On Sun, Oct 22, 2000 at 07:04:51PM -0700, Volker Wiegand wrote:
Hi,
Hi!
I am currently a little bit overloaded, but I believe Marius can help you find the answer. Marius, would you be so kind as to answer Simon?
Kind regards Volker
On Fri, 13 Oct 2000 STCassling@somerset.gov.uk wrote:
Hello Volker,
I realise you probably get many e-mails but if you get the time to reply I would greatly appreciate it. The requirement we have is to proxy internal FTP clients to the Internet (where we can therefore control what sites they can FTP to).
I plan to implement direct support for destination control, but at the moment it is not supported by the proxy itself.
I have tried to configure the ftp-proxy software but am currently getting the following error "TECH-ERR can't get peername for socket 0" - I have
I need more info to say anything about it, i.e. the config file and log / debug output.
looked through the proxy-suite archive lists and although the question has been raised before there appears to be no answer, I have also noticed in the lists reference to a file "TRANSPARENT_PROXY.txt" but
The transparent proxy version is not "official" at the moment.
You can get it from:
http://www.suse.de/~mt/proxy-suite/
5894d4c80888bcfa4cb2e345676dc69e fwproxy-1.7tp3-0.i386.rpm
3522e255e0d8bf5f106def52246d0c49 fwproxy-1.7tp3-0.src.rpm
With this "transparent-version" you can control the destinations
with ipchains. You simply redirect allowed destinations to the
proxy and deny all others...
For example, if your local network is 192.168.1.0/24 and the proxy
(= gateway) with the ftp-proxy is 192.168.1.254 you can do something
like this (a shell script):
    allow_dest="/etc/proxy-suite/allowed-destinations"
    LOCALNET="192.168.1.0/24"
    LOCAL_IP="192.168.1.254"
    LOG="-l"

    # ipchains accepts port numbers only together with -p tcp (or udp)
    # no direct connections to the proxy port itself
    ipchains -A input -p tcp -s $LOCALNET -d $LOCAL_IP 21 -j REJECT $LOG
    ipchains -A input -p tcp -s ! $LOCALNET -d $LOCAL_IP 21 -j DENY $LOG

    # redirect every allowed destination to the local proxy on port 21
    if test -f "$allow_dest" ; then
        while read xdest xport ; do
            dest=${xdest%%\#*}    # strip comments
            port=${xport%%\#*}
            test -z "$dest" && continue
            test -z "$port" && port=21
            ipchains -A input -p tcp -s $LOCALNET -d $dest $port -j REDIRECT 21 $LOG
        done < "$allow_dest"
    else
        echo "can not read file $allow_dest" 1>&2
    fi

    # everything else on the FTP port is refused
    ipchains -A input -p tcp -s $LOCALNET -d 0/0 21 -j REJECT $LOG
    ipchains -A input -p tcp -s ! $LOCALNET -d 0/0 21 -j DENY $LOG
In /etc/proxy-suite/allowed-destinations you enter all IPs
(and optionally also the port) your users can connect to via
the proxy:
#
#
there is no copy of that on my installation (version 7 with the latest rpm update for ftp-proxy) - although I have found a version in German on the web, which leads me on to my second question - am I using the right tool for what I am trying to achieve or should I be using some sort of ipchains/masquerading set-up etc. Please be aware I am not a Unix/Linux expert but am a keen amateur trying to push Linux where possible/safe into our work environment to gain greater acceptance of the platform.
Many thanks for your time - again, any help or pointers would be greatly appreciated.
Regards, Simon Cassling
-- Freundschaftlich / With kind regards Volker
--
Volker Wiegand                    Voice:  +1-510-628-3380 ext 5029
SuSE Inc.                         Fax:    +1-510-628-3381
580 Second Street, Suite 210      Mobile: +1-510-333-9248
Oakland, CA 94607 USA             E-Mail: wiegand@suse.com
--
Gruesse,
Marius Tomaschewski
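
A dry-run check for the allowed-destinations file described in the mail above, as an added example that is not part of the original message or of proxy-suite: it validates each entry and prints the REDIRECT rule it would produce, so a wildcard or malformed line is caught before any rule is loaded. The function names, the strict "single IPv4 host, numeric port" policy and the sample entries are assumptions; the sample addresses are constructed.

```shell
# Added example, not from the original mail. Function names, the strictness
# of the checks and the sample entries are assumptions / constructed.
LOCALNET="192.168.1.0/24"

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet 0..255.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# rule_for LINE: print the REDIRECT rule for one entry, print nothing for a
# blank or comment line, return 1 for an entry that must not be loaded.
rule_for() {
    entry=${1%%\#*}                       # drop the trailing comment
    set -f; set -- $entry; set +f         # split into fields, no globbing
    [ $# -eq 0 ] && return 0
    [ $# -le 2 ] || return 1
    dest=$1; port=${2:-21}
    valid_ipv4 "$dest" || return 1        # refuses 0/0, masks, hostnames
    case "$port" in *[!0-9]*) return 1 ;; esac
    [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # -p tcp: ipchains accepts port numbers only together with a protocol
    echo "ipchains -A input -p tcp -s $LOCALNET -d $dest $port -j REDIRECT 21 -l"
}

# preview: rules for stdin entries; rejects go to stderr and give status 1.
preview() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        rule_for "$line" || { echo "line $n rejected: $line" >&2; bad=1; }
    done
    return $bad
}

# Constructed sample file content (documentation address ranges).
sample_entries() {
    cat <<'EOF'
192.0.2.10                # port defaults to 21
198.51.100.7 2121
0/0                       # wildcard would redirect every destination
203.0.113.5 99999
EOF
}

sample_entries | preview || echo "rejected entries found, rules not loaded" >&2
```

Run `preview < /etc/proxy-suite/allowed-destinations` and load the rules only when it exits with status 0.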