Re: fully transparent ftp-proxy?

On Wed, Oct 30, 2002 at 08:41:12PM +0000, Roy Badami wrote:
> It seems to me that whilst it might require a minimal amount of kernel
> machinery to permit setup of the outgoing connection from the proxy,
> once established it is identical in nature to the incoming
> connection...
This could be solved with 'embryonic states', a separate list/tree of
state entries that lack certain parts (like source ports, which are
usually random and not known in advance). After the normal state lookup
(if it fails), but before the rule set evaluation, a matching embryonic
state would be completed and turn into a normal state.
Proxies could insert embryonic states instead of listening for incoming
connections, establishing connections and forwarding data between them.
Also, embryonic states could include all sorts of address/port
translations, so even connections established by the proxy (for instance
the ftp control connection) could appear to originate from the real
client address through a source address translation.
There are many ways proxies could use this feature, potentially making
the proxy code much shorter. But there are also security implications,
as a state entry bypasses all filter rules. But it's definitely something
I want to try. There are several problems to solve, like supporting
different kinds of incomplete states while keeping lookups efficient. If
they're solved, and the concept works and is safe, I guess ftp-proxy
could (optionally, if necessary) use that to become fully transparent.
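As an added illustration (not code from the post or from pf itself), a toy state table in Python that models the lookup order the reply proposes: an exact state lookup first, then a match against embryonic entries whose source port is unknown, which completes the entry into a normal state carrying its source address translation, and only then a fall-through to rule evaluation. All addresses, ports and the proxy scenario are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Key:
    proto: str
    src: str
    sport: Optional[int]   # None = not known yet; allowed only in embryonic entries
    dst: str
    dport: int

@dataclass
class State:
    key: Key
    nat_src: Optional[str] = None   # rewrite source address to this (e.g. the real client)

class StateTable:
    def __init__(self) -> None:
        self.states: Dict[Key, State] = {}   # complete states, exact 5-tuple match
        self.embryonic: List[State] = []     # incomplete states, source port wildcarded

    def insert_embryonic(self, proto: str, src: str, dst: str, dport: int,
                         nat_src: Optional[str] = None) -> None:
        # A proxy inserts this before it connects; the kernel will pick the source port.
        self.embryonic.append(State(Key(proto, src, None, dst, dport), nat_src))

    def lookup(self, pkt: Key) -> Tuple[Optional[State], str]:
        st = self.states.get(pkt)                     # 1. normal state lookup
        if st is not None:
            return st, "state"
        for e in self.embryonic:                      # 2. embryonic lookup
            k = e.key
            if (k.proto, k.src, k.dst, k.dport) == (pkt.proto, pkt.src, pkt.dst, pkt.dport):
                self.embryonic.remove(e)              # complete it: fill in the port
                full = State(pkt, e.nat_src)
                self.states[pkt] = full
                return full, "embryonic->state"
        return None, "rules"                          # 3. fall through to the rule set

def filter_packet(table: StateTable, pkt: Key, rules_default: str = "block") -> Tuple[str, str, str]:
    """Return (verdict, source address after translation, which path decided).

    Any state hit, embryonic or complete, bypasses the rule set entirely; that is the
    security implication the post raises, so only trusted proxies may insert entries.
    """
    st, path = table.lookup(pkt)
    if st is None:
        return rules_default, pkt.src, path   # toy stand-in for rule evaluation
    return "pass", st.nat_src or pkt.src, path
```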