Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] Transparent proxy ...
On Thursday 08 February 2001 23:35, Nix wrote:
> At 12:00 PM 9/02/2001, you wrote:
> >On Thursday 08 February 2001 20:27, you wrote:
> > > At 10:31 PM 5/02/2001, you wrote:
> > > >Ftp will only work as ftp over http (e.g. the ftp your browser uses)
> > >
> > > This is only partially correct. It is actually not possible to
> > > transparently redirect ftp due to the number of ports it uses.
> >
> >This is only partially correct. You can't transparently redirect active
> > ftp, but I guess it's possible to do it with passive ftp, just with some
> > PASV tricks.
> >Take a look at suseproxysuite, it _almost_ implements it.
>
> Nope.. I run SuSE proxy suite.. It doesn't do this AT ALL.
> It is simply an ftp proxy. NOT a transparent one, although
> they may be adding this in future, I'm not sure.
>

Well, I run SuSE proxy suite 1.7 and if you take a look at the file
TRANSPARENT_PROXY.txt with the docs you'll see that it's possible, but it's
unstable code.
You can also take a look at mmtcpfw, an ftp proxy/tcp redirector.

> Transparent redirection is quite different to transparent proxying!!!
> What you are suggesting with "some PASV tricks" would definitely
> NOT be a firewall rule but rather an application level proxy (like TIS)
> in conjunction with packet filter rules..

OK, I really misunderstood when you said transparent redirection. SuSE Proxy
Suite and TIS are application level + some ip level redirection.

Passive ftp uses predictable ports, so you can redirect it. But you must
intercept PORT/PASV, LPRT/LPSV and EPRT/EPSV and rewrite accordingly.
I know it's application level, but so is mod_masq_ftp.
This is the PASV trick I was talking about.
AFAIK, except for some terminology (proxy, redirection, ip, application),
it's possible to redirect passive ftp traffic this way.

[]s
Davi

>

> TIS in fact CAN transparently proxy active ftp. My last email was pointing
> out that there is currently no way to do this on Linux without TIS which
> does not have a viable license for most people.
>
> > > You can transparently proxy ftp, but not with squid.
> > > The only transparent ftp proxy that currently works on Linux (that I
> > > know of) is the one in the TIS Firewall Toolkit (http://www.tis.com)
> > > (This is the same one that is in gauntlet firewall on solaris) TIS has
> > > a very restrictive license, basically you have to be an educational
> > > institution, or you have to buy gauntlet.
> > >
> > > You may wish to wait for SuSE 7.1 with kernel 2.4.x with all the
> > > netfilter and iptables stuff as it is much more powerful. I had a long
> > > talk to Rusty and one of the other Linux firewall people at
> > > http://linux.conf.au and Rusty is talking about adding some transparent
> > > application level proxies to netfilter, but this probably will not
> > > happen for 6 months. (Rusty is the guy who wrote IPCHAINS as well as
> > > NETFILTER and IPTABLES and all the associated kernel bells and
> > > whistles) I hope he does do this in the near future, as it will mean
> > > linux has something that NO other OS does except Solaris with the
> > > addition of Gauntlet. (I have offered to do the documentation of some
> > > of this stuff for him, so you can be sure that I'll let you know when
> > > it happens :-)
> > >
> > > So, to clarify, you CAN transparently redirect ftp over http by virtue
> > > of the fact that it is an http stream, however the only way to make
> > > your browser do ftp over http instead of normal ftp is to tell it that
> > > you have a proxy, which sorta defeats the purpose of transparent
> > > redirection. Sorry to give you the bad news...
> > > This is all in the squid doco if you feel like reading up on it more..
> > >
> > > Cheers
> > >
> > >
> > > ---
> > > Nix - nix@xxxxxxxxxxxxxxxx
> > > http://www.susesecurity.com
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> > > For additional commands, e-mail: suse-security-help@xxxxxxxx
>
> ---
> Nix - nix@xxxxxxxxxxxxxxxx
> http://www.susesecurity.com
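The "PASV trick" Davi describes above (intercept PORT/PASV and EPRT/EPSV on the control channel and rewrite the announced endpoint so both sides talk to the proxy) is easy to get wrong in a way that turns the proxy into an FTP bounce relay. The following is an added illustration, not code from this thread, from SuSE Proxy Suite, TIS or mmtcpfw. It handles only the IPv4 forms of PORT/PASV and EPRT/EPSV (LPRT/LPSV are left out), does no socket I/O, and assumes a hypothetical layout where `proxy_ip` is the address the proxy announces, `client_ip`/`server_ip` are the peers of the control connection, and `relays` is the table a real data-channel listener would consult. The addresses and ports in the usage block are constructed sample values.

```python
"""Hypothetical control-channel rewriter for a transparent FTP proxy.

The proxy sits on the FTP control connection, watches for the commands and
replies that announce a data-channel endpoint, and rewrites them so that the
data connection lands on the proxy, which then relays to the real endpoint.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Server reply 227 (PASV) and 229 (EPSV); client commands PORT and EPRT (IPv4 only).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([\d.]+)\|(\d+)\|\s*$", re.I)


def decode_hostport(fields) -> Optional[Tuple[str, int]]:
    """Turn the six decimal fields of PORT / 227 into (ip, port); None if malformed."""
    h = [int(x) for x in fields]
    if any(v > 255 for v in h):
        return None
    return "%d.%d.%d.%d" % tuple(h[:4]), (h[4] << 8) | h[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class DataChannelRewriter:
    """Rewrites data-channel announcements for one control connection (hypothetical)."""

    def __init__(self, proxy_ip: str, client_ip: str, server_ip: str,
                 proxy_ports: Iterable[int]):
        self.proxy_ip = proxy_ip        # address the proxy announces to either side
        self.client_ip = client_ip      # peer of the control connection, client side
        self.server_ip = server_ip      # peer of the control connection, server side
        self._ports = iter(proxy_ports) # pool of ports the proxy may listen on
        # proxy listening port -> real (ip, port) the proxy must relay to
        self.relays: Dict[int, Tuple[str, int]] = {}

    def _allocate(self, real_ip: str, real_port: int) -> int:
        proxy_port = next(self._ports)
        self.relays[proxy_port] = (real_ip, real_port)
        return proxy_port

    @staticmethod
    def _endpoint_ok(ip: str, port: int, expected_ip: str) -> bool:
        # Accept only endpoints on the same host as the control connection and
        # outside the privileged port range; anything else would let one party
        # steer the proxy's data connection at a third host (FTP bounce).
        return ip == expected_ip and 1024 <= port <= 65535

    def rewrite_server_reply(self, line: str) -> Optional[str]:
        """Rewrite a 227/229 reply from the server; None means refuse the line."""
        m = PASV_RE.match(line)
        if m:
            ep = decode_hostport(m.groups())
            if ep is None or not self._endpoint_ok(ep[0], ep[1], self.server_ip):
                return None
            p = self._allocate(ep[0], ep[1])
            return "227 Entering Passive Mode (%s)\r\n" % encode_hostport(self.proxy_ip, p)
        m = EPSV_RE.match(line)
        if m:
            port = int(m.group(1))  # EPSV carries no address: it is the control peer
            if not self._endpoint_ok(self.server_ip, port, self.server_ip):
                return None
            p = self._allocate(self.server_ip, port)
            return "229 Entering Extended Passive Mode (|||%d|)\r\n" % p
        return line  # not a data-channel announcement: pass through untouched

    def rewrite_client_command(self, line: str) -> Optional[str]:
        """Rewrite a PORT/EPRT command from the client; None means refuse the line."""
        m = PORT_RE.match(line)
        if m:
            ep = decode_hostport(m.groups())
            if ep is None or not self._endpoint_ok(ep[0], ep[1], self.client_ip):
                return None
            p = self._allocate(ep[0], ep[1])
            return "PORT %s\r\n" % encode_hostport(self.proxy_ip, p)
        m = EPRT_RE.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            if not self._endpoint_ok(ip, port, self.client_ip):
                return None
            p = self._allocate(ip, port)
            return "EPRT |1|%s|%d|\r\n" % (self.proxy_ip, p)
        return line


if __name__ == "__main__":
    # Constructed sample session: proxy 10.0.0.1, client 192.0.2.5, server 198.51.100.7.
    rw = DataChannelRewriter("10.0.0.1", "192.0.2.5", "198.51.100.7", [40000, 40001])
    print(rw.rewrite_server_reply("227 Entering Passive Mode (198,51,100,7,7,211).\r\n"))
    print(rw.rewrite_client_command("PORT 192,0,2,5,200,1\r\n"))
    print(rw.rewrite_server_reply("227 Entering Passive Mode (203,0,113,9,7,211)\r\n"))
    print(rw.relays)
```

A `None` result is the case worth handling explicitly in a real proxy: the announced endpoint belongs to a host other than the control peer, so the right reaction is to refuse the command (or close the session), not to relay to wherever the line pointed. The `relays` table is all the data-channel side needs: when a connection arrives on proxy port `p`, it opens a connection to `relays[p]` and copies bytes in both directions.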
