Re: ftp-proxy transparency

> On Sun, Dec 08, 2002 at 12:21:36AM +0600, Michael O. Boev wrote:
> > I have a SQUID proxy inside my network and I want it to make active
> > FTP-connections to the world (instead of, default, passive). And SQUID
> > refuses to accept the data connection from the ftp-proxy process,
> > that the connection comes from an unexpected address (from the proxying
> > machine, but not the target server). And it's not without reason, IMHO.
> To make ftp-proxy transparent like that, the data connections would have
> to appear to come from the external ftp server. So pf would have to
> translate the source address of the data connection from ftp-proxy to
> the ftp client (squid, in your case).
> For that, ftp-proxy would have to either insert and remove a temporary
> nat rule on the internal interface for each data connection, or use
> something like 'embryonic states' (search the list archive for a
> discussion of that). Neither is currently implemented.
Oh, yeah, temporary nat rules should solve the issue, I suppose.
Is the new "anchor" feature of PF intended for these types of rules, isn't
> But you can relax squid's checking of the source address of active data
> connections, using the 'ftp_sanitycheck' configuration option:
>   ftp_sanitycheck, default: on
Great! This seems an instant workaround. This option must be a very recent one,
since it didn't appear in my squid.conf, only in squid.conf.default. ))
Thanks for the help,