Hi!

On Thu, Jun 28, 2001 at 08:02:45AM -0400, Brett Lee wrote:
> On Thu, 28 Jun 2001, Marius Tomaschewski wrote:
> > On Tue, Jun 26, 2001 at 11:39:17AM -0400, Brett wrote:
> > > Can someone tell me what configuration option specifies who can
> > > connect? I do not have tcp wrappers compiled in.
> > >
> > > Thanks.
> > >
> > > linux.ndr.com:/etc/proxy-suite# grep ftp /etc/inetd.conf
> > > #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
> > > ftp stream tcp nowait root /usr/local/proxy-suite/ftp-proxy ftp-proxy
> > > # Tftp service is provided primarily for booting. Most sites
> > > #tftp dgram udp wait root /usr/sbin/tcpd in.tftpd
> > > linux.ndr.com:/etc/proxy-suite# /usr/local/proxy-suite/ftp-proxy -c
> > > Config-Section ------ '(-global-)'
> > > Config: AllowMagicUser = 'yes'
> > > Config: DenyMessage = '/etc/proxy-suite/ftp-deny.txt'
> >                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > Config: DenyString = 'Service out of order'
> >                        ^^^^^^^^^^^^^^^^^^^^^^
> >
> > Leave these options out. They cause the proxy to say "Service out of
> > order" to all clients trying to connect. That's all.
>
> Thanks, but, I don't want to let _all_ clients connect. Only those on
> the inside of our firewall. We want to use this proxy as a way to put
  ^^^^^^^^^^^^^^^^^^^^^^^^^^
OK, this is your intention.

> files we have created onto other sites' ftp servers. I realize that the
> proxy suite is primarily for incoming ftp, but we want to use it
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
Not really. It supports both directions.

> exclusively for outgoing ftp (much like the fwtk @ www.tis.com). Have read
> _all_ the doc I can find 2-3 times, and can find nothing on this.

To use the proxy for outgoing connections you have to use the
transparent proxy (on a gateway) and/or magic-user feature:

    Listen 192.168.1.1 # IP of internal interface
    AllowTransProxy yes

and (optionally) allow your users to specify the destination
manually inside of the USER command (user[%host[:port]]):

    AllowMagicUser yes
    UseMagicChar %

See also TransProxy-Mini-Howto.txt in the source on our ftp server

    ftp://ftp.suse.com/pub/projects/proxy-suite/src/

You also have to apply the patch file to the source!

To restrict allowed clients, compile the proxy with tcp-wrapper
support, set "TCPWrapper yes" in the config file and define a list
of allowed clients in /etc/hosts.allow, i.e.:

    # first match wins:
    ftp-proxy: 192.168.0.0/255.255.0.0 : ALLOW
    ftp-proxy: ALL : DENY

See the hosts_access(5) and hosts_options(5) manual pages for
more information.

Additionally you can use an ip-filter rule to protect the proxy
(i.e. ipchains on Linux).

You may also set:

    SameAddress = yes
    PortResetsPasv = yes

> Finally, is this proxy-suite basically abandoned?

I do not understand what you mean.

Regards,
Marius Tomaschewski
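
An added example, not part of the original message or of proxy-suite: a simplified Python model of the "first match wins" evaluation of the two /etc/hosts.allow rules quoted above, for checking which client addresses the list admits before relying on it. The function names are hypothetical; it covers only the ALL and net/mask client forms and assumes an empty /etc/hosts.deny, in which case hosts_access(5) grants access to unmatched clients.

```python
import ipaddress

# The rules from the reply above, as they would appear in /etc/hosts.allow.
HOSTS_ALLOW = """\
# first match wins:
ftp-proxy: 192.168.0.0/255.255.0.0 : ALLOW
ftp-proxy: ALL : DENY
"""

def parse_rules(text):
    """Return (daemon, client_pattern, action) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        # Without an explicit option, a hosts.allow match grants access.
        action = fields[2].upper() if len(fields) > 2 else "ALLOW"
        rules.append((fields[0], fields[1], action))
    return rules

def client_matches(pattern, addr):
    """Match the client forms used on this page: ALL and net/mask."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr  # single literal address

def decide(text, daemon, addr):
    """First matching rule wins; no match falls through to the default."""
    for rule_daemon, pattern, action in parse_rules(text):
        if rule_daemon in (daemon, "ALL") and client_matches(pattern, addr):
            return action
    # Assumption: /etc/hosts.deny is empty, so an unmatched client is allowed.
    return "ALLOW"

if __name__ == "__main__":
    # Constructed sample clients: two internal, two external.
    for ip in ("192.168.1.20", "192.168.200.7", "10.0.0.5", "203.0.113.9"):
        print(ip, decide(HOSTS_ALLOW, "ftp-proxy", ip))
```

Dropping the final "ALL : DENY" line, or placing it first, changes the outcome for every client, which is why the rule order matters.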