Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] Transparent proxy ...
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Fri, 09 Feb 2001 09:27:33 +1100
  • Message-id: <>
At 10:31 PM 5/02/2001, you wrote:
Ftp will only work as ftp over http (e.g. the ftp your browser uses)

This is only partially correct. It is actually not possible to transparently
redirect ftp due to the number of ports it uses.
You can transparently proxy ftp, but not with squid.
The only transparent ftp proxy that currently works on Linux (that I know
of) is the one in the TIS Firewall Toolkit (
(This is the same one that is in Gauntlet firewall on Solaris)
TIS has a very restrictive licence, basically you have to be an educational
institution, or you have to buy Gauntlet.

You may wish to wait for SuSE 7.1 with kernel 2.4.x with all the netfilter and
iptables stuff as it is much more powerful. I had a long talk to Rusty and
one of the other Linux firewall people at and Rusty is talking
about adding some transparent application level proxies to netfilter, but this probably
will not happen for 6 months. (Rusty is the guy who wrote IPCHAINS as well as
NETFILTER and IPTABLES and all the associated kernel bells and whistles)
I hope he does do this in the near future, as it will mean Linux has something that
NO other OS does except Solaris with the addition of Gauntlet. (I have offered to
do the documentation of some of this stuff for him, so you can be sure that I'll let
you know when it happens :-)

So, to clarify, you CAN transparently redirect ftp over http by virtue that it is a http
stream, however the only way to make your browser do ftp over http instead of normal
ftp is to tell it that you have a proxy, which sorta defeats the purpose of transparent
redirection. Sorry to give you the bad news...
This is all in the squid doco if you feel like reading up on it more..


Nix - nix@xxxxxxxxxxxxxxxx
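
Why one redirect rule cannot cover FTP, as an added example that is not part of the original post: the data port is negotiated inside the control channel, so a transparent FTP proxy has to parse each PORT command and 227/229 reply to learn where the next connection will go. The transcript is constructed and the function names are hypothetical.

```python
import re

# Constructed FTP control-channel lines (port 21), not captured traffic.
SAMPLE_CONTROL = [
    ("C", "USER anonymous"),
    ("C", "PORT 192,168,1,10,19,137"),
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,0,0,5,195,80)."),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50123|)"),
]

HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?" + HOSTPORT)
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")


def _endpoint(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoints(control_lines, server_ip):
    """Return [(mode, listener_ip, port)] negotiated on the control channel."""
    found = []
    for side, line in control_lines:
        m = PORT_RE.match(line) if side == "C" else None
        if m:  # active mode: the server connects back to the client
            found.append(("active",) + _endpoint(m.groups()))
            continue
        m = PASV_RE.match(line) if side == "S" else None
        if m:  # passive mode: the client opens a second connection
            found.append(("passive",) + _endpoint(m.groups()))
            continue
        m = EPSV_RE.match(line) if side == "S" else None
        if m:
            # EPSV carries only a port; the data connection goes to the server.
            found.append(("passive", server_ip, int(m.group(1))))
    return found


if __name__ == "__main__":
    for mode, ip, port in data_endpoints(SAMPLE_CONTROL, "10.0.0.5"):
        print(f"{mode:8s} data connection -> {ip}:{port}")
```

Each negotiated endpoint is a different ephemeral port, and in active mode the connection is opened in the opposite direction, which is what a fixed port redirect cannot anticipate.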
