Next Previous Contents

3. Configuration

3.1 Configuring frox

By default frox uses /usr/local/etc/frox.conf as a configuration file, but this can be changed either by giving --enable-configfile=/etc/whatever/you/want to the ./configure script, or by the -f command line option.

The sample config file is well commented and the best documentation for configuration. Note you will need to edit some of these options for it to work at all. You will also need to create a working directory for frox - see below.

For the transparent proxying to work your kernel will need to be compiled with transparent proxy support and you will need to enable forwarding with ``echo 1 >> /proc/sys/net/ipv4/ip_forward''. You then need to redirect ftp requests passing through the box to frox. For kernel 2.2 this will be something like ``ipchains -A input -p tcp -s LOCALNET -d 0/0 21 -j REDIRECT 2121'', and for kernel 2.4, ``iptables -t nat -A PREROUTING -p tcp -s LOCALNET --dport 21 -j REDIRECT --to 2121''.

You can configure frox to run from inetd with the FromInetd option. This will not work well with either the local caching or with TransparentData, but otherwise should be ok.

3.2 The Working Directory

Frox needs a working directory, specified in the config file. This is used for temporary files and sockets, for creating cache files in, and is also the directory frox will chroot to. This directory should be owned by root, permissions 0755, and frox will create the directory structure it needs in here. If you are doing virus scanning or using the command control program then these binaries, with any libraries they need, must also be added to this directory.

You may also have problems with resolving host names. Frox needs to resolve host names if you are using non transparent proxying, or if you are doing caching with CacheOnFQDN set to yes. There are two ways to fix this:

The quick and easy way is to define ResolvLoadHack in the config file to an address which is not defined in /etc/hosts. Frox will try and resolve this on startup and this will load the relevant resolver libraries. It doesn't matter if this address fails to resolve.

The other solution is to copy the resolver libraries into the chroot jail. For me it works with host.conf and resolv.conf in WorkingDir/etc/, and and in WorkingDir/lib/

3.3 How should I configure my ftp clients?

Normally you don't have to. Certainly don't set the ftp proxy variable in your browser or set your ftp_proxy environment variable to http://anything.

If you are using non-transparent ftp proxying (set ``DoNTP'' to ``yes'' in the config file) and you have a ftp client which supports this (such as ncftp, or debian's apt-get ftp method) then you need to set it up to login with ``username@host[:port]''. eg. ``'' or ``''. You can of course do this manually by typing this in when prompted for the username.

You may have a mixture of clients being transparently proxied and clients being non transparently proxied. In this case if you set the NTPAddress to the address/port you have told your non transparently proxied clients to contact the proxy on then only they will see frox's login banner. Clients which are transparently redirected to frox will see the login banner of the remote host they are contacting and will not be offered the chance to login with username@host:port.

Next Previous Contents