Dear All,

Linux Kernel 2.4.20-8
Running Shorewall 2.2.0

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:82:45 brd ff:ff:ff:ff:ff:ff
    inet 62.68.254.178/28 brd 62.68.254.191 scope global eth0
    inet 81.10.4.178/30 brd 81.10.4.179 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:82:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:8b:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.1/24 brd 192.168.11.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:8a:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.168.1/24 brd 192.168.168.255 scope global eth3

81.10.4.176/30 dev eth0 scope link
62.68.254.176/28 dev eth0 scope link
192.168.2.0/24 dev eth1 scope link
192.168.168.0/24 dev eth3 scope link
192.168.11.0/24 dev eth2 scope link
169.254.0.0/16 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 62.68.254.177 dev eth0

Running 3 NIC: FW DMZ WST (loc1) SVR (loc2)

I am simply trying to allow ftp connections from the local area network to the external net, to go through an ftp proxy in the dmz, using frox running on port 2121 (running on a different server than the fw). So for clients in the loc zone connecting to an ftp site in the net zone, I want them to go through the ftp proxy on port 2121 on machine ftpproxy (in dmz) to the external net. However, for connections to the ftp server running also in the DMZ, I want the connection to be established with the server directly as usual. Only loc->net ftp connections should go through the ftp proxy; otherwise, any ftp connections in the local zone from loc1 to loc2 would just work as before.
TIA, deya
Deya Motawie wrote:
> I am simply trying to allow ftp connections from the local area network
> to the external net, to go through an ftp proxy in the dmz, using frox
> running on port 2121(running on a different server than the fw) . So for
> clients in the loc zone connecting to an ftp site in the net zone, I
> want them to go through the ftp proxy on port 2121 on machine ftpproxy
> (in dmz) to the external net. However, for connections to the ftp
> server running also in the DMZ, I want the connection to be established
> with the server directly as usual. Only loc->net ftp connections that
> should go through the ftp proxy, otherwise, any ftp connections in the
> local zone from loc1 to loc2 would just work as before.

I haven't tried it but it looks like you would do the same as for HTTP (see http://shorewall.net/Shorewall_Squid_Usage.html) with:

a) Port 80 replaced by port 21.
b) Port 3128 replaced by port 2121.
c) The FTP conntrack module on the frox system configured to track port 2121 as well as port 21 (see http://shorewall.net/FTP.html).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Deya Motawie wrote:
>> I am simply trying to allow ftp connections from the local area network
>> to the external net, to go through an ftp proxy in the dmz, using frox
>> running on port 2121(running on a different server than the fw) . So for
>> clients in the loc zone connecting to an ftp site in the net zone, I
>> want them to go through the ftp proxy on port 2121 on machine ftpproxy
>> (in dmz) to the external net. However, for connections to the ftp
>> server running also in the DMZ, I want the connection to be established
>> with the server directly as usual. Only loc->net ftp connections that
>> should go through the ftp proxy, otherwise, any ftp connections in the
>> local zone from loc1 to loc2 would just work as before.
>
> I haven't tried it but it looks like you would do the same as for HTTP
> (see http://shorewall.net/Shorewall_Squid_Usage.html) with:
>
> a) Port 80 replaced by port 21.
> b) Port 3128 replaced by port 2121.
> c) The FTP conntrack module on the frox system configured to track port
> 2121 as well as port 21 (see http://shorewall.net/FTP.html).

Sorry -- since there is a REDIRECT involved, the FTP nat module needs to be similarly configured.

-Tom
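A model of what points (c) and the follow-up about the nat module are asking for, added here as an illustration; it is not code from the thread, from frox or from Shorewall. The kernel FTP helpers (ip_conntrack_ftp and ip_nat_ftp, loaded on a 2.4 kernel with the module option ports=21,2121) parse only control connections whose server port is in that list. That parsing of PORT commands and 227 replies is what lets the separate data connection be accepted as RELATED, and, for an SNATed client, what lets the private address in a PORT command be rewritten. The host addresses and the control-channel exchange below are constructed; only the 192.168.2.0/24 and 192.168.11.0/24 subnets and the firewall address 62.68.254.178 come from the original post.

```python
"""Model of the netfilter FTP helpers on a control channel: only control ports in
the ports= list are inspected, and only that inspection yields the RELATED
expectation (conntrack helper) and the PORT rewrite (nat helper). Illustrative
model, not kernel code; addresses and the exchange are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The h1,h2,h3,h4,p1,p2 field carried by the PORT command and by the 227 (PASV) reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if absent or out of range."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

@dataclass
class Expectation:
    """A data connection the helper will accept as RELATED: src (None = any) -> dst:dport."""
    src: Optional[str]
    dst: str
    dport: int
    mode: str                 # "active" (client sent PORT) or "passive" (server sent 227)

@dataclass
class FtpHelper:
    ports: frozenset          # control ports inspected (module option ports=21,2121)
    expectations: List[Expectation] = field(default_factory=list)

    def observe(self, client: str, server: str, server_port: int,
                line: str, from_client: bool) -> Optional[Expectation]:
        """Inspect one control-channel line; register an expectation if it announces a
        data endpoint. A control port the helper is not configured for is never parsed."""
        if server_port not in self.ports:
            return None
        if from_client and line.upper().startswith("PORT "):
            ep = decode_hostport(line)
            if ep:            # active mode: the server connects back to the client's ip:port
                exp = Expectation(src=server, dst=ep[0], dport=ep[1], mode="active")
                self.expectations.append(exp)
                return exp
        elif not from_client and line.startswith("227"):
            ep = decode_hostport(line)
            if ep:            # passive mode: the client connects to the announced ip:port
                exp = Expectation(src=client, dst=ep[0], dport=ep[1], mode="passive")
                self.expectations.append(exp)
                return exp
        return None

    def is_related(self, src: str, dst: str, dport: int) -> bool:
        """Would a new SYN src -> dst:dport be accepted as RELATED to the control channel?"""
        return any(e.dst == dst and e.dport == dport and e.src in (None, src)
                   for e in self.expectations)

def nat_rewrite_port(line: str, public_ip: str, public_port: int) -> str:
    """The nat helper's job on an SNATed control channel: replace the private address in
    the client's PORT command with the mapped public ip:port so the remote server can
    connect back through the NAT. Any other line is passed through unchanged."""
    m = _HOSTPORT.search(line)
    if not m or not line.upper().startswith("PORT "):
        return line
    return line[:m.start()] + encode_hostport(public_ip, public_port) + line[m.end():]

# Constructed exchange: a LAN client (loc, 192.168.2.0/24) talking to a frox proxy in the
# DMZ (192.168.11.0/24) on port 2121. The host addresses are made up for the example.
CLIENT, PROXY, PROXY_PORT = "192.168.2.10", "192.168.11.5", 2121
EXCHANGE = [                  # (from_client, line)
    (False, "220 frox transparent ftp proxy ready"),
    (True,  "USER anonymous"),
    (True,  "PASV"),
    (False, "227 Entering Passive Mode (192,168,11,5,19,137)"),   # 19*256+137 = port 5001
    (True,  "PORT 192,168,2,10,8,1"),                              # 8*256+1   = port 2049
]

def run_exchange(helper: FtpHelper) -> List[Expectation]:
    """Feed EXCHANGE through a helper and return the expectations it registered."""
    for from_client, line in EXCHANGE:
        helper.observe(CLIENT, PROXY, PROXY_PORT, line, from_client)
    return helper.expectations

if __name__ == "__main__":
    default = FtpHelper(frozenset({21}))          # modules loaded without ports=
    tracked = FtpHelper(frozenset({21, 2121}))    # ports=21,2121
    print("ports=21      :", len(run_exchange(default)), "expectation(s)")
    print("ports=21,2121 :", len(run_exchange(tracked)), "expectation(s)")
    print("PASV data SYN RELATED?", tracked.is_related(CLIENT, PROXY, 5001))
    # 62.68.254.178 is the firewall's eth0 address from the post; 40000 is a made-up mapped port.
    print(nat_rewrite_port("PORT 192,168,2,10,8,1", "62.68.254.178", 40000))
```

With the default configuration the helper registers nothing for a control connection to port 2121, so the data connection that follows is just a new, unrelated SYN and is handled by the ordinary policies; with 2121 in the list the same exchange yields the two expectations, and the PORT rewrite shows why the nat helper needs the same list.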
Deya Motawie
2005-Feb-02 01:20 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
Dear Tom,

Thanks for your kind instructions and reply.

I followed your steps, and tried to connect from the lan, ftp to a remote site, and looked at the log of frox running on the ftp proxy server (as the squid proxy server) with the following :

Connect from xxxxxx
to xxxxx
Connection timed out when trying to connect to xx.xx.xx.xx
S: 501 Proxy unable to contact ftp server
Connect closed -- unable to contact server
Closing session.

Is this because I didn't open the port for the remote ftp server to connect to my ftp proxy server after I issue the ftp command ?

Thanks in advance,

On Jan 31, 2005, at 10:00 PM, shorewall-users-request@lists.shorewall.net wrote:
> Message: 1
> Date: Mon, 31 Jan 2005 10:17:12 -0800
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] FTP Transparent Proxy from Local To Net Through DMZ
>
> Sorry -- since there is a REDIRECT involved, the FTP nat module needs to
> be similarly configured.
>
> -Tom
Deya Motawie wrote:
> I followed your steps, and tried to connect from the lan, ftp to a
> remote site, and looked at the log of frox running on the ftp proxy
> server (as the squid proxy server)
> with the following :
>
> Connect from xxxxxx
> to xxxxx
> Connection timed out when trying to connect to xx.xx.xx.xx
> S: 501 Proxy unable to contact ftp server
> Connect closed -- unable to contact server
> Closing session.
>
> Is this because I didn't open the port for the remote ftp server to
> connect to my ftp proxy server after I issue the ftp command ?

If you want my help, you need to provide the information requested at http://shorewall.net/support.htm. Pay particular attention to the part that begins "THIS IS IMPORTANT!!".

-Tom
Deya Motawie
2005-Feb-02 02:40 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
Dear Tom,

[root@a310 shorewall]# shorewall version
2.2.0

[root@a310 shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:82:45 brd ff:ff:ff:ff:ff:ff
    inet 62.68.254.178/28 brd 62.68.254.191 scope global eth0
    inet 81.10.4.178/30 brd 81.10.4.179 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:82:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:8b:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.1/24 brd 192.168.11.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:53:8a:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.168.1/24 brd 192.168.168.255 scope global eth3

[root@a310 shorewall]# ip route show
81.10.4.176/30 dev eth0 scope link
62.68.254.176/28 dev eth0 scope link
192.168.2.0/24 dev eth1 scope link
192.168.168.0/24 dev eth3 scope link
192.168.11.0/24 dev eth2 scope link
169.254.0.0/16 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 62.68.254.177 dev eth0

Also the status file is attached.

Regards,
Deya

On Feb 2, 2005, at 3:37 AM, shorewall-users-request@lists.shorewall.net wrote:
> Re: [Shorewall-users] FTP Transparent Proxy from Local To Net
Deya Motawie wrote:
> Also the status file is attached.

I don't see anything other than you apparently had to add a rule to the Mangle table PREROUTING chain directly because you put the wrong marking rule in tcrules (your tcrules entry has port 80 rather than port 21).

That having been said, I don't understand how transparent FTP can possibly work anyway (especially when the proxy isn't on the firewall) so I'm not going to be much more help.

-Tom
Tom Eastep wrote:
> Deya Motawie wrote:
>> Also the status file is attached.
>
> I don't see anything other than you apparently had to add a rule to the
> Mangle table PREROUTING chain directly because you put the wrong marking
> rule in tcrules (your tcrules entry has port 80 rather than port 21).
>
> That having been said, I don't understand how transparent FTP can
> possibly work anyway (especially when the proxy isn't on the firewall)
> so I'm not going to be much more help.

As the Frox documentation says, if you want transparent data then the proxy needs to be on a system on the default route (which yours isn't) and needs libipt (which means that it is trying to use the private userspace<->kernel interface used by iptables -- almost guaranteed to be incompatible with Shorewall or any other iptables configuration package). If you are not doing transparent proxy of data connections, then I don't understand what transparent FTP buys you.

-Tom
Deya Motawie
2005-Feb-02 12:41 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
Tom,

Thanks. Do you suggest to have the ftp proxy on the fw ?

In this case, which part should I follow from your docs ? just the transparent ftp ?

Grateful if you point me to the right doc or link, before I start moving the ftp proxy on my fw.

Thanks again for all your help.

On Feb 2, 2005, at 5:22 AM, shorewall-users-request@lists.shorewall.net wrote:
> Re: FTP Transparent Proxy from Local To Net Through
Tom Eastep
2005-Feb-02 16:06 UTC
Re: Re: FTP Transparent Proxy from Local To Net Through DMZ
Deya Motawie wrote:
> Tom,
>
> Thanks. Do you suggest to have the ftp proxy on the fw ?
>
> In this case, which part should I follow from your docs ? just the
> transparent ftp ?
>
> Grateful if you point me to the right doc or link, before I start moving
> the ftp proxy on my fw.

There aren't any FTP transparent proxy docs in the Shorewall collection. As I said in my previous post, I find the whole idea rather strange. I guess that you want to be able to police your users' FTP usage rather than provide a cache of downloaded files -- is that it? Because using Shorewall (or any other iptables configuration tool), it is VERY unlikely that you will ever get transparent data connections to work.

If you don't want transparent data then you MIGHT be able to make the setup that you currently have work -- you need to debug it though to see. How to debug?

a) Start by confirming that you can reach the remote FTP server from the Frox system (simply use the command line ftp client from that system).

b) Use the command line ftp client from one of the systems behind the firewall to test and turn on debugging (see the Shorewall FTP documentation for examples).

c) Use a packet sniffer (for newbies, I recommend Ethereal) to watch (in this order):
   - Traffic from the firewall to the Frox server.
   - Traffic from the Frox server back to the firewall.
   - Traffic from the firewall to the Internet (this will be different from the prior traffic because of SNAT).

As a bonus, you will learn a lot about how FTP works (if nothing else). In particular, since you are not proxying data connections, those connections will be between the client and server systems and will not involve Frox (this is the part that I believe might have problems with the Frox system running on the DMZ).

At any rate, my advice still stands -- use the Squid documentation and substitute port numbers as I mentioned in my last message.

-Tom
Dear Tom,

Thanks for your prompt reply.
Ok, that will raise my original problem, which is when I am trying to download files through the web, using the proxy, squid, which doesn't handle ftp proxies. Hence, I thought a transparent proxy would solve the problem running with squid, on the same machine. Having said that, any other solution that would work with any web browser requesting files to be downloaded through an ftp connection, will do the job. Please advise on any other feasible solutions.

Thanking you in advance,

Deya

On Feb 2, 2005, at 2:41 PM, shorewall-users-request@lists.shorewall.net wrote:
> FTP Transparent Proxy from Local To Net
Deya Motawie wrote:
> Ok, that will raise my original problem, which is when I am trying to
> download files through the web, using the proxy,squid, which doesn't
> handle ftp proxies. Hence, I thought a transparent proxy would solve the
> problem running with squid, on the same machine. Having said that, any
> other solution that would work with any web browser requesting files to
> be downloaded through an ftp connection, will do the job. Please advise
> on any other feasible solutions.

Before your thread, I was unaware of any attempts to offer transparent FTP proxying -- I'm afraid that I'm unable to help you. Perhaps someone else on the list has experience in this area.

-Tom
Cristian Rodriguez
2005-Feb-02 20:58 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
can you explain us why you need an ftp proxy?
maybe we can find other solution for the problem...

AFAIK its not for caching.
you need some kind of control over FTP transfers..why?

On Wed, 2 Feb 2005 21:48:23 +0200, Deya Motawie <deya@citga.com> wrote:
> Dear Tom,
>
> Thanks for your prompt reply.
> Ok, that will raise my original problem, which is when I am trying to
> download files through the web, using the proxy,squid, which doesn't
> handle ftp proxies. Hence, I thought a transparent proxy would solve
> the problem running with squid, on the same machine. Having said that,
> any other solution that would work with any web browser requesting
> files to be downloaded through an ftp connection, will do the job.
> Please advise on any other feasible solutions.
>
> Thanking you in advance,
>
> Deya
Cristian Rodriguez
2005-Feb-02 21:00 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
can you explain us why you need an ftp proxy?
maybe we can find other solution for the problem...

AFAIK its not for caching.
you need some kind of control over FTP transfers..why?

I agree with Tom.. the idea is a little strange, and probably will not work at all.

On Wed, 2 Feb 2005 21:48:23 +0200, Deya Motawie <deya@citga.com> wrote:
> Dear Tom,
>
> Thanks for your prompt reply.
> Ok, that will raise my original problem, which is when I am trying to
> download files through the web, using the proxy,squid, which doesn't
> handle ftp proxies. Hence, I thought a transparent proxy would solve
> the problem running with squid, on the same machine. Having said that,
> any other solution that would work with any web browser requesting
> files to be downloaded through an ftp connection, will do the job.
> Please advise on any other feasible solutions.
>
> Thanking you in advance,
>
> Deya
Simon Matter
2005-Feb-03 06:30 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
> Dear Tom,
>
> Thanks for your prompt reply.
> Ok, that will raise my original problem, which is when I am trying to
> download files through the web, using the proxy,squid, which doesn't
> handle ftp proxies. Hence, I thought a transparent proxy would solve
> the problem running with squid, on the same machine. Having said that,
> any other solution that would work with any web browser requesting
> files to be downloaded through an ftp connection, will do the job.
> Please advise on any other feasible solutions.

I'm using jftpgw from http://www.mcknight.de/jftpgw/ in different configurations and it has always worked fine. For a transparent proxy on the firewall itself, the following config works:

in /etc/jftpgw.conf:

    transparent-proxy on

in /etc/shorewall/rules:

    REDIRECT loc 2370 tcp ftp

I've also built rpms for jftpgw which is available here: http://www.invoca.ch/pub/packages/jftpgw/

HTH,
Simon

> Thanking you in advance,
>
> Deya
Miguel Espejo
2005-Feb-22 16:21 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
Use a socks server in your firewall
if you want a good client with socks support use filezilla.

Cristian Rodriguez wrote:
> can you explain us why you need an ftp proxy?
> maybe we can find other solution for the problem...
>
> AFAIK its not for caching.
> you need some kind of control over FTP transfers..why?
>
> I agree with Tom..the idea is a little strange,and probably will not
> work at all.
>
> On Wed, 2 Feb 2005 21:48:23 +0200, Deya Motawie <deya@citga.com> wrote:
>> Dear Tom,
>>
>> Thanks for your prompt reply.
>> Ok, that will raise my original problem, which is when I am trying to
>> download files through the web, using the proxy,squid, which doesn't
>> handle ftp proxies. Hence, I thought a transparent proxy would solve
>> the problem running with squid, on the same machine. Having said that,
>> any other solution that would work with any web browser requesting
>> files to be downloaded through an ftp connection, will do the job.
>> Please advise on any other feasible solutions.
>>
>> Thanking you in advance,
>>
>> Deya
Gary Buckmaster
2005-Feb-22 16:39 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
>>> Thanks for your prompt reply.
>>> Ok, that will raise my original problem, which is when I am trying to
>>> download files through the web, using the proxy,squid, which doesn't
>>> handle ftp proxies.

It doesn't? Since when? I'm using squid to transparently proxy (and cache) ftp and http requests without any trouble.
Gary Buckmaster wrote:
>>>> Thanks for your prompt reply.
>>>> Ok, that will raise my original problem, which is when I am trying to
>>>> download files through the web, using the proxy,squid, which doesn't
>>>> handle ftp proxies.
>
> It doesn't? Since when? I'm using squid to transparently proxy (and
> cache) ftp and http requests without any trouble.

I'm confused -- from the Squid FAQ:
------------------------------------------------------------------------
12.17 Can I make my regular FTP clients use a Squid cache?

Nope, its not possible. Squid only accepts HTTP requests. It speaks FTP on the server-side, but not on the client-side.

The very cool wget will download FTP URLs via Squid (and probably any other proxy cache).
-------------------------------------------------------------------------

-Tom
Eduardo Ferreira
2005-Feb-22 17:08 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
Tom Eastep wrote on 22/02/2005 13:55:32:
> Gary Buckmaster wrote:
>> It doesn't? Since when? I'm using squid to transparently proxy (and
>> cache) ftp and http requests without any trouble.
>
> I'm confused -- from the Squid FAQ:
> ------------------------------------------------------------------------
> 12.17 Can I make my regular FTP clients use a Squid cache?
>
> Nope, its not possible. Squid only accepts HTTP requests. It speaks FTP
> on the server-side, but not on the client-side.
>
> The very cool wget will download FTP URLs via Squid (and probably any
> other proxy cache).
> -------------------------------------------------------------------------
>
> -Tom

Tom,

if I start my browser in any internal workstation, enter ftp://ftp.mozilla.org/ in its address bar, I get this piece of tcpdump in the external interface of my firewall/proxy (I lost the first few packets):

[root@fwdmzatt shorewall]# tcpdump -i eth0 host ftp.mozilla.org
tcpdump: listening on eth0
14:03:30.126483 ns02.icatu.com.br.knetd > mozilla.cs.utah.edu.ftp: R 3257707667:3257707667(0) ack 2104517053 win 0 (DF) [tos 0x10]
14:03:33.051899 ns02.icatu.com.br.2055 > mozilla.cs.utah.edu.ftp: P 3935811836:3935811842(6) ack 2102765020 win 64199 (DF) [tos 0x10]
14:03:33.238423 mozilla.cs.utah.edu.ftp > ns02.icatu.com.br.2055: P 1:15(14) ack 6 win 5840 (DF)
14:03:33.239799 ns02.icatu.com.br.2055 > mozilla.cs.utah.edu.ftp: P 6:17(11) ack 15 win 64185 (DF) [tos 0x10]
14:03:33.425845 mozilla.cs.utah.edu.ftp > ns02.icatu.com.br.2055: P 15:52(37) ack 17 win 5840 (DF)
14:03:33.426732 ns02.icatu.com.br.2055 > mozilla.cs.utah.edu.ftp: P 17:25(8) ack 52 win 64148 (DF) [tos 0x10]

hence, squid can proxy ftp - at least here...

cheers
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:
> Tom,
>
> if I start my browser in any internal workstation, enter
> ftp://ftp.mozilla.org/ in its address bar, I get this piece of tcpdump in
> the external interface of my firewall/proxy (I lost the first few
> packets):
> [...]
> hence, squid can proxy ftp - at least here...

It can proxy FTP from a browser when the browser is configured to use Squid as a proxy, yes.

If you trace the communication between the browser and the proxy, you'll find that port 80 is being used, not port 21. I think you'll determine that, as the FAQ says, FTP is spoken only on the server side.

-Tom
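The distinction Tom is drawing, as an added illustration (not code from the thread or from Squid): a browser that is configured to use a proxy sends an HTTP request whose request-line carries the full ftp:// URL, so Squid only ever speaks HTTP on the client side and FTP towards the server. A browser or ftp client that is not proxy-aware opens a connection to port 21 and then waits, because an FTP server speaks first (the 220 greeting) while an HTTP proxy waits for a request; REDIRECTing that connection to Squid therefore leaves both ends waiting rather than producing an FTP session Squid could serve. The byte strings below are constructed; the ftp.mozilla.org URL is the one from Eduardo's test.

```python
"""Who speaks what, and who speaks first, on a proxied versus a REDIRECTed FTP
connection. Illustrative model, not Squid code; the request bytes are constructed."""
from urllib.parse import urlsplit

# FTP control commands a native client might send once it has received a greeting.
FTP_COMMANDS = {b"USER", b"PASS", b"PASV", b"PORT", b"LIST", b"RETR", b"CWD",
                b"QUIT", b"TYPE", b"FEAT", b"SYST"}

def browser_proxy_request(url: str) -> bytes:
    """First bytes a browser sends to a configured HTTP proxy for url: an HTTP request
    in absolute-URI form (RFC 2616 section 5.1.2), whatever the URL scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "ftp"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    return (f"GET {url} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")

def first_client_bytes(scheme: str) -> bytes:
    """First bytes a non-proxy-aware client sends to the origin, i.e. what arrives on a
    socket that netfilter REDIRECTed to a proxy without the client knowing."""
    if scheme == "http":
        return b"GET / HTTP/1.1\r\nHost: ftp.mozilla.org\r\n\r\n"
    if scheme == "ftp":
        return b""          # an FTP client waits for the server's 220 greeting first
    raise ValueError(scheme)

def classify(data: bytes) -> str:
    """What the accepting proxy sees on the wire: 'http-proxy-ftp' (HTTP request naming
    an ftp:// URL, which Squid can fetch), 'http', 'ftp' (raw FTP command, needs an
    FTP-speaking proxy such as frox or jftpgw), 'silent' (client is waiting for a
    greeting) or 'unknown'."""
    if not data:
        return "silent"
    line = data.split(b"\r\n", 1)[0]
    fields = line.split(b" ")
    if len(fields) == 3 and fields[2].startswith(b"HTTP/"):
        return "http-proxy-ftp" if fields[1].lower().startswith(b"ftp://") else "http"
    if fields[0].upper() in FTP_COMMANDS:
        return "ftp"
    return "unknown"

def transparent_redirect_outcome(scheme: str, proxy: str) -> str:
    """Outcome of REDIRECTing a non-proxy-aware client's port-80/port-21 connection to
    proxy: 'squid' (HTTP only on the client side) or 'ftp-proxy' (sends a 220 greeting,
    then speaks FTP, as frox and jftpgw do)."""
    kind = classify(first_client_bytes(scheme))
    if proxy == "squid":
        return "served" if kind in ("http", "http-proxy-ftp") else "hangs until timeout: both sides wait"
    if proxy == "ftp-proxy":
        return "served" if scheme == "ftp" else "protocol mismatch"
    raise ValueError(proxy)

if __name__ == "__main__":
    req = browser_proxy_request("ftp://ftp.mozilla.org/pub/")
    print(req.decode("ascii"), "->", classify(req))
    for scheme, proxy in (("http", "squid"), ("ftp", "squid"), ("ftp", "ftp-proxy")):
        print(f"REDIRECT {scheme} -> {proxy}: {transparent_redirect_outcome(scheme, proxy)}")
```

This is also why the tcpdump in Eduardo's message shows FTP only on the firewall's external interface: the browser-to-Squid leg carries HTTP, and the ftp:// part of the URL is just text inside the GET request-line.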
Eduardo Ferreira
2005-Feb-22 17:29 UTC
Re: FTP Transparent Proxy from Local To Net Through DMZ
Tom Eastep wrote on 22/02/2005 14:22:43:
> It can proxy FTP from a browser when the browser is configured to use
> Squid as a proxy, yes.
>
> If you trace the communication between the browser and the proxy, you'll
> find that port 80 is being used, not port 21. I think you'll determine
> that, as the FAQ says, FTP is spoken only on the server side.

I stand corrected.