[squid-users] Squid-3.5.21: filter FTP content or FTP commands

oleg gv oagvozd at gmail.com
Tue Oct 4 12:24:58 UTC 2016


Finally I've managed to go to ftp.intel.com using FileZilla through my
Squid gateway in standard (proxy) mode.

Squid conf:
ftp_port  x.x.x.x  2122

Then I try to block FTP-Command and nothing happens. Some of my config:

acl rh req_header -i ^FTP-Command
http_access deny rh
http_access allow all

And I also added the following:

request_header_access  "FTP-Command: LIST" deny all


Connecting to and browsing the remote ftp.intel.com is OK - nothing blocked.

In the Squid log I see (fragment):


2016/10/04 15:23:04.177 kid1| 9,2| FtpServer.cc(495) writeReply: FTP Client
REPLY:
---------
227 Entering Passive Mode (192,168,33,254,230,30).

----------
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.178 kid1| 33,2| FtpServer.cc(699) parseOneRequest:
>>ftp LIST
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1320) handleRequest: FTP
Client local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1322) handleRequest: FTP
Client REQUEST:
---------
GET / HTTP/1.1
FTP-Command: LIST
FTP-Arguments:

----------
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744)
clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED;
last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(720)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744)
clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED;
last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding
client request local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9
flags=1, url=ftp://ftp.intel.com/
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'ftp://ftp.intel.com/'



But I need to block FTP-Command: LIST (for example).


2016-10-03 20:34 GMT+03:00 Alex Rousskov <rousskov at measurement-factory.com>:

> Please ask these questions on squid-users...
>
> On 10/03/2016 05:51 AM, oleg gv wrote:
> > Thanks, but problems still exist - FTP doesn't work through the proxy.
> >
> > 1. I've set in the proxy
> >     ftp_port 192.168.0.1:2121
> > 2. set the client browser to use the proxy for FTP on 192.168.0.1:2121
> >
> > Trying to go to ftp://ftp.intel.com and in the Squid log I see:
> >
> > FTP Client REPLY:
> > ---------
> > 530 Must login first
> >
> > ####
> >
> > Another variant: set up interception ftp_proxy (with NAT redirect) - and
> > it also doesn't work: last commands in log:
> > 2016/10/03 14:43:09.929 kid1| 9,2| FtpRelay.cc(733)
> > dataChannelConnected: connected FTP server data channel:
> > local=8x.xxx.xxx.xxx:41231 remote=192.198.164.82:36034 FD 19 flags=1
> > 2016/10/03 14:43:09.929 kid1| 9,2| FtpClient.cc(791) writeCommand: ftp<<
> > LIST
> >
> > 2016/10/03 14:43:10.125 kid1| 9,2| FtpClient.cc(1108) parseControlReply:
> > ftp>> 125 Data connection already open; Transfer starting.
> >
> > And ftp.intel.com hangs, trying to open...
> >
> >
> >
> >
> >
> > 2016-10-01 2:12 GMT+03:00 Alex Rousskov
> > <rousskov at measurement-factory.com>:
> >
> >     On 09/30/2016 10:42 AM, oleg gv wrote:
> >
> >     > Hello, I've found that NativeFtpRelay appeared in squid 3.5. Is it
> >     > possible to apply http_access ACLs to the FTP protocol for
> >     > filtering FTP methods (commands)
> >
> >     Yes, it should be possible.
> >
> >
> >     > by analogy with HTTP methods?
> >
> >     Not quite. IIRC, when the HTTP message representing the FTP
> >     transaction is relayed through Squid, the FTP command name is _not_
> >     stored as an HTTP method. The FTP command name is stored as the HTTP
> >     "FTP-Command" header value. See http://wiki.squid-cache.org/Features/FtpRelay
> >
> >     You should be able to block FTP commands using a req_header ACL.
> >
> >
> >     > what other possibilities in squid exist to do this ?
> >
> >     An ICAP or eCAP service can also filter relayed FTP messages.
> >
> >     Alex.
> >
> >
>
>
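An added example (not from this thread and not the Squid project's own configuration) of the req_header form Alex describes: the ACL takes the header name first, then the regex applied to that header's value, so the relayed "FTP-Command: LIST" request shown in the log is matched on the FTP-Command header. It assumes net33, seen in the log, is the ACL that already admits the clients.

```conf
# Squid carries the relayed FTP command as the HTTP header
# "FTP-Command: LIST" (see the FTP Client REQUEST in the log above).
# Syntax: acl <name> req_header <header-name> [-i] <regex-on-header-value>
acl ftp_list req_header FTP-Command -i ^LIST$

# Order matters: the deny must come before the rule that admits the
# clients (net33 is assumed here), or the request is allowed first and
# ftp_list is never consulted.
http_access deny ftp_list
http_access allow net33
http_access deny all

# request_header_access only controls whether a header is forwarded to the
# server; it does not reject the request, so it cannot block the command.
```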