Hi there!

I've got some more questions, after having messed around with the proxy some more and read what you said, Marius. And, what you said makes sense...

On Thu, 14 Jun 2001, Marius Tomaschewski wrote:
On Thu, Jun 14, 2001 at 10:30:56AM -0700, Louis W. Erickson wrote:
On Wed, 13 Jun 2001 13:11:28 +0200, Marius Tomaschewski wrote:
Hi!
[snip]
The version from ftp://ftp.suse.com/pub/projects/proxy-suite/src/ ?
-rw-r--r-- 1 suse suse 1505 Jun 7 07:18 CHANGES.mt
-rw-r--r-- 1 suse suse 491 Jun 7 07:18 build-freebsd4.sh
-rw-r--r-- 1 suse suse 789 Jun 7 07:18 build-solaris7.sh
-rw-r--r-- 1 suse suse 81749 Jun 7 07:18 proxy-suite-1.7.dif
-rw-r--r-- 1 suse suse 170793 Jun 7 07:18 proxy-suite-1.7.tar.gz
Yes, that is the one I'm using.
I don't think I need TranslateAddress. The proxy should be the one who talks to each side, and it is running on the firewall, which can get to both internal and external address directly.
No, I was only confused by something :-)
It's easy to get confused when talking about proxies and clients and servers. =). I may need TranslateAddress after all; I don't know yet. [snip]
= Louis Erickson = Marius Tomaschewski
The FTP server has a data connection to the proxy. The proxy should now make a data connection to the client. This is from the debug logs:
09:47:40 < 348> try to con-bind Cli-Data to 192.168.0.250:20
09:48:54 < 348> TECH-ERR can't connect Cli-Data for 158.252.208.8 (errno=60 [Connection timed out])
Now, it looks like it's trying to bind the client data port to 192.168.0.250:20.
In ftp-client.c, in the function client_xfer_fireup(), it seems to make the connection for the active FTP connection. It calls socket_d_connect with ctx.cli_addr and ctx.cli_port again.
The debug output says this is 192.168.0.250, port 20. Why is it not the client address/port of 158.252.208.8:1577 that was stored in the PORT command above?
192.168.0.250 is the proxy-server's own IP address.
It _binds_ to port 20 in active mode and uses this bound socket to _connect_ to the client (as set in PORT command).
Your client will get a connect from proxy, port 20 to the port the client has set in its port command. This seems to be not possible, so it times out (bind 09:47:40, error 09:48:54).
Your firewall should allow connections from proxy, port 20 ===> client, port > 1024
Or you can set the active port range to other ports (or 0 to use a dynamic port).
Have I misunderstood? In active FTP, a PORT command from the client tells the server to connect to the client, who listens. The proxy needs to connect back to the client. Instead, it appears to be trying to connect to itself.
No, it only binds the socket before connect so the client gets a connect from proxy, port 20.
Okay. What I was misreading is the bind call as the connect call, and you're exactly right. I added a little more output to my copy here, and the bind works perfectly. It's the connection that fails, and I think I know why. What to do about it, I don't know. Let me explain, and maybe you have an answer, or can tell me where I've missed something.

What confused me above is the binding to 192.168.0.250; the IP of the firewall. The proxy binds to that port, and then tries to connect to the client. However, the NIC at 192.168.0.250 can't connect to outside clients.

The firewall has several interfaces. The 192.168.0.250 interface doesn't route to that network; another, with the IP address 63.205.237.162 does. So, for the proxy to listen and be accessible to the client for passive mode, or to connect to the client, it needs to bind to the other interface. (Well, one of the other interfaces. There are several.)

Checking with netstat shows that anything talking to the 192.168.x.x addresses has to use the 192.168.0.250 address, and anything talking to the outside world has to use the 63.205.237.162 address.

I tried the Listen option in the configuration file, which didn't change what port the proxy bound to to connect out from.

Is there a way to get the proxy to bind to one interface for the server, and another for the client? Or, have I missed something else?

Thank you again for all the help. I've sent you several complex messages, and you've taken the time to answer them with enough detail to help me continue to work on this problem. Not every mailing list or author is so helpful, and I very much appreciate it.

--
Louis Erickson - wwonko@rdwarf.com - http://www.rdwarf.com/~wwonko/
Help a swallow land at Capistrano.
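
The bind-then-connect behaviour discussed in this thread, as an added example (not code from proxy-suite or from either poster): the socket is bound to a chosen local address and port before connect(), and the listening side sees exactly that source. The names bound_connect and peer_sees_bound_source and the loopback addresses are assumptions made for the demo; port 0 requests a dynamic port so it runs unprivileged.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an IPv4 socket address from a dotted quad and a host-order port. */
static struct sockaddr_in mkaddr(const char *ip, unsigned short port) {
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

/* Hypothetical helper: bind to src_ip:src_port, then connect to dst. */
int bound_connect(const char *src_ip, unsigned short src_port,
                  const struct sockaddr_in *dst) {
    struct sockaddr_in src = mkaddr(src_ip, src_port);
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0) {
        close(fd);              /* bind or connect failed */
        return -1;
    }
    return fd;
}

/* Constructed loopback test: 1 if the listener sees the bound source. */
int peer_sees_bound_source(void) {
    struct sockaddr_in la = mkaddr("127.0.0.1", 0), local, peer;
    socklen_t len = sizeof la;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd, afd, ok;
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&la, sizeof la) < 0 ||
        listen(lfd, 1) < 0) return -1;
    getsockname(lfd, (struct sockaddr *)&la, &len);    /* learn listener port */
    if ((cfd = bound_connect("127.0.0.1", 0, &la)) < 0) return -1;
    len = sizeof local;
    getsockname(cfd, (struct sockaddr *)&local, &len); /* what bind() chose */
    len = sizeof peer;
    afd = accept(lfd, (struct sockaddr *)&peer, &len); /* what the peer sees */
    ok = afd >= 0 && peer.sin_port == local.sin_port &&
         peer.sin_addr.s_addr == local.sin_addr.s_addr;
    close(afd); close(cfd); close(lfd);
    return ok;
}

int main(void) { return peer_sees_bound_source() == 1 ? 0 : 1; }
```

Because the peer and any packet filter in between see the bound address and port as the source, firewall rules for the data connection have to be written against that pair.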