On Sun, Dec 08, 2002 at 12:21:36AM +0600, Michael O. Boev wrote:

> I have a SQUID proxy inside my network and I want it to make active
> FTP-connections to the world (instead of, default, passive). And SQUID
> refuses to accept the data connection from the ftp-proxy process, stating
> that the connection comes from an unexpected address (from the proxying
> machine, but not the target server). And it's not without reason, IMHO.
To make ftp-proxy transparent like that, the data connections would have to
appear to come from the external ftp server. So pf would have to translate
the source address of the data connection from ftp-proxy to the ftp client
(squid, in your case). For that, ftp-proxy would have to either insert and
remove a temporary nat rule on the internal interface for each data
connection, or use something like 'embryonic states' (search the list
archive for a discussion of that). Neither is currently implemented.

But you can relax squid's checking of the source address of active data
connections, using the 'ftp_sanitycheck' configuration option:

  ftp_sanitycheck, default: on

  For security and data integrity reasons Squid by default performs
  sanity checks of the addresses of FTP data connections to ensure the
  data connection is to the requested server. If you need to allow
  FTP connections to servers using another IP address for the data
  connection then turn this off.

Assuming that the firewall prevents external hosts from connecting to the
squid box directly (not through ftp-proxy), I'd say it's safe to turn that
check off.

You could also patch the check to allow connections from either the
expected server or the ftp-proxy address (src/ftp.c, grep for
sanitycheck).

Daniel
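The following is an added illustration, not part of the thread above, of the setup Daniel's advice assumes: the firewall redirects the LAN's FTP control connections to ftp-proxy, lets only ftp-proxy (not squid) receive connections from the outside, and squid has ftp_sanitycheck turned off so it accepts the data connection that ftp-proxy opens from the firewall's internal address. Interface names, addresses, the inetd port 8021 and the use of source port 20 for the server's active-mode callback are assumptions chosen for the example; check them against the pf.conf(5) and ftp-proxy(8) of your release before relying on them.

```conf
# --- /etc/pf.conf on the OpenBSD firewall (added example; hypothetical values) ---
# ftp-proxy is started by inetd, e.g. with this inetd.conf line (hypothetical port):
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
ext_if  = "xl0"              # assumption: external interface
int_if  = "xl1"              # assumption: internal interface
int_net = "192.168.1.0/24"   # assumption: LAN behind the firewall
squid   = "192.168.1.10"     # assumption: the squid box

# Hand every FTP control connection from the LAN to the local ftp-proxy.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# NAT the LAN's outbound traffic to the external address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny for everything coming in; log it.
block in log all

# The LAN may talk to ftp-proxy and to the outside (stateful).
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 keep state
pass in on $int_if from $int_net to any keep state

# Anything the firewall itself originates (ftp-proxy's connections to the
# remote server on $ext_if and its active-mode data connection back to the
# squid box on $int_if) leaves stateful.
pass out keep state

# Active mode: the remote server connects back to ftp-proxy's external
# address. Only that callback is admitted from the outside; there is
# deliberately no rule passing anything in on $ext_if to $squid, which is
# the property that makes "ftp_sanitycheck off" acceptable on the squid box.
# Assumption: the server uses source port 20 for the data connection.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) flags S/SA keep state

# --- squid.conf on the squid box (the one line this thread is about) ---
# Squid would otherwise reject the data connection because it arrives from
# the firewall's $int_if address, not from the FTP server it asked for.
# ftp_sanitycheck off
```

With this ruleset the squid box's FTP data port, which listens on any address once the sanity check is off, is reachable only from the LAN and from the firewall's internal interface; an external host cannot reach it because nothing passes in on $ext_if except the callback to ftp-proxy itself.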