Seeking CERN proxy filter


Post by Terry Glie » Wed, 12 Jul 1995 04:00:00



Has anyone developed modifications to the CERN server to filter which
destination URLs the server would proxy for?  I have a special situation
where it is desirable to prevent users (who use proxy) from going to
certain sites. Anyone ever do something like this?

Thanks in advance.
--
===================================================================

 Communicating for America Network Services    http://www.cfa.org/
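One way a proxy could refuse destinations, added here as an example and not code from the CERN server or from anyone in this thread. The denylist and the URLs are constructed; the check works on the parsed hostname so that a `user@` prefix, a `:port` suffix, letter case or a trailing dot cannot disguise the real destination.

```python
from urllib.parse import urlsplit

# Constructed denylist: a request whose destination host equals one of these
# names, or is a subdomain of one, is refused by the proxy.
DENIED_DOMAINS = {"blocked.example", "ads.example.net"}


def destination_host(url):
    """Extract and normalize the host a proxy request would connect to.

    urlsplit().hostname is already lower-cased and has userinfo and port
    stripped, so "http://ok.example@blocked.example:8001/" yields
    "blocked.example", not "ok.example".
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "ftp", "gopher", "wais"):
        raise ValueError(f"unsupported scheme in {url!r}")
    host = parts.hostname  # None when the URL carries no host at all
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")  # "blocked.example." names the same zone


def is_denied(url):
    """True if the proxy should refuse to fetch this URL."""
    host = destination_host(url)
    labels = host.split(".")
    # Compare the host itself and every parent domain with the denylist,
    # so www.blocked.example is caught by the "blocked.example" entry.
    return any(".".join(labels[i:]) in DENIED_DOMAINS for i in range(len(labels)))


if __name__ == "__main__":
    for u in ("http://www.blocked.example/page",
              "http://www.cfa.org/",
              "http://www.cfa.org@blocked.example:8001/",
              "http://notblocked.example/"):
        print("DENY " if is_denied(u) else "ALLOW", u)
```

Matching on whole labels (rather than a substring test) is what keeps `notblocked.example` from being swept up by a `blocked.example` entry.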


1. CERN proxy and packet filters question


: Hi,

: I have the CERN HTTPD proxy server running behind a packet filtering
: router.  The proxy handles HTTP requests fine, but it doesn't like
: FTP requests.  I made sure the router allows incoming TCP packets with
: source = 80 and destination >= 1024.  Similarly, the router allows incoming
: packets with source = 21 and destination >= 1024.

: Strangely enough, using the shell on the proxy host, I can ftp outside.
: But HTTPD can't seem to do the same.  Running HTTPD in debug
: mode shows that it wants to receive from ports other than 21
: (generally above 1023).  In fact, if I allow more TCP packets through,
: everything works.  Is this correct?  I always thought FTP servers
: only listen to port 21.  Any suggestions for configuring a packet
: filter to enable ftp via the CERN proxy (while remaining secure)?

I believe this is related to the same problem some ftp clients have
with packet filters, the ftp protocol allows for data connections from
ports greater than 1023. The goal when using ftp through a filter is
to get the client to operate in 'passive' mode. This mode was defined
by rfc1579:

   The FTP protocol [1] uses a secondary TCP connection for actual
   transmission of files.  By default, this connection is set up by an
   active open from the FTP server to the FTP client.  However, this
   scheme does not work well with packet filter-based firewalls, which
   in general cannot permit incoming calls to random port numbers.

   If, on the other hand, clients use the PASV command, the data channel
   will be an outgoing call through the firewall.  Such calls are more
   easily handled, and present fewer problems.

The problem with the CERN httpd is that the proxy doesn't seem to
use passive mode and I haven't been able to find a way to get it
to short of altering the src...

Another thing you may notice with the CERN proxy is that making
requests for URLs such as  http://www.xxx.com:8001/  will not
work without a rule in the filter for tcp port 8001. Many people
run httpd servers on Unix boxes they don't have root access to and
thus cannot have the server sitting on port 80 (<1024).

For these reasons, we usually put the CERN proxy *outside* the firewall.
This way, no matter what requests are going to the CERN proxy from your
(netscape?) client, ftp, http, wais, gopher, they always go through the
filter on the port you have configured the proxy on (usually port 80),
but the proxy can then relay the request on any port number it feels like.

Hope this helps...

--------------------------------------------------------------------
Peter Howlett                           Atlantic Systems Group
Phone (Home): (506) 455-6165            Fredericton, N.B. Canada

http://www.ASG.unb.ca/personal/ph.html       Fax:   (506) 453-5004
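The active/passive difference Peter describes, worked through in code. This is an added example, not code from the CERN proxy or from either poster: it parses the RFC 959 `227` passive-mode reply, builds the `PORT` command an active-mode client sends, and runs the opening segment of the data connection (plus the answer to it) through a stateless model of the router rules the question lists (inbound only from source port 80 or 21 to a destination port >= 1024). The optional `allow_established` rule, which admits inbound segments that are not a bare SYN, is an assumption added to show why passive mode is "more easily handled"; the post itself does not mention it.

```python
import re
from dataclasses import dataclass

# RFC 959 reply in which the server names the address/port it will listen on
# for the data connection: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\D*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Turn a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"byte out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(host, port):
    """Build the PORT command an active-mode client sends so the server
    knows which client address/port to call back to."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class Packet:
    inbound: bool    # True: arrives from the Internet side toward the proxy host
    src_port: int
    dst_port: int
    syn: bool        # True for the first segment of a new TCP connection


def router_allows(pkt, allow_established=False):
    """Stateless model of the rules in the question (constructed here):
    everything outbound passes; inbound passes only from source port 80 or
    21 to a destination port >= 1024. allow_established is an assumed extra
    rule admitting inbound segments that are not a bare SYN."""
    if not pkt.inbound:
        return True
    if allow_established and not pkt.syn:
        return True
    return pkt.src_port in (80, 21) and pkt.dst_port >= 1024


def data_connection_opener(mode, client_port, server_data_port=20):
    """The first segment of the FTP data connection in each mode."""
    if mode == "active":
        # Server calls back from port 20 to the port the client named in PORT.
        return Packet(inbound=True, src_port=20, dst_port=client_port, syn=True)
    if mode == "passive":
        # Client calls out to the port the server named in its 227 reply.
        return Packet(inbound=False, src_port=client_port,
                      dst_port=server_data_port, syn=True)
    raise ValueError(f"unknown mode {mode!r}")


def data_connection_passes(mode, client_port, pasv_reply=None,
                           allow_established=False):
    """Do the data connection's opening segment and the answer to it both
    get through the filter?"""
    server_port = parse_pasv_reply(pasv_reply)[1] if pasv_reply else 20
    opener = data_connection_opener(mode, client_port, server_port)
    if not router_allows(opener, allow_established):
        return False
    # The other side answers in the opposite direction with SYN+ACK,
    # which the model treats as "not a bare SYN".
    answer = Packet(inbound=not opener.inbound, src_port=opener.dst_port,
                    dst_port=opener.src_port, syn=False)
    return router_allows(answer, allow_established)


if __name__ == "__main__":
    # Constructed sample exchange between a client on port 1501 and a server.
    reply = "227 Entering Passive Mode (192,168,1,10,19,137)."
    print(port_command("10.0.0.5", 1501))            # what active mode sends
    print(parse_pasv_reply(reply))                   # what passive mode learns
    print("active :", data_connection_passes("active", 1501))
    print("passive:", data_connection_passes("passive", 1501, reply))
    print("passive+established:",
          data_connection_passes("passive", 1501, reply, allow_established=True))
```

The active-mode opener arrives from source port 20, which the question's rules never admit, so it is dropped exactly as the debug output in the question suggests. Passive mode turns the data connection into an outbound call; it still needs a rule for the server's answer (the established rule modelled above), but no inbound call to a random high port. Moving the proxy outside the filter, as Peter suggests, sidesteps both cases because the only connection crossing the filter is the client's call to the proxy's configured port.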
