
Re: fully transparent ftp-proxy?



> Is this correct, and if so, are there any plans to enhance it to be
> fully transparent?  Without a fully transparent proxy, the logs on an
> ftp server behind an openbsd firewall would be rendered useless.
The proxy is not intended for an ftp SERVER behind the firewall. It is
intended for FTP clients behind the firewall.
> It seems to me that whilst it might require a minimal amount of kernel
> machinery to permit setup of the outgoing connection from the proxy,
> once established it is identical in nature to the incoming
> connection...
Minimal? Not even close. It requires the kernel to fully emulate TCP
based on the information in the IP datagrams it is seeing. This is
almost assuredly impossible to do correctly, and is the basis for just
about every "open an arbitrary connection" attack on stateful
firewalls that I can think of.
So, no. There are no plans. Dangerous proxies like this one belong in
userland, period.
-kj