> On Sun, Dec 08, 2002 at 12:21:36AM +0600, Michael O. Boev wrote:
>
> > I have a SQUID proxy inside my network and I want it to make active
> > FTP-connections to the world (instead of, default, passive). And SQUID
> > refuses to accept the data connection from the ftp-proxy process, stating
> > that the connection comes from an unexpected address (from the proxying
> > machine, but not the target server). And it's not without reason, IMHO.
>
> To make ftp-proxy transparent like that, the data connections would have
> to appear to come from the external ftp server. So pf would have to
> translate the source address of the data connection from ftp-proxy to
> the ftp client (squid, in your case).
>
> For that, ftp-proxy would have to either insert and remove a temporary
> nat rule on the internal interface for each data connection, or use
> something like 'embryonic states' (search the list archive for a
> discussion of that). Neither is currently implemented.

Oh, yeah, temporary nat rules should solve the issue, I suppose. Is the new "anchor" feature of PF intended for these types of rules, isn't it?

> But you can relax squid's checking of the source address of active data
> connections, using the 'ftp_sanitycheck' configuration option:
>
>   ftp_sanitycheck, default: on

Great! This seems an instant workaround. This option must be a very recent one, since it didn't appear in my squid.conf, only in squid.conf.default. ))

Thanks for help,
Mike.
