<div dir="ltr"><div><div><div><div>Finally I've managed to go to <a href="http://ftp.intel.com" target="_blank">ftp.intel.com</a> using FileZilla through my squid gateway in standard (proxy) mode.<br><br></div><div>Squid conf:<br></div><div></div><div>ftp_port x.x.x.x 2122<br><br></div><div>Then I try to block FTP-Command and nothing happens. Some of my config:<br><br></div><div>acl rh req_header -i ^FTP-Command</div>http_access deny rh<br></div>http_access permit all<br></div><br>And I also added the following: <br><br>request_header_access "FTP-Command: LIST" deny all<br><br><br></div>Connecting to and browsing the remote <a href="http://ftp.intel.com" target="_blank">ftp.intel.com</a> is OK - nothing is blocked.<br><div><br><div>In the squid log I see (fragment):<br><br><br></div><div>2016/10/04 15:23:04.177 kid1| 9,2| FtpServer.cc(495) writeReply: FTP Client REPLY:<br>---------<br>227 Entering Passive Mode (192,168,33,254,230,30).<br><br>----------<br>2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable<br>2016/10/04 15:23:04.178 kid1| 33,2| FtpServer.cc(699) parseOneRequest: >>ftp LIST<br>2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1320) handleRequest: FTP Client local=<a href="http://192.168.33.254:2122">192.168.33.254:2122</a> remote=<a href="http://192.168.33.10:60838">192.168.33.10:60838</a> FD 9 flags=1<br>2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1322) handleRequest: FTP Client REQUEST:<br>---------<br>GET / HTTP/1.1<br>FTP-Command: LIST<br>FTP-Arguments: <br><br>----------<br>2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET <a href="ftp://ftp.intel.com/">ftp://ftp.intel.com/</a> is ALLOWED; last ACL checked: net33<br>2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(720) clientAccessCheck2: No adapted_http_access configuration. 
default: ALLOW<br>2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET <a href="ftp://ftp.intel.com/">ftp://ftp.intel.com/</a> is ALLOWED; last ACL checked: net33<br>2016/10/04 15:23:04.178 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request local=<a href="http://192.168.33.254:2122">192.168.33.254:2122</a> remote=<a href="http://192.168.33.10:60838">192.168.33.10:60838</a> FD 9 flags=1, url=<a href="ftp://ftp.intel.com/">ftp://ftp.intel.com/</a><br>2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: <a href="ftp://ftp.intel.com/">ftp://ftp.intel.com/</a>' via <a href="http://ftp.intel.com">ftp.intel.com</a><br>2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: <a href="ftp://ftp.intel.com/">ftp://ftp.intel.com/</a>' via <a href="http://ftp.intel.com">ftp.intel.com</a><br>2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for '<a href="ftp://ftp.intel.com/">ftp://ftp.intel.com/</a>'<br><br><div><div><div><br></div><div><div><br></div><div>But I need to block FTP-Command: LIST (for example)<br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote">2016-10-03 20:34 GMT+03:00 Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.<wbr>com</a>></span>:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Please ask these questions on squid-users...<br>
<span><br>
On 10/03/2016 05:51 AM, oleg gv wrote:<br>
> Thanks, but problems still exist - FTP doesn't work through proxy.<br>
><br>
> 1. I've set in proxy<br>
</span>> ftp_port <a rel="noreferrer" href="http://192.168.0.1:2121" target="_blank">192.168.0.1:2121</a> <<a rel="noreferrer" href="http://192.168.0.1:2121" target="_blank">http://192.168.0.1:2121</a>><br>
<span>> 2. set in client browser to use proxy for FTP on <a rel="noreferrer" href="http://192.168.0.1:2121" target="_blank">192.168.0.1:2121</a><br>
</span>> <<a rel="noreferrer" href="http://192.168.0.1:2121" target="_blank">http://192.168.0.1:2121</a>><br>
<span>><br>
> Trying to go to <a rel="noreferrer" href="ftp://ftp.intel.com" target="_blank">ftp://ftp.intel.com</a> and in the log of squid I see:<br>
><br>
> FTP Client REPLY:<br>
> ---------<br>
> 530 Must login first<br>
><br>
> ####<br>
><br>
> Another variant: setup interception ftp_proxy (with nat redirect) - and<br>
> it also doesn't work: last commands in log:<br>
> 2016/10/03 14:43:09.929 kid1| 9,2| FtpRelay.cc(733)<br>
> dataChannelConnected: connected FTP server data channel:<br>
> local=8x.xxx.xxx.xxx:41231 remote=<a rel="noreferrer" href="http://192.198.164.82:36034" target="_blank">192.198.164.82:36034</a><br>
</span>> <<a rel="noreferrer" href="http://192.198.164.82:36034" target="_blank">http://192.198.164.82:36034</a>> FD 19 flags=1<br>
<span>> 2016/10/03 14:43:09.929 kid1| 9,2| FtpClient.cc(791) writeCommand: ftp<<<br>
> LIST<br>
><br>
> 2016/10/03 14:43:10.125 kid1| 9,2| FtpClient.cc(1108) parseControlReply:<br>
> ftp>> 125 Data connection already open; Transfer starting.<br>
><br>
> And ftp.intel.com hangs, trying to open...<br>
><br>
><br>
><br>
><br>
><br>
> 2016-10-01 2:12 GMT+03:00 Alex Rousskov<br>
> <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.<wbr>com</a><br>
</span>> <mailto:<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-f<wbr>actory.com</a>>>:<br>
<div class="gmail-m_6503794103847508117gmail-m_6042727669406171417HOEnZb"><div class="gmail-m_6503794103847508117gmail-m_6042727669406171417h5">><br>
> On 09/30/2016 10:42 AM, oleg gv wrote:<br>
><br>
> > Hello, I've found that NativeFtpRelay appeared in squid 3.5 . Is it<br>
> > possible to apply http-access acl for FTP proto concerning filtering of<br>
> > FTP methods (commands)<br>
><br>
> Yes, it should be possible.<br>
><br>
><br>
> > by analogy of HTTP methods ?<br>
><br>
> Not quite. IIRC, when the HTTP message representing the FTP transaction<br>
> is relayed through Squid, the FTP command name is _not_ stored as an<br>
> HTTP method. The FTP command name is stored as HTTP "FTP-Command" header<br>
> value. See <a rel="noreferrer" href="http://wiki.squid-cache.org/Features/FtpRelay" target="_blank">http://wiki.squid-cache.org/Fe<wbr>atures/FtpRelay</a><br>
> <<a rel="noreferrer" href="http://wiki.squid-cache.org/Features/FtpRelay" target="_blank">http://wiki.squid-cache.org/<wbr>Features/FtpRelay</a>><br>
><br>
> You should be able to block FTP commands using a req_header ACL.<br>
><br>
><br>
> > what other possibilities in squid exist to do this ?<br>
><br>
> An ICAP or eCAP service can also filter relayed FTP messages.<br>
><br>
> Alex.<br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div></div></div></div></div></div></div></div>
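An added configuration example (not from the thread and not Squid project code) showing the req_header ACL form that matches the relayed FTP command, next to the original lines for contrast. It assumes the Squid 3.5 FtpRelay behaviour described above (the FTP command name arrives in the HTTP FTP-Command header, as the log shows) and a placeholder definition for the net33 ACL that the log names; the subnet is constructed.

```conf
# Squid 3.5 native FTP relay: every FTP command is relayed as an HTTP request
# whose "FTP-Command" header carries the command name (see the log fragment).
ftp_port 192.168.33.254 2122

# Original line: req_header takes the HEADER NAME as its first argument.
# As written, the header name becomes "-i" and "^FTP-Command" is a regex
# matched against the value of a header that never exists, so it never matches.
#acl rh req_header -i ^FTP-Command

# Corrected: name the header, then the (case-insensitive) regex for its value.
acl ftp_list req_header FTP-Command -i ^LIST$
# Optionally restrict the rule to FTP transactions only.
acl is_ftp proto FTP

# http_access is first-match. The log says "ALLOWED; last ACL checked: net33",
# i.e. an allow rule for net33 matched before any deny was reached, so the
# deny must be listed before that allow.
acl net33 src 192.168.33.0/24     # placeholder for the poster's existing ACL
http_access deny is_ftp ftp_list
http_access allow net33
http_access deny all

# Note: request_header_access takes a header NAME only and decides whether that
# header is forwarded; it cannot deny a request and does not accept
# "Name: value" pairs, so the original
#request_header_access "FTP-Command: LIST" deny all
# does not filter LIST at all.
```

With this in place a relayed LIST should log as "DENIED; last ACL checked: ftp_list" at the same clientAccessCheckDone line seen above, which is the quickest way to confirm rule order is right.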