An FTP server can be a very useful way to transfer files too big for e-mail or instant messaging. The default ftpd that comes with FreeBSD isn't bad, but proftpd has many more features, so it's my FTP server of choice right now. If you have a dynamic IP address, it will be extremely useful to enable the no-ip service to allow access to WAN clients. Then we'll set up the proftpd server.
No-ip
In order to allow users from outside of our LAN to use the ftp, we'll need to set up no-ip. First go to www.no-ip.info and register an account for free. Once you are logged in, go to the Downloads tab and select Linux/BSD/Unix as your system. Save the client to a convenient location, and cd to that directory.
tar -xf noip-duc-linux.tar.gz
cd noip-2.1.1
make
make install
Now we'll get a prompt to enter some information.
bsd# make install
if [ ! -d /usr/local/bin ]; then mkdir -p /usr/local/bin;fi
if [ ! -d /usr/local/etc ]; then mkdir -p /usr/local/etc;fi
cp noip2 /usr/local/bin/noip2
/usr/local/bin/noip2 -C -Y -c /tmp/no-ip2.conf
Auto configuration for Linux client of no-ip.com.
Multiple network devices have been detected.
Please select the Internet interface from this list.
By typing the number associated with it.
0 rl0
1 M
2
3 þ
4
5
6
7
8
9
10
11
Enter the appropriate number and hit enter.
You should be able to recognize your network interface, in my case it is rl0, so I choose '1'.
Please enter the login/email string for no-ip.com user@name.com
Please enter the password for user 'user@name.com' ***********
Enter the email address that you used for your no-ip account, and the corresponding password.
Only one host [username.no-ip.info] is registered to this account.
It will be used.
Please enter an update interval:[30]
If you have multiple accounts you will have to choose one. Otherwise, it will choose for you, like in my case. Hit 'enter' to take the default interval of 30 minutes. It should be sufficient.
Do you wish to run something at successful update?[N] (y/N) N
It is not necessary to run anything on successful update.
New configuration file '/tmp/no-ip2.conf' created.
mv /tmp/no-ip2.conf /usr/local/etc/no-ip2.conf
Perfect, now we just need to create an rc script to set noip to run at startup (this will automatically update our dynamic ip address to keep our hostname linked to our current ip address).
vi /usr/local/etc/rc.d/noip2
Add these lines:
#!/bin/sh
#
# PROVIDE: noip2
# REQUIRE: DAEMON
# BEFORE: proftpd
. /etc/rc.subr
name="noip2"
rcvar=`set_rcvar`
command="/usr/local/bin/noip2"
load_rc_config $name
run_rc_command "$1"
Don't really worry about the details of the script, just note that we have set it up to run before proftpd starts up at boot time. Now to make it executable:
chmod +x /usr/local/etc/rc.d/noip2
Like our other rc scripts, we're going to have to add a line to rc.conf:
vi /etc/rc.conf
The line is:
noip2_enable=yes
You can change the line as necessary if you ever desire to disable noip. Now let's start noip for the first time (which will normally occur when we boot up).
/usr/local/etc/rc.d/noip2 start
Proftpd
Now that we've finished that, we can set up the server.
cd /usr/ports/ftp/proftpd
make install clean
That was painless enough. Don't worry though, there's plenty of configuration to come.
vi /etc/rc.conf
Add the following line:
proftpd_enable="yes"
Now we need to create proftpd.scoreboard; otherwise proftpd won't start.
touch /var/run/proftpd.scoreboard
With that done we will set up our ftp group.
pw groupadd -n ftp
We added the group ftp to the system. Now it's time for us to set up the directory structure for Mr. FTP.
mkdir /home/ftp
cd /home/ftp
mkdir in pub
chown nobody in
chmod 5777 in
All right. /home/ftp is the root of our FTP server, in is for incoming files, and pub is for files you want to be downloadable. Make sure that only root can write to pub so people can't overwrite your files in there. The chown and chmod on in will ensure that users cannot overwrite each other's files. It's possible that's not all you want for your directory structure. For instance, you may have a lot of files saved in an area you don't want to move to ftp's home, but want accessible on the server. You would handle such a case like so:
mkdir /home/ftp/pub/media
mount_nullfs /fat/media /home/ftp/pub/media
Now an ftp user would be able to download files from /fat/media (/fat is the mounted partition). You probably don't want to give write permissions to this directory though! Of course you will want to set up a corresponding entry in fstab to do this all of the time.
/fat/media /home/ftp/pub/media nullfs rw 0 0
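A check for the directory layout described above, as an added example that is not part of the original guide. It assumes the guide's /home/ftp root and root as the owner of pub (both can be overridden as arguments) and uses only find, so it runs under FreeBSD's /bin/sh.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Defaults (/home/ftp, owner root) are taken from the guide's layout.

# has_mode PATH BITS: succeeds if PATH itself has every bit in BITS set.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_ftp_tree [ROOT] [PUB_OWNER]: prints findings, returns 1 if any.
audit_ftp_tree() {
    root=${1:-/home/ftp}
    owner=${2:-root}
    rc=0

    # in/ is world-writable for uploads, so it needs the sticky bit:
    # without it one user can rename or remove another user's upload.
    if ! has_mode "$root/in" 1000; then
        echo "FAIL: $root/in lacks the sticky bit"; rc=1
    fi

    # Nothing under pub/ (nullfs mounts included) may be writable by
    # group or other, or owned by anyone but $owner.
    bad=$(find "$root/pub" ! -type l \
            \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "FAIL: writable or foreign-owned entries under $root/pub:"
        echo "$bad" | sed 's/^/  /'
        rc=1
    fi

    # If the FTP root itself is writable by group or other, in/ and pub/
    # can be renamed or replaced by a local user.
    if has_mode "$root" 020 || has_mode "$root" 002; then
        echo "FAIL: $root is group- or world-writable"; rc=1
    fi
    return $rc
}
```

Run audit_ftp_tree with no arguments after creating the tree and again after adding each nullfs mount; a non-zero return means at least one FAIL line was printed.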
Now it's time to configure the server itself.
vi /usr/local/etc/proftpd.conf
If you'd like to save yourself some typing, you may download my configuration here. I will go over what each of these pieces means.
ServerName "FTP"
ServerType standalone
DefaultServer on
DefaultRoot /home/ftp
This is some very basic configuration. The first line of course is the server's name. Choose as you please. You will definitely want standalone for the second line; otherwise you'll have to mess around with inetd. DefaultRoot will set the root of the ftp. What it will do is make /home/ftp the root of the server, so users won't be able to cd to /. I don't want users to be browsing any other files on my computer. On to the next section.
Umask 022
MaxInstances 30
User nobody
Group nogroup
AllowOverwrite off
This is some of the user configuration. This is straight out of the default config, so don't worry about it.
MasqueradeAddress username.no-ip.info
Port 50000
AllowForeignAddress on
PassivePorts 50001 52000
This is configuration for outside access to the server. First, replace username with your no-ip username. Then you must choose a port range on which you will run the ftp server. Because many hosts block port 21, you'll probably want to choose another one, in the high port range. AllowForeignAddress on permits data connections whose address differs from that of the control connection, which proftpd refuses by default. In my case, I then need to forward ports 50000-52000 to my computer. Naturally, you'll want to have a static ip address set up.
AllowOverwrite off
AllowRetrieveRestart on
Those lines will not allow overwriting of files, and will allow users to resume downloads.
ScoreboardFile /var/run/proftpd.scoreboard
SystemLog /var/log/proftpd.sys
TransferLog /var/log/proftpd.xfer
ServerLog /var/log/proftpd.serv
There's the scoreboard file we created earlier. The next three lines all have to do with logging. It is not necessary, but I definitely recommend keeping logs for troubleshooting and monitoring of traffic.
<Limit SITE_CHMOD>
DenyAll
</Limit>
We will deny users the ability to change permissions on the ftp.
<Limit LOGIN>
DenyAll
AllowUser ftpuser
</Limit>
This will limit all logins except for ftpuser (some user on your system). You can add as many of these AllowUser lines as necessary. Later on we'll allow anonymous logins.
<Limit ALL>
DenyAll
</Limit>
What we are doing here is giving ourselves a clean slate to work with. We are denying all ftp commands, so were we to not add allow statements later on, a user could do nothing. This will make sure users aren't doing things we don't want them to do.
<Limit CDUP CWD LIST PWD>
AllowAll
</Limit>
Now we are allowing users to cd, ls, and pwd.
<Directory /home/ftp/in>
<Limit STOR STOU>
AllowAll
</Limit>
</Directory>
This is for our uploads directory (/in). We are allowing users to 'put' files into this directory. However, we have overwriting and deleting blocked.
<Directory /home/ftp/pub>
<Limit READ>
AllowAll
</Limit>
</Directory>
This is for our downloads directory (/pub), and all subdirectories. This will allow users to 'get' files from this directory. Of course they can't delete or write or do any other things we would not like.
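One way to confirm that the clean-slate policy built up above survives later edits, as an added example that is not part of the original guide. The function name audit_limits is made up for this example, the upload directory defaults to the guide's /home/ftp/in, and the list of write-type commands is this example's own choice.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# audit_limits CONF [UPLOAD_DIR]
#   Reports every <Limit> that grants a write-type command to everyone
#   (AllowAll) anywhere except <Directory UPLOAD_DIR>, and checks that the
#   server-level "<Limit ALL> DenyAll" clean slate is present.
#   UPLOAD_DIR defaults to /home/ftp/in and is matched exactly.
# usage: audit_limits /usr/local/etc/proftpd.conf
audit_limits() {
    awk -v up="${2:-/home/ftp/in}" '
    BEGIN {
        # Write-type commands plus the WRITE and ALL command groups.
        w = " STOR STOU APPE DELE MKD XMKD RMD XRMD RNFR RNTO SITE_CHMOD WRITE ALL "
    }
    /^[ \t]*#/ { next }                 # skip comment lines
    { gsub(/[<>]/, " ") }               # "<Limit X>" becomes " Limit X "
    NF == 0 { next }
    { d = toupper($1) }                 # compare directive names case-insensitively
    d == "DIRECTORY" || d == "ANONYMOUS" { ctx[++depth] = d " " $2; next }
    d == "/DIRECTORY" || d == "/ANONYMOUS" { depth--; next }
    d == "LIMIT" {
        cmds = ""; inlimit = 1
        for (i = 2; i <= NF; i++) cmds = cmds " " toupper($i)
        next
    }
    d == "/LIMIT" { inlimit = 0; next }
    inlimit && d == "DENYALL" && depth == 0 && cmds == " ALL" { slate = 1 }
    inlimit && d == "ALLOWALL" {
        n = split(cmds, c, " ")
        for (i = 1; i <= n; i++)
            if (index(w, " " c[i] " ") && ctx[depth] != "DIRECTORY " up) {
                printf "FAIL: %s allowed for everyone in %s\n", c[i],
                       (depth ? ctx[depth] : "server config")
                bad = 1
            }
    }
    END {
        if (!slate) { print "FAIL: no server-level <Limit ALL> DenyAll"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}
```

The check is deliberately strict: it only looks at AllowAll, so per-user grants such as AllowUser inside a write-type Limit still need to be reviewed by hand.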
We've set up a server for users so far, but if you are interested in an anonymous ftp here is the relevant configuration:
MaxClients 10
<Anonymous /home/ftp>
<Limit LOGIN>
AllowAll
</Limit>
User ftp
Group ftp
UserAlias anonymous ftp
RequireValidShell off
</Anonymous>
Add all of that if you want anonymous logins, otherwise leave it out. Thus concludes our configuration. The file is read only so to save it:
:w!
If you are going to use the anonymous config, you'll probably want to remove any users from the LOGIN directive. Also, you'll need to configure an ftp user.
vipw
This will allow us to create the ftp user. The editing is done in the same fashion as vi. Either find the line for the ftp user and edit it to match mine, or add the following line:
ftp:*:14:14:ftp:0:0:Mr. FTP:*:*
We've basically made a user with no valid password, no valid home directory, and no valid shell. It won't be used for any purposes other than this ftp. Now that the configuration is done, let's get our server started.
/usr/local/etc/rc.d/proftpd.sh start
Now is the time for you to test your ftp to make sure everything is working. I suggest using ftp on the command line, but alternatively you may use gftp, which is conveniently located in our apps section. Test uploading and downloading. Once you're convinced things are working nicely, get someone outside of your lan to test for you. If you have trouble, be sure to take a look at the server logs.