On Thursday 08 February 2001 23:35, Nix wrote:
At 12:00 PM 9/02/2001, you wrote:
On Thursday 08 February 2001 20:27, you wrote:
At 10:31 PM 5/02/2001, you wrote:
Ftp will only work as ftp over http (e.g. the ftp your browser uses)
This is only partially correct. It is actually not possible to transparently redirect ftp due to the number of ports it uses.
This is only partially correct. You can't transparently redirect active ftp, but I guess it's possible to do it with passive ftp, just with some PASV tricks. Take a look at suseproxysuite, it _almost_ implements it.
Nope.. I run SuSE proxy suite.. It doesn't do this AT ALL. It is simply an ftp proxy. NOT a transparent one, although they may be adding this in future, I'm not sure.
Well, I run SuSE proxy suite 1.7 and if you take a look at the file TRANSPARENT_PROXY.txt with the docs you'll see that it's possible, but it's unstable code. You can also take a look at mmtcpfw, an ftp proxy/tcp redirector
Transparent redirection is quite different to transparent proxying!!! What you are suggesting with "some PASV tricks" would definitely NOT be a firewall rule but rather an application-level proxy (like TIS) in conjunction with packet filter rules..
OK, I really misunderstood when you said transparent redirection. SuSE Proxy Suite and TIS are application level + some ip level redirection. Passive ftp uses predictable ports so you can redirect it. But you must intercept PORT/PASV, LPRT/LPSV and EPRT/EPSV and rewrite accordingly. I know it's application level, but so is mod_masq_ftp. This is the PASV trick I was talking about. AFAIK, except for some terminology (proxy, redirection, ip, application), it's possible to redirect passive ftp traffic this way. []s Davi
TIS in fact CAN transparently proxy active ftp. My last email was pointing out that there is currently no way to do this on Linux without TIS, which does not have a viable license for most people.
You can transparently proxy ftp, but not with squid. The only transparent ftp proxy that currently works on Linux (that I know of) is the one in the TIS Firewall Toolkit (http://www.tis.com) (This is the same one that is in gauntlet firewall on solaris) TIS has a very restrictive licence, basically you have to be an educational institution, or you have to buy gauntlet.
You may wish to wait for SuSE 7.1 with kernel 2.4.x with all the netfilter and iptables stuff as it is much more powerful. I had a long talk to Rusty and one of the other Linux firewall people at http://linux.conf.au and Rusty is talking about adding some transparent application level proxies to netfilter, but this probably will not happen for 6 months. (Rusty is the guy who wrote IPCHAINS as well as NETFILTER and IPTABLES and all the associated kernel bells and whistles) I hope he does do this in the near future, as it will mean linux has something that NO other OS does except Solaris with the addition of Gauntlet. (I have offered to do the documentation of some of this stuff for him, so you can be sure that I'll let you know when it happens :-)
So, to clarify, you CAN transparently redirect ftp over http by virtue that it is a http stream, however the only way to make your browser do ftp over http instead of normal ftp is to tell it that you have a proxy, which sorta defeats the purpose of transparent redirection. Sorry to give you the bad news... This is all in the squid doco if you feel like reading up on it more..
Cheers
--- Nix - nix@susesecurity.com http://www.susesecurity.com
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
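The thread agrees on one thing: the "PASV trick" is application-level work, because the data-connection endpoint is carried inside the control channel (PORT/PASV, LPRT/LPSV, EPRT/EPSV) and a packet filter alone cannot see or rewrite it. The following is an added worked example, not code from this thread, from SuSE Proxy Suite, mmtcpfw, mod_masq_ftp or TIS. It shows the control-channel part of a transparent FTP proxy: parse the six argument forms, rewrite them so the other side connects to a listener the proxy owns, and remember which proxy listener stands in for which real endpoint. Everything here is an assumption made for illustration: IPv4 only (LPRT/LPSV and EPRT/EPSV are handled in their IPv4 form), a proxy at 192.168.1.1 with a hypothetical data-port range 40000-40999, and the constructed sample lines in the test. The packet-filter redirection of port 21 to the proxy, and the actual socket relaying, are outside this block.

```python
"""Rewriting FTP data-channel negotiation at the application layer.

Added illustration of the "PASV trick": the proxy intercepts PORT/PASV,
LPRT/LPSV and EPRT/EPSV on the control channel, substitutes one of its own
listeners, and records the real endpoint it must relay to. IPv4 only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str   # dotted-quad IPv4 address
    port: int


def _from_hp(parts):
    """h1,h2,h3,h4,p1,p2 (six decimal strings) -> Endpoint (RFC 959 syntax)."""
    octets = [int(x) for x in parts]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad h1-h4,p1,p2 tuple: %r" % (parts,))
    return Endpoint(".".join(map(str, octets[:4])), octets[4] * 256 + octets[5])


def _to_hp(ep):
    return ",".join(ep.host.split(".") + [str(ep.port >> 8), str(ep.port & 0xFF)])


# Server replies announcing a listening data port. The regexes tolerate
# whatever text the server puts before the parenthesised argument.
PASV_RE = re.compile(r"^227 .*?\((\d+,\d+,\d+,\d+,\d+,\d+)\)")
LPSV_RE = re.compile(r"^228 .*?\(4,4,(\d+,\d+,\d+,\d+),2,(\d+,\d+)\)")   # RFC 1639, IPv4
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")                         # RFC 2428

REPLY_TEMPLATES = {
    "PASV": "227 Entering Passive Mode (%s).",
    "LPSV": "228 Entering Long Passive Mode (%s)",
    "EPSV": "229 Entering Extended Passive Mode (%s)",
}


def parse_server_reply(line, server_host):
    """(verb, Endpoint) for a 227/228/229 reply, else (None, None).
    EPSV carries only a port: the host is the control-connection peer."""
    m = PASV_RE.match(line)
    if m:
        return "PASV", _from_hp(m.group(1).split(","))
    m = LPSV_RE.match(line)
    if m:
        return "LPSV", _from_hp((m.group(1) + "," + m.group(2)).split(","))
    m = EPSV_RE.match(line)
    if m:
        return "EPSV", Endpoint(server_host, int(m.group(1)))
    return None, None


def parse_client_command(line):
    """(verb, Endpoint) for PORT/LPRT/EPRT, (verb, None) for any other command."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        return verb, _from_hp(arg.split(","))
    if verb == "LPRT":                      # LPRT af,hal,h1..h4,pal,p1,p2
        p = arg.split(",")
        if len(p) != 9 or p[0:2] != ["4", "4"] or p[6] != "2":
            raise ValueError("only IPv4 LPRT handled: %r" % line)
        return verb, _from_hp(p[2:6] + p[7:9])
    if verb == "EPRT":                      # EPRT |1|ip|port|
        f = arg.split("|")
        if len(f) != 5 or f[1] != "1":
            raise ValueError("only AF 1 (IPv4) EPRT handled: %r" % line)
        return verb, Endpoint(f[2], int(f[3]))
    return verb, None


def format_endpoint(verb, ep):
    """Render ep in the argument syntax of the given command or reply verb."""
    if verb in ("PORT", "PASV"):
        return _to_hp(ep)
    if verb in ("LPRT", "LPSV"):
        return "4,4,%s,2,%d,%d" % (",".join(ep.host.split(".")), ep.port >> 8, ep.port & 0xFF)
    if verb == "EPRT":
        return "|1|%s|%d|" % (ep.host, ep.port)
    if verb == "EPSV":
        return "|||%d|" % ep.port
    raise ValueError(verb)


class DataChannelTable:
    """Proxy-side state: which proxy listener stands in for which real endpoint.
    Port range and proxy address are assumptions for the example."""

    def __init__(self, proxy_host, first_port=40000, last_port=40999):
        self.proxy_host, self._next, self._last = proxy_host, first_port, last_port
        self.map = {}   # proxy listener Endpoint -> real Endpoint to relay to

    def _allocate(self, real):
        if self._next > self._last:
            raise RuntimeError("proxy data-port range exhausted")
        listener = Endpoint(self.proxy_host, self._next)
        self._next += 1
        self.map[listener] = real
        return listener

    def relay_server_reply(self, line, server_host):
        """Server -> client direction: point the client at a proxy listener."""
        verb, real = parse_server_reply(line, server_host)
        if verb is None:
            return line
        return REPLY_TEMPLATES[verb] % format_endpoint(verb, self._allocate(real))

    def relay_client_command(self, line):
        """Client -> server direction: point the server at a proxy listener."""
        verb, real = parse_client_command(line)
        if real is None:
            return line
        return "%s %s" % (verb, format_endpoint(verb, self._allocate(real)))
```

The table is the part that makes the proxy "transparent" from the endpoints' point of view: when a client later opens a connection to 192.168.1.1:40000, the proxy looks that listener up, opens its own connection to the recorded real endpoint, and relays bytes. The caveat the thread circles around still holds: every one of these rewrites is a parse of the control channel, so it belongs in an application-level proxy, and the kernel packet filter's only job is to steer port 21 to it.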