Siju George wrote:
If you are running a firewall on OpenBSD with FTP proxy then it
listens behind the mother's skirt

You haven't thought about what is going on here and that it is quite a different situation.

Do you also run apache, named, dhcpd, sendmail, dovecot/courier, etc, etc.... only on the loopback? No? Why not? Because they use standard ports as listed in /etc/services


proxy    ftp-proxy   9695    3* internet stream tcp 0xd6b4a644 127.0.0.1:8021

and the man page says you should have the rule.

 rdr pass on $int_if proto tcp from $lan to any port 21 -> \
           127.0.0.1 port 8021

This redirects from a standard port to an unprivileged NON-STANDARD port, which many ftp clients would never use as a proxy. It makes it transparent to the client that they are using a proxy. As it is a non-standard port that clients will never connect to, it is run on the loopback. That does not make the daemon any more secure from buffer overflows, etc, etc, as the same packets come into it.

Squid listens on a high numbered unprivileged port by default, and runs as an unprivileged user. It is also easy to run chroot as well.

3128 is a commonly used web proxy port.


pfSense developers changed squid to listen on localhost and
redirect allowed traffic from the internal interface.

Bully for them.

Use WPAD as it is designed to auto config browsers, or inform your users how to manually use the proxy.

What is the point of hiding a web proxy by transparency from users in a work environment? It is not their equipment, their time, and nor is it their place to complain about how you run the network.
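Added example (not part of the original message): a minimal WPAD/PAC file of the kind the post recommends instead of a transparent redirect, pointing browsers at a squid on the 3128 port mentioned above. The proxy hostname, LAN range and DNS suffix are assumptions; the helper shims only exist so the file also runs stand-alone under node, a browser supplies them itself.

```javascript
// Added example, not from the original post. Assumed values: proxy host
// "proxy.example.internal", LAN 192.168.1.0/24, local suffix ".example.internal".
var PROXY = "PROXY proxy.example.internal:3128";

// Browsers provide these PAC helpers; the shims below are only for running
// the file outside a browser.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
// Constructed host->IP table standing in for the browser's dnsResolve().
var CONSTRUCTED_DNS = { "intranet.example.internal": "192.168.1.20" };
function dnsResolve(host) { return CONSTRUCTED_DNS[host] || null; }
function isInNet(ip, net, mask) {
  if (ip === null) return false;
  function toInt(s) {
    return s.split(".").reduce(function (a, o) { return (a << 8) | parseInt(o, 10); }, 0) >>> 0;
  }
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

function FindProxyForURL(url, host) {
  // Unqualified names and the local DNS domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) return "DIRECT";
  // Literal or resolved addresses inside the LAN range also go direct.
  if (shExpMatch(host, "192.168.1.*") ||
      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else goes through squid; fall back to DIRECT if it is down.
  return PROXY + "; DIRECT";
}
```

Serve the file as `wpad.dat` with MIME type `application/x-ns-proxy-autoconfig` from the host that DHCP option 252 or the `wpad` DNS name points at.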
