Just in case anyone was interested but had no helpful information to hand...
I know it's bad form to answer one's own questions. ;)
> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 28 June 2000 11:51 AM
> To: '[EMAIL PROTECTED]'
> Subject: Transparent FTP proxies
>
>
> G'day,
>
> Does anyone have any experience with transparent FTP proxies?
A little.
> If they were
> to work with *BSD in bridge mode that would be even better.
Not quite.
> From my general
> looking around, I've discovered that ipnat already has an FTP
> proxy, but I'm
> not sure whether it is a full ALG.
It doesn't appear to be. From the testing I've done, none of the sequence
numbers, windows or anything else are changed from one side of the proxy to
the other - this makes me dubious as to its merits as a proxy in anything
other than the "making the protocol work" sense.
> The next two that stick
> out are one of
> the hacked or unhacked versions of TIS ftp-gw or the SuSE
> Linux FTP Proxy.
I ended up using the SuSE ftp-proxy which is contained in the OpenBSD ports
collection. It seems okay so far but I haven't yet started stressing it in
earnest with "questionable" FTP commands etc.
>
> My vague intention is to run this as a two NIC box,
> preferably in bridge
> mode, and I'd eventually want to run an HTTP proxy (stripped
> down would be
> best, so Squid is not a leading candidate) as well.
Well, it's running fine as a two NIC box. I can turn off ip forwarding so I
guess it really is running as a proxy. If I like I can use NAT to redirect
connections to the local proxy port but this isn't really helpful in my
case.
I've also used ipf to block frags, options and other undesirables before
they get to the proxy which looks to be working.
Running two copies of the proxy in dual "outside" mode means that I can only
connect to one real FTP server on each side - this is a protocol limitation.
The FTP proxy itself does support a "smart user" mode where you can select
your host by using a different username. For my application I don't need
this and it also breaks the transparency model.
Running it in bridge mode isn't going to work as far as I can see - I still
think that it's theoretically possible but I'm not skillful enough to cut my
own code for something of that scale.
>
> Cheers,
>
> --
> Ben Nagy
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
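As an added illustration (not from the post above, and not the SuSE ftp-proxy's own files), this is what the setup described might look like on an OpenBSD host of that era: ip forwarding off, ipf dropping fragments and IP options before they reach the proxy, and the optional ipnat redirect of port 21 to the local proxy port. Interface names (xl0 outside, xl1 inside), the box's inside address 10.0.0.1 and proxy port 2121 are assumptions.

```conf
# Added example, not from the original post. Interface names (xl0 = outside,
# xl1 = inside), the address 10.0.0.1 and the proxy port 2121 are assumed.

# /etc/sysctl.conf
# The box proxies at application level, so it must not route packets between
# its two NICs; with forwarding off, only what the proxy itself accepts and
# re-originates can cross from one side to the other.
net.inet.ip.forwarding=0

# /etc/ipf.rules
# Drop what the proxy should never have to parse: fragments, packets too
# short to inspect, and packets carrying IP options. Mirror for xl1.
block in log quick on xl0 from any to any with frag
block in log quick on xl0 from any to any with short
block in log quick on xl0 from any to any with ipopts
# Only FTP control connections reach the proxy; the proxy opens data
# channels itself, so nothing else needs to be let in.
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state
block in quick on xl0 all

# /etc/ipnat.conf
# Optional "NAT redirect" variant: catch inside clients' connections to any
# port 21 and hand them to the proxy listening on the box.
rdr xl1 0.0.0.0/0 port 21 -> 10.0.0.1 port 2121 tcp
```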