Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] Transparent proxy ...
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Fri, 09 Feb 2001 12:35:37 +1100
  • Message-id: <5.0.2.1.0.20010209122417.00a7e6b8@xxxxxxxxxxxxxxxxxxxx>
At 12:00 PM 9/02/2001, you wrote:
On Thursday 08 February 2001 20:27, you wrote:
> At 10:31 PM 5/02/2001, you wrote:
> >Ftp will only work as ftp over http (e.g. the ftp your browser uses)
>
> This is only partially correct. It is actually not possible to
> transparently redirect ftp due to the number of ports it uses.
This is only partially correct. You can't transparently redirect active ftp,
but I guess it's possible to do it with passive ftp, just with some PASV
tricks.
Take a look at suseproxysuite, it _almost_ implements it.

Nope.. I run SuSE proxy suite.. It doesn't do this AT ALL.
It is simply an ftp proxy. NOT a transparent one, although
they may be adding this in future, I'm not sure.

Transparent redirection is quite different to transparent proxying!!!
What you are suggesting with "some PASV tricks" would definitely
NOT be a firewall rule but rather an application level proxy (like TIS)
in conjunction with packet filter rules..

TIS in fact CAN transparently proxy active ftp. My last email was pointing
out that there is currently no way to do this on Linux without TIS which does
not have a viable license for most people.

> You can transparently proxy ftp, but not with squid.
> The only transparent ftp proxy that currently works on Linux (that I know
> of) is the one in the TIS Firewall Toolkit (http://www.tis.com)
> (This is the same one that is in gauntlet firewall on solaris)
> TIS has a very restrictive licence, basically you have to be an
> educational institution, or you have to buy gauntlet.
>
> You may wish to wait for SuSE 7.1 with kernel 2.4.x with all the netfilter
> and iptables stuff as it is much more powerful. I had a long talk to Rusty
> and one of the other Linux firewall people at http://linux.conf.au and
> Rusty is talking about adding some transparent application level proxies to
> netfilter, but this probably will not happen for 6 months. (Rusty is the guy
> who wrote IPCHAINS as well as NETFILTER and IPTABLES and all the associated
> kernel bells and whistles)
> I hope he does do this in the near future, as it will mean linux has
> something that NO other OS does except Solaris with the addition of
> Gauntlet. (I have offered to do the documentation of some of this stuff for
> him, so you can be sure that I'll let you know when it happens :-)
>
> So, to clarify, you CAN transparently redirect ftp over http by virtue that
> it is a http stream, however the only way to make your browser do ftp over
> http instead of normal ftp is to tell it that you have a proxy, which sorta
> defeats the purpose of transparent redirection. Sorry to give you the bad
> news...
> This is all in the squid doco if you feel like reading up on it more..
>
> Cheers
>
>
> ---
> Nix - nix@xxxxxxxxxxxxxxxx
> http://www.susesecurity.com

---
Nix - nix@xxxxxxxxxxxxxxxx
http://www.susesecurity.com
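
The distinction drawn in this thread between port-level redirection and an application-level proxy comes down to FTP announcing its data-connection endpoint inside the control channel (the PORT command for active mode, the 227 reply for passive mode). The following sketch is an added example, not part of the original messages and not code from SuSE proxy suite or TIS; function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (RFC 959) and the 227 PASV reply
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_endpoint(line):
    """Return (ip, port) announced in a PORT command or 227 reply, else None."""
    if line[:4].upper() not in ("PORT", "227 "):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed field: refuse rather than guess
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_endpoint(ip, port):
    """Encode ip/port in the comma-separated form used on the control channel."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def rewrite_for_proxy(line, proxy_ip, proxy_port):
    """Replace the announced endpoint with the proxy's own listener.

    Returns (new_line, original_endpoint). The proxy has to remember
    original_endpoint so it can relay the data connection it now terminates;
    a packet-filter rule on port 21 never sees or changes this payload.
    """
    original = parse_endpoint(line)
    if original is None:
        return line, None  # not a data-channel negotiation: pass through
    new = _HOSTPORT.sub(encode_endpoint(proxy_ip, proxy_port), line, count=1)
    return new, original


# Constructed control-channel lines (documentation address ranges).
SAMPLES = [
    "USER anonymous\r\n",
    "PORT 192,0,2,10,19,137\r\n",                            # active: sent by client
    "227 Entering Passive Mode (198,51,100,7,195,80).\r\n",  # passive: sent by server
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(rewrite_for_proxy(s, "203.0.113.1", 40000))
```
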

