On Tue, Nov 15, 2005 at 08:24:23AM -0100, Markus Weber wrote:
> Hello,

Hello!

> Could I cascade the ftp-proxy so that I can install one in the internal net (where the users have to connect to) and one in the DMZ? A problem there is that we have another DNS root in the internal net than in the DMZ, so the hostname lookups fail.
> For many years we have used Squid for HTTP and for download FTP, but now I have to break my brain about the ability of uploading FTP to hosts in the Internet. Does someone have a sample of the config files?

You can cascade the ftp-proxy in transparent proxy mode (see
TransProxy-Mini-Howto.txt) but this has a requirement, that
the proxy runs on a gateway (e.g. on intern<->dmz fw).
Another way that may work for you is to configure the internal
proxy to always connect to the dmz proxy ("inbound" mode setup)
using:

  DestinationAddress ip-of-dmz-ftp-proxy

and configure the dmz proxy to use the magic user feature:

  AllowMagicUser yes
  # or
  #ForceMagicUser yes
  UserMagicChar %
  TCPWrapperName ftp-proxy

This allows a user to connect to the internal proxy (that
forwards all requests to the dmz proxy) and specify the ftp
server destination in the username (USER command), e.g.:

  ftp%ftp-server.domain.top

The dmz proxy will resolve the IP of ftp-server.domain.top
and connect to it.

! Note that you have to protect the proxy in the DMZ !

You can use TCPWrapper (/etc/hosts.allow) and proper filter
rules on your firewalls to make sure only your internal
network is able to connect to the proxy in the dmz.
Everybody that is able to connect the dmz proxy can specify e.g.
ftp%
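
An added example, not part of the original mail or of the ftp-proxy project: a small audit that checks whether a DMZ proxy with the magic user feature enabled is also restricted through TCP wrappers, as the reply recommends. It assumes the "Name value" option syntax shown above and the standard "daemons : clients" rule format of hosts.allow and hosts.deny; the function names, the 192.168.10. network and the file contents are constructed for illustration.

```python
# Added example: audit a DMZ ftp-proxy config plus TCP wrapper files.
# Assumption: options are "Name value" lines and "#" starts a comment,
# as in the snippet quoted in the mail. File contents below are constructed.

def parse_conf(text):
    """Return {option_lowercase: value} from an ftp-proxy style config."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("["):
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def client_lists(text, daemon):
    """Client lists of 'daemons : clients' rules that name daemon or ALL.
    Simplified: no line continuations or bracketed IPv6 addresses."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        if daemon in daemons or "ALL" in daemons:
            out.append(fields[1].replace(",", " ").split())
    return out

def audit(conf, hosts_allow, hosts_deny):
    """Return findings for a proxy that accepts user%host destinations."""
    opts = parse_conf(conf)
    magic = any(opts.get(k, "no").lower() == "yes"
                for k in ("allowmagicuser", "forcemagicuser"))
    if not magic:
        return []
    daemon = opts.get("tcpwrappername")
    if not daemon:
        return ["magic user enabled but TCPWrapperName is not set"]
    findings = []
    if any("ALL" in c for c in client_lists(hosts_allow, daemon)):
        findings.append(f"hosts.allow lets ALL clients reach {daemon}")
    if not any("ALL" in c for c in client_lists(hosts_deny, daemon)):
        findings.append(f"hosts.deny has no catch-all rule for {daemon}")
    return findings

DMZ_CONF = "AllowMagicUser yes\nUserMagicChar %\nTCPWrapperName ftp-proxy\n"
if __name__ == "__main__":
    # Constructed wrapper files: internal net 192.168.10.x only, deny the rest.
    print(audit(DMZ_CONF, "ftp-proxy: 192.168.10.\n", "ALL: ALL\n"))
    print(audit(DMZ_CONF, "ftp-proxy: ALL\n", ""))
```

An empty result only covers the wrapper files; the firewall filter rules mentioned in the reply still have to be checked separately.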