Using Filters

ProFTPD supports the ability to "filter" the FTP commands it receives from the client. These filters are written as regular expressions. This means that while the filters can be very powerful, they can also be complex and harder to construct.

First, there are the AllowFilter and DenyFilter configuration directives. These configuration directives are used to set filters on every FTP command. If an AllowFilter is used, the command parameters must match the given filter, otherwise the command will be denied. If a DenyFilter is used, the command parameters must not match the given filter, otherwise the command will be denied. If both AllowFilter and DenyFilter are used, then the AllowFilter will be checked first.

Second, there are some special filter configuration directives aimed at those FTP commands that cause changes to files and directories on the server system: PathAllowFilter and PathDenyFilter. Like AllowFilter and DenyFilter, the Allow filter, if present, is checked first, then a DenyFilter, if present. PathAllowFilter and PathDenyFilter are checked after the AllowFilter and DenyFilter directives. These Path filters are only applied to the following FTP commands: DELE, MKD/XMKD, RMD/XRMD, RNFR, RNTO, STOR, STOU, and to the SITE commands CHGRP and CHMOD. Note that using both PathAllowFilter and PathDenyFilter at the same time is not a good idea; only one filter is generally needed.

One property that often catches the unwary administrator is the fact that proftpd only operates on the first Filter directive defined in the configuration file; it does not cycle through multiple Filter directives. This is because multiple regular expressions can be combined into a single (albeit more complex) regular expression. The alternation metacharacter is helpful in creating such combined regular expressions. For example, if you had the following in your proftpd.conf:

  PathAllowFilter \.jpg$
  PathAllowFilter \.jpeg$
  PathAllowFilter \.mpeg$
  PathAllowFilter \.mpg$
  PathAllowFilter \.mp3$
only the first PathAllowFilter would be enforced. To enforce all Filter simultaneously, use:
  PathAllowFilter \.(jpg|jpgeg|mpeg|mpg|mp3)$
Matches are case-sensitive! Also note that if you surround your regular expression in quotation (") marks, any backslash will itself need to be escaped; ProFTPD's configuration parser interprets backslashes inside of quoted strings a little differently. Thus, the example above would look like this:
  PathAllowFilter "\\.(jpg|jpgeg|mpeg|mpg|mp3)$"
if using quotation marks.

Another characteristic to keep in mind is that Filters are only applied to FTP command parameters, not to the FTP command itself. Most of the time, this is not a problem. It would be useful sometimes, though, to be able to filter parameters of commands other than those filtered by the Path filter directives. It would be an easy change to the source code; however, there is no feature request for the ability to do this on with a good justification for such a feature. If you can think of one, please open such a request.

When developing your Filter directives, it often helps to keep an eye on the server debugging output, to see how well your filters are being applied.

Last Updated: $Date: 2007/08/17 00:11:26 $