  Frox FAQ
  James Hollingshead <jamesh@operamail.com>
  2001/03/30

  ______________________________________________________________________

  Table of Contents


  1. General
     1.1 What is frox?
     1.2 What can it do for me?
     1.3 What can't it do for me?
     1.4 Where can I get it?

  2. Configuration
     2.1 How do I configure frox?
     2.2 How should I configure my ftp clients?

  3. How does the caching work?
     3.1 I get an ``Unable to initialise cache'' error.
     3.2 I retrieved a file I had retrieved before and it doesn't seem to have been cached?

  4. Troubleshooting or Why doesn't it work?
     4.1 I can't connect to an ftp site through frox?
     4.2 Non transparent proxying won't work
     4.3 I still can't get it to work


  ______________________________________________________________________

  11..  GGeenneerraall

  11..11..  WWhhaatt iiss ffrrooxx??

  Frox is a transparent ftp proxy for linux written under the GPL.

  11..22..  WWhhaatt ccaann iitt ddoo ffoorr mmee??

  It will transparently proxy your ftp clients (duh). This means that
  any clients you have that are behind the proxy will believe that they
  are connecting to an ftp server as normal, but will actually be
  connecting to frox. Frox will do the onward connection to the remote
  server.

  It can also be set up to do non-transparent proxying. In this case the
  ftp client can connect directly to frox, but instead of logging in
  with ``username'' should log in with ``username@ftp.wherever.org''.

  On either of these sorts of connections it can do caching of files you
  download (still a bit experimental), or converting of data connections
  from active-->passive which can make firewalling rules a lot
  easier/safer.

  11..33..  WWhhaatt ccaann''tt iitt ddoo ffoorr mmee??

  It does not implement ftp proxy over HTTP. This means if you configure
  a web browser (eg. Netscape/Mozilla/IE) to use frox as their ftp proxy
  it won't work. If you leave them with ftp-proxy unconfigured then they
  should be transparently proxied like anything else.

  IPv6 is completely unimplemented



  11..44..  WWhheerree ccaann II ggeett iitt??

  Latest versions should be downloadable from the homepage at:
  http://frox.sourceforge.net/

  22..  CCoonnffiigguurraattiioonn

  22..11..  HHooww ddoo II ccoonnffiigguurree ffrrooxx??

  See the INSTALL file for details of compile time options and some
  configuration information. By default frox uses
  /usr/local/etc/frox.conf as a configuration file, but this can be
  changed either by giving --enable-configfile=/etc/whatever/you/want to
  the ./configure script, or by the -f command line option.

  The sample config file is well commented and the best documentation
  for configuration. Note you will need to edit some of these options
  for it to work at all.

  For the transparent proxying to work your kernel will need to be
  compiled with transparent proxy support and you will need to enable
  forwarding with ``echo 1 >> /proc/sys/net/ipv4/ip_forward''. You then
  need to redirect ftp requests passing through the box to frox. For
  kernel 2.2 this will be something like ``ipchains -A input -p tcp -s
  LOCALNET -d 0/0 21 -j REDIRECT 12345'', and for kernel 2.4, ``iptables
  -t nat -A PREROUTING -p tcp -s LOCALNET --dport 21 -j REDIRECT --to
  12345''.

  22..22..  HHooww sshhoouulldd II ccoonnffiigguurree mmyy ffttpp cclliieennttss??

  Normally you don't have to. Certainly don't set the ftp proxy variable
  in your browser or set your ftp_proxy environment variable to
  http://anything.

  If you are using non-transparent ftp proxying (set ``DoNTP'' to
  ``yes'' in the config file) and you have a ftp client which supports
  this (such as ncftp, or debian's apt-get ftp method) then you need to
  set it up to login with username ``username@host[:port]''. eg.
  ``anonymous@ftp.gnu.org'' or ``anonymous@ftp.gnu.org:21''. You can of
  course do this manually by typing in this when prompted for the
  username.

  33..  HHooww ddooeess tthhee ccaacchhiinngg wwoorrkk??

  With HTTP caching frox rewrites ftp retrieve requests in HTTP and
  sends them to a proxy server like squid which actually retrieves the
  file and does the caching. With local caching frox maintains its own
  cache of recently downloaded files on the hard disk.

