Classes


What are Classes?
When configuring proftpd, it is sometimes nice, or even necessary, to tag or label a client as belonging to some group, based on that client's IP address or DNS hostname. A "class" is the name for such connection-based groupings in ProFTPD terms. A class is defined to have a name, and as having certain criteria such as IP addresses, IP subnets/masks, and DNS hostnames. A client that connects to the daemon that has matching characteristics is then labeled as belonging to that class.

How are Classes Defined?
To define a class, use a <Class> section in your proftpd.conf:

  <Class internal>
    From 192.168.0.0/16
  </Class>
This defines a class named "internal"; any client connecting from 192.168.0.0/16 will belong to this class. And if you wanted to define a class for all clients not connecting from 192.168.0.0/16 address space:
  <Class external>
    From !192.168.0.0/16
  </Class>
A more complicated class might include matching DNS names as well:
  <Class test>
    From 1.2.3.4
    From proxy.*.com
    From my.example.com
    From 5.6.7.8
  </Class>
This "test" class will then be used for a client with any of the defined characteristics.

Note that if your class rules use only DNS names, and proftpd is unable to resolve the IP address of a client to a DNS name, that class may not be matched as you might expect. This can be seen in the server debugging output, at level 10, as something like:

  comparing DNS name '1.2.3.4' to pattern 'proxy.*.com'
Here you see the 1.2.3.4 IP address, where a DNS name should be. In order for DNS name based class rules to function properly, both a) DNS resolution is needed (i.e. UseReverseDNS must be on, which is the default), and b) the IP address of a connecting client must be resolvable to a DNS name.

What if there are multiple classes defined, and the classes overlap, e.g. two classes both have:

  From *.example.com
Which one will be used for the connecting client? This will depend on the order in which classes are defined in the proftpd.conf file. When searching the list of classes for the one that matches the client, proftpd checks each class in the order in which they are defined. The first class definition that matches is used.

How do you define a class that includes all clients from a certain domain except one specific host in that domain? To define a class with these sorts of characteristics, use the Satisfy configuration directive:

  <Class foo>
    From *.example.com
    From !bad.example.com
    Satisfy all
  </Class>

How are Classes Used?
By itself, a class does nothing. It is merely a way to define a set of clients and to give that set a name. Once that name is defined, though, it can be use as part of your configuration. There are a limited number of configuration directives that make use of classes directly:

The AllowClass and DenyClass directives are the main directives to use, for example in <Limit> sections:
  <Limit ALL>
    AllowClass internal
    DenyAll
  </Limit>

The mod_ifsession module also makes use of classes with its <IfClass> configuration section. Using classes and mod_ifsession, you can write a proftpd.conf that has specific configurations for specific classes of clients. Here's an example snippet demonstrating use of <IfClass>:

  <IfClass internal>
    MaxClients 100
  </IfClass>

  <IfClass !internal>
    MaxClients 25
  </IfClass>
This allows clients from class "internal" to see an effective MaxClients limit of 100 simultaneous clients, and clients not in class "internal" to see an effective limit of only 25.


Last Updated: $Date: 2005/07/19 00:30:02 $