in at compile time. See FAQ for
# details. If there are no CacheModule lines then no caching will be
# done. "CacheModule None" explicitly requests no caching, and is
# useful to turn off caching within a subsection (below).
#
# CacheModule local
# CacheSize 400
#
# CacheModule http
# HTTPProxy 127.0.0.1:3128
# MinCacheSize 65536
# ForceHTTP no # Set to yes to force http file retrieving even if
# # file is not cacheable
#
# StrictCaching no # Read FAQ for details.
# CacheOnFQDN yes # Read FAQ for details.
#
# CacheAll no # Set to yes to cache non anonymous ftp downloads
# Virus scanning -- see FAQ
#
# VirusScanner '"/usr/bin/viruscan" "--option" "%s"'
# VSOK 0
# VSProgressMsgs 30
####################################################################
# Access control #
####################################################################
# Allow non-transparent proxying support. The user can connect
# directly to frox, and give his username as user@host:port or
# user@host. Defaults to no. NTPAddress gives the address to which
# incoming connections must be addressed if the client is to be offered
# non-transparent proxying. For most people using this it will be the same
# as the Listen address above. If not given then all connections will be
# offered non transparent proxying. If you are not using transparent
# proxying at all then you should leave NTPAddress commented out.
#
# DoNTP yes
# NTPAddress 192.168.2.1:2121
# Number of seconds of no activity before closing session
# Defaults to 300
#
# Timeout 300
# Maximum number of processes to fork.
#
# MaxForks 0 # For debugging -- only one connection may be served.
MaxForks 10
# Maximum number of connections from a single host (IP address).
MaxForksPerHost 4
# Maximum number of bytes/second to be transferred over the data
# connection for each client. MaxTransferRate limits downloads and
# MaxUploadRate uploads. CacheDlRate is the rate for downloads of files
# that are cached locally - if not set these files will be downloaded at
# full speed.
#
# MaxTransferRate 4096
# CacheDlRate 8192
# MaxUploadRate 4096
# Access control lists:
# The format is: "ACL Allow|Deny SRC - DST [PORTS]"
# SRC and DST may be in the form x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y,
# a dns name, or * to match everything.
#
# PORTS is a list of ports. If specified then the rule will only match
# if the destination port of the connection is in this list. This is
# likely only relevant if you are allowing non-transparent proxying of
# ftp connections (ie. DoNTP is enabled above). Specifying * is equivalent
# to not specifying anything - all ports will be matched
#
# Any connection that matches no rules will be denied. Since there are
# no rules by default you'll need to add something to let any
# connections happen at all (look at the last example if you are
# feeling lazy/not bothered by security).
#
# # Examples:
# # Allow local network to ftp to port 21 only, and block host ftp.evil
# ACL Deny * - ftp.evil
# ACL Allow 192.168.0.0/255.255.0.0 - * 21
#
# # Allow local network to ftp anywhere except certain dodgy ports. Network
# # admin's machine can ftp anywhere.
# ACL Allow admin.localnet - *
# ACL Deny * - * 1-20,22-1024,6000-6007,7100
# ACL Allow 192.168.0.0/16 - * *
#
# # You don't really believe in this security stuff, and just want
# # everything to work.
ACL Allow * - *
# Command control program: A bit like the idea of a squid redirector.
# By default the old interface is used so as not to break existing
# installations. The new interface is much more powerful, and is
# recommended for new scripts -- set UseOldCCP to false to use it.
# See the FAQ for details.
#
# CCProgram /usr/local/lib/frox/bin/ccp
# UseOldCCP no
####################################################################
# Subsections #
####################################################################
# Matching rules the same as ACLs. Only some options can be specified
# in a subsection (currently the yes/no options, timeout, and caching
# options).
#
# SubSection * - ftp.dodgy.server
# StrictCaching yes
# EndSection
#
# SubSection * - 10.0.0.0/24 # A low latency high bandwidth connection
# MinCacheSize 4096
# EndSection
#
# SubSection * - ftp.localnetwork
# # To disable caching if it has been turned on in a parent section
# CacheModule None
# EndSection
[ This post was last edited by 黑夜编码人 on 2006-10-12 10:44 ]
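As an added example (not frox's own code), here is a small Python evaluator for the ACL format described in the Access control section, run over the two example rule sets from the config comments. It assumes that rules are tried in order with the first match winning (inferred from the examples, where a Deny precedes a broader Allow) and that DNS names are compared as literal strings since nothing is resolved; a connection matching no rule is denied, as the comments state.

```python
import ipaddress
# Example rule sets copied from the config comments above.
EXAMPLE_PORT21_ONLY = """ACL Deny * - ftp.evil
ACL Allow 192.168.0.0/255.255.0.0 - * 21"""
EXAMPLE_DODGY_PORTS = """ACL Allow admin.localnet - *
ACL Deny * - * 1-20,22-1024,6000-6007,7100
ACL Allow 192.168.0.0/16 - * *"""

def _parse_host(spec):
    """'*' -> None (any); x.x.x.x[/yy|/y.y.y.y] -> network; else a DNS name."""
    try:
        return None if spec == "*" else ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec.lower()
def _parse_ports(spec):
    """Absent or '*' -> None (all ports); else the set from 'a,b-c,...'."""
    if spec in (None, "*"):
        return None
    ports = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_acl(text):
    """Return [(allow?, src, dst, ports)] in file order; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue                          # blank or comment-only line
        if len(tok) < 5 or tok[0].lower() != "acl" or tok[3] != "-":
            raise ValueError("bad ACL line: " + line)
        rules.append((tok[1].lower() == "allow", _parse_host(tok[2]),
                      _parse_host(tok[4]), _parse_ports(tok[5] if len(tok) > 5 else None)))
    return rules
def _host_matches(pattern, host):
    if isinstance(pattern, str):              # DNS-name rule: literal compare (assumption)
        return pattern == host.lower()
    try:
        return pattern is None or ipaddress.ip_address(host) in pattern
    except ValueError:                        # a name never matches an address rule
        return False

def allowed(rules, src, dst, port):
    """First matching rule decides (assumed, as the page's examples imply);
    a connection that matches no rule is denied, as the config comment says."""
    for allow, s, d, ports in rules:
        if _host_matches(s, src) and _host_matches(d, dst) and (ports is None or port in ports):
            return allow
    return False
```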