  The HTTP caching implementation is probably a bit more stable and has
  the advantage that the cache is shared with any web browsers which use
  the same proxy directly for their ftp requests. Local caching is much
  faster (especially for small files) and lighter on network resources.

  Caching needs to be enabled at compile time by running ./configure
  with --enable-http-cache or --enable-local-cache. You can have both
  compiled in if you want.

  For HTTP caching your config file needs to say:



        CacheModule HTTP
        Cache HTTPProxy 192.168.2.1:3128 # proxy address
        # and optionally...
        Cache MinCacheSize 64000 # in bytes



  Files smaller than MinCacheSize will not be cached. Latency on small
  files can be really bad with this method since the HTTP proxy has to
  make a separate connection to the ftp server - setting MinCacheSize
  fairly high will help with this.

  For Local caching your config file should say:


             CacheModule Local
             Cache Dir /path/to/cache/dir
             # and optionally...
             Cache CacheSize 100 # in MB



  The directory specified in Dir needs to contain subdirectories 01, 02,
  ..., 0e, 0f. It also needs to be writable by the user frox has dropped
  its priveliges to. If CacheSize is unspecified the cache will grow
  indefinitely.

  33..11..  II ggeett aann ````UUnnaabbllee ttoo iinniittiiaalliissee ccaacchhee'''' eerrrroorr..

  Check that frox was compiled with support for the cache module you are
  attempting to use, and that you have given the correct Cache options
  for that module. If doing local caching then the user/group that frox
  is running as (ie. User/Group config options) must have read/write
  access to the cache directory. If doing http caching check that the
  http cache name resolves.

  33..22..  II rreettrriieevveedd aa ffiillee II hhaadd rreettrriieevveedd bbeeffoorree aanndd iitt ddooeessnn''tt sseeeemm ttoo
  hhaavvee bbeeeenn ccaacchheedd??

  Files are not cached for non-anonymous ftp sessions, or if the ftp
  server doesn't support the MDTM and SIZE extensions.  Additionally if
  the host's DNS name resolves to more than one IP address then the file
  will be cached, but frox has no way of knowing that the different IP
  addresses refer to the same host - unless your ftp client happens to
  pick the same IP both times you will not get the cached file back.

  44..  TTrroouubblleesshhoooottiinngg oorr WWhhyy ddooeessnn''tt iitt wwoorrkk??

  44..11..  II ccaann''tt ccoonnnneecctt ttoo aann ffttpp ssiittee tthhrroouugghh ffrrooxx??

  Look at the log file that frox produces and see if it gives you any
  clues. It should say ``Connect from A to B''. If it doesn't say
  anything then you aren't getting through to frox at all - check the
  config file to see frox is listening on the right address/interface.
  Have you remembered to do the ipchains/iptables command that is in the
  INSTALL file?

  If the log file suggests frox is connecting back to itself then you
  are probably contacting it directly and non-transparent proxying is
  switched off. Either switch non-transparent proxying on in the config
  file, or make sure that your ftp client is not trying to connect
  directly to frox - either from you specifying the frox machine as the
  ftp host on the command line, or from the client trying to use it
  explicitly as a proxy.

  Read the ``client configuration'' section again

  44..22..  NNoonn ttrraannssppaarreenntt pprrooxxyyiinngg wwoonn''tt wwoorrkk

  Version 6.0 changed it so that non-transparent proxying is only
  offered if the client has connected direct to the proxy machine. If
  you want the option of entering the host and port to connect to
  through the USER command then you need to have the client connect to
  the proxy rather than merely having the connection intercepted to go
  there.

  44..33..  II ssttiillll ccaann''tt ggeett iitt ttoo wwoorrkk

  Feel free to drop me a line at jamesh@operamail.com.  Please let me
  know what version of frox you are running, what version of the linux
  kernel, whether you gave any options to ./configure at compile time,
  and what point exactly it fails at. The log file should give you some
  info, and if you are feeling brave you could recompile with the
  --enable-debug option to ./configure and the log file will give you
  lots of information.



