[squid-users] FTP proxy

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Dec 7 09:05:39 UTC 2020


>On 12/6/20 10:26 AM, Andrea Venturoli wrote:
>> Is there a way to restrict the port range of the additional connections
>> (e.g. to 40000-50000)?

On 06.12.20 14:41, Alex Rousskov wrote:
>I do not know what connections you are talking about (there are at least
>four connections when it comes to a typical proxied FTP transaction).
>
>* If you are talking about source ports used by from-Squid TCP
>connections, then those are usually handled by your OS ephemeral ports
>setting (e.g., sysctl net.ipv4.ip_local_port_range).

I guess he means the opposite: local port range for passive connections

>* If you are talking about blocking FTP PORT/EPRT commands based on the
>ports requested by FTP clients, then, in theory, one should be able to
>block such requests using http_access ACLs targeting
>fake/internal/wrapping HTTP requests that represent the corresponding
>raw FTP command. However, I have not tested whether that works in
>practice, and I suspect that Squid does _not_ supply enough details for
>the http_access ACLs to work in this use case.

This should be used against https://en.wikipedia.org/wiki/FTP_bounce_attack

>Please note that, AFAICT, Squid code talking to FTP servers does not
>support PORT/EPRT commands, so Squid converts each received FTP
>PORT/EPRT command into a PASV command (wrapped in an HTTP request for
>Squid traversal). In that wrapping HTTP request, the FTP-Command header
>field value will be set to PASV, not PORT or EPRT.

This makes FTP easier to handle on Squid.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.
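An added example, not part of this thread and not Squid's own code: a small Python validator for the data-connection endpoint a client announces in an active-mode PORT (RFC 959) or EPRT (RFC 2428) command, of the kind an FTP gateway applies before honouring the request. It assumes a hypothetical allowed port range (the 40000-50000 from the original question, constructed here as a parameter, not a Squid setting) and rejects the FTP bounce case by requiring the announced address to match the control-connection peer. Function names and the sample commands are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical allowed range for client data ports (the range asked about in
# the thread). Constructed here as a parameter, not a Squid configuration value.
ALLOWED_PORT_RANGE = (40000, 50000)

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -> address h1.h2.h3.h4, port p1*256+p2
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse an RFC 959 PORT command into (ip_address, port); raise ValueError if malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of byte range")
    ip = ipaddress.ip_address("%d.%d.%d.%d" % tuple(fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def parse_eprt_command(line):
    """Parse an RFC 2428 EPRT command ('EPRT |1|10.0.0.5|45000|') into (ip_address, port)."""
    body = line.strip()
    if not body.upper().startswith("EPRT"):
        raise ValueError("not an EPRT command: %r" % line)
    body = body[4:].strip()
    if not body:
        raise ValueError("empty EPRT argument")
    delim = body[0]  # RFC 2428 lets the client choose the delimiter; '|' is usual
    parts = body.split(delim)
    # "|1|10.0.0.5|45000|" splits into ['', '1', '10.0.0.5', '45000', '']
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        raise ValueError("malformed EPRT argument: %r" % body)
    proto, addr, port_text = parts[1], parts[2], parts[3]
    if proto not in ("1", "2"):  # 1 = IPv4, 2 = IPv6
        raise ValueError("unknown EPRT protocol %r" % proto)
    ip = ipaddress.ip_address(addr)
    if (proto == "1") != (ip.version == 4):
        raise ValueError("EPRT protocol does not match address family")
    return ip, int(port_text)


def check_data_endpoint(command, peer_ip, allowed=ALLOWED_PORT_RANGE):
    """Decide whether to honour a PORT/EPRT command from the client at peer_ip.

    Returns (ok, reason). Rejects: malformed commands, an announced address
    that differs from the control-connection peer (the FTP bounce case),
    privileged ports, and ports outside the allowed range.
    """
    try:
        if command.strip().upper().startswith("PORT"):
            ip, port = parse_port_command(command)
        else:
            ip, port = parse_eprt_command(command)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if ip != ipaddress.ip_address(peer_ip):
        return False, "address %s does not match control peer %s (bounce attempt)" % (ip, peer_ip)
    if port < 1024:
        return False, "privileged port %d" % port
    lo, hi = allowed
    if not lo <= port <= hi:
        return False, "port %d outside allowed range %d-%d" % (port, lo, hi)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample commands, as a gateway would see them on the control channel.
    for cmd, peer in [
        ("PORT 10,0,0,5,175,200", "10.0.0.5"),     # 175*256+200 = 45000, in range
        ("PORT 192,168,1,9,0,80", "10.0.0.5"),     # third-party address: bounce
        ("EPRT |2|2001:db8::1|45000|", "2001:db8::1"),
        ("PORT 10,0,0,5,200,0", "10.0.0.5"),       # 51200, outside range
    ]:
        print(cmd, "->", check_data_endpoint(cmd, peer))
```

The address check is the one that matters for the bounce attack: the port-range check only limits which local ports a client may ask the gateway to connect back to. A gateway that rewrites PORT/EPRT into PASV, as the thread says Squid does, sidesteps the bounce problem for the server side entirely, but the same validation still applies to whatever the gateway itself connects to.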