[squid-users] FTP : Squid sending private IP in PASV response

Garri Djavadyan garryd at comnet.uz
Fri Oct 21 09:02:04 UTC 2016


On Fri, 2016-10-21 at 08:27 +0000, Gael Ancelin wrote:
> WAN_IP---[FW]-------localIP1-[SQUID]-localIP2------------localIP3-[FTP_Server]
> 
> I was expecting something like "227 Entering Passive Mode
> (54,xx,xx,xx,213,249)." with the public IP.
> What I want is a response like (WAN_IP,port), but what I obtain is 
> (localIP1,port) instead.
> 
> Squid does not respond with the FTP server address, so I presume that
> Squid understands enough of the FTP protocol to modify the response and
> put its own IP address instead of the real FTP server's.

According to your scheme, the FW is a DNAT device and it forwards packets
destined for the FTP control channel port (21) on the public IP of the FW
to the private localIP1 of SQUID. In that scenario Squid doesn't even know
that the client used WAN_IP to access the FTP service, and therefore it
can't use the public IP even if it wished to.


> So I'm wondering if there is a way to force Squid to respond with a
> fixed IP address instead of its own local address.

Here http://www.squid-cache.org/Doc/config/ you can find all available
options.

