Apologies for the cross post from another list, but thought some sluggers
might be interested in this.

Thanks to this guy and the guys at Suse we can do transparent proxying of
ftp traffic. Even block allowed ftp connections.

I have tried this software and it works quite well. I haven't tried the
transparent proxy bit.

dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 24 October 2000 1:49 AM
To: [EMAIL PROTECTED]
Cc: Volker Wiegand; [EMAIL PROTECTED]
Subject: [proxy-suite] Re: ftp-proxy

On Sun, Oct 22, 2000 at 07:04:51PM -0700, Volker Wiegand wrote:
> Hi,

Hi!

> I am currently a little bit overloaded, but I believe Marius can
> help you find the answer. Marius, would you be so kind as to
> answer Simon?
>
> Kind regards
> Volker
>
>
>
> On Fri, 13 Oct 2000 [EMAIL PROTECTED] wrote:
>
> > Hello Volker,
> >
> > I realise you probably get many e-mails but if you get the
> > time to reply I would greatly appreciate it. The requirement we have
> > is to proxy internal FTP clients to the Internet (where we can
> > therefore control what sites they can FTP to).

I plan to implement a direct support of destination control,
but at the moment it is not supported by the proxy itself.

> > I have tried to
> > configure the ftp-proxy software but am currently getting the
> > following error "TECH-ERR can't get peername for socket 0" - I have

I need more info to say anything about, i.e. the config file,
log / debug output.

> > looked through the proxy-suite archive lists and although the question
> > has been raised before there appears to be no answer, I have also
> > noticed in the lists reference to a file "TRANSPARENT_PROXY.txt" but

The transparent proxy version is not "official" at the moment.
You can get it from:

    http://www.suse.de/~mt/proxy-suite/

    5894d4c80888bcfa4cb2e345676dc69e  fwproxy-1.7tp3-0.i386.rpm
    3522e255e0d8bf5f106def52246d0c49  fwproxy-1.7tp3-0.src.rpm

With this "transparent-version" you can control the destinations
with ipchains. You simply redirect allowed destinations to the
proxy and deny all other...

For example, if your local network is 192.168.1.0/24 and the
proxy (= gateway) with the ftp-proxy is 192.168.1.254 you can
do something like that (a shell script):

    allow_dest="/etc/proxy-suite/allowed-destinations"
    LOCALNET="192.168.1.0/24"
    LOCAL_IP="192.168.1.254"
    LOG="-l"

    # Refuse direct connections to port 21 on the proxy address.
    # (-p tcp added: ipchains accepts port arguments only with a protocol)
    ipchains -A input -p tcp -s $LOCALNET   -d $LOCAL_IP 21 -j REJECT $LOG
    ipchains -A input -p tcp -s ! $LOCALNET -d $LOCAL_IP 21 -j DENY   $LOG

    # Redirect every allowed destination to the local ftp-proxy (port 21).
    if test -f "$allow_dest" ; then
      while read -r xdest xport ; do
        dest=${xdest%%\#*}          # strip comments
        port=${xport%%\#*}
        test -z "$dest" && continue
        test -z "$port" && port=21  # default FTP control port
        ipchains -A input -p tcp -s $LOCALNET -d "$dest" "$port" -j REDIRECT 21 $LOG
      done < "$allow_dest"
    else
      echo "can not read file $allow_dest" 1>&2
    fi

    # Refuse FTP to all other destinations.
    ipchains -A input -p tcp -s $LOCALNET   -d 0/0 21 -j REJECT $LOG
    ipchains -A input -p tcp -s ! $LOCALNET -d 0/0 21 -j DENY   $LOG

In /etc/proxy-suite/allowed-destinations you enter all IPs
(and optional also the port) your users can connect to via
the proxy:

    #
    # <ip-number/hostname> [port]
    #
    ftp.suse.com
    ftp.suse.de 21

you may also set "AllowMagicUser no" in the proxy configuration
so the user can't override the destination...

> > there is no copy of that on my installation (version 7 with the latest
> > rpm update for ftp-proxy) - although I have found a version in German
> > on the web, which leads me on to my second question - am I using the
> > right tool for what I am trying to achieve or should I be using some
> > sort of ipchains/masquerading set-up etc. Please be aware I am not a
> > Unix/Linux expert but am a keen amateur trying to push Linux where
> > possible/safe into our work environment to gain greater acceptance of
> > the platform.
> >
> > Many thanks for your time - again, any help or pointers would be
> > greatly appreciated.
> >
> > Regards,
> > Simon Cassling
> >
> >
>
> --
> Freundschaftlich / With kind regards
> Volker
>
> --
> Volker Wiegand                     Voice:  +1-510-628-3380 ext 5029
> SuSE Inc.                          Fax:    +1-510-628-3381
> 580 Second Street, Suite 210       Mobile: +1-510-333-9248
> Oakland, CA 94607 USA              E-Mail: [EMAIL PROTECTED]
>
>

--
 Regards,
  Marius Tomaschewski <[EMAIL PROTECTED]>
--
 SuSE GmbH, Hamburg --- SuSE Labs, Product Developement
 PGP public key available: http://www.suse.de/~mt/mt.pgp
 Fprint: EA 1F 92 75 1A F9 82 07 A1 28 DE 7A 32 E8 97 18

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
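
The destination list described in the message above, as an added example that is not part of the original thread or of proxy-suite: a dry-run script that validates each allowed-destinations entry and prints the ipchains REDIRECT commands instead of running them, so the list can be reviewed before it reaches the firewall. The function name gen_rules, the validation rules and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): dry-run rule generator.
LOCALNET="192.168.1.0/24"   # network from the message above
PROXY_PORT=21               # local port ftp-proxy listens on

# gen_rules FILE: print one command per valid entry. Returns 0 if every
# entry was accepted, 1 if any entry was rejected, 2 if FILE is unreadable.
gen_rules() {
    file=$1; bad=0; lineno=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%\#*}               # strip comments
        set -f; set -- $line; set +f    # split on whitespace, no globbing
        [ $# -eq 0 ] && continue        # blank or comment-only line
        dest=$1; port=${2:-21}; why=
        [ $# -gt 2 ] && why="unexpected extra field"
        case $dest in                   # host/IP/CIDR characters, not an option
            -*|*[!A-Za-z0-9./-]*) why="bad destination '$dest'" ;;
        esac
        case $port in                   # decimal, at most five digits
            *[!0-9]*|??????*) why="bad port '$port'" ;;
            *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
                   why="port out of range '$port'" ;;
        esac
        if [ -n "$why" ]; then
            echo "$file:$lineno: $why, entry skipped" >&2
            bad=1; continue
        fi
        # -p tcp: ipchains accepts port arguments only with a protocol.
        echo "ipchains -A input -p tcp -s $LOCALNET -d $dest $port" \
             "-j REDIRECT $PROXY_PORT -l"
    done < "$file"
    return $bad
}

# Constructed sample input; the last two entries are deliberately malformed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <ip-number/hostname> [port]
ftp.suse.com
ftp.suse.de 21   # explicit port
bad_host! 21
ftp.example.org 99999
EOF
gen_rules "$sample" || echo "some entries were rejected" >&2
rm -f "$sample"
```

Hostnames in the list are resolved when a rule is inserted, so later DNS changes are not followed until the rules are reloaded.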
