CERN proxy and packet filters question
: Hi,
: I have the CERN HTTPD proxy server running behind a packet filtering
: router. The proxy handles HTTP requests fine, but it doesn't like
: FTP requests. I made sure the router allows incoming TCP packets with
: source = 80 and destination >= 1024. Similarly, the router allows incoming
: packets with source = 21 and destination >= 1024.
: Strangely enough, using the shell on the proxy host, I can ftp outside.
: But HTTPD can't seem to do the same. Running HTTPD in debug
: mode shows that it wants to receive from ports other than 21
: (generally above 1023). In fact, if I allow more TCP packets through,
: everything works. Is this correct? I always thought FTP servers
: only listen to port 21. Any suggestions for configuring a packet
: filter to enable ftp via the CERN proxy (while remaining secure)?
I believe this is related to the same problem some ftp clients have
with packet filters, the ftp protocol allows for data connections from
ports greater than 1023. The goal when using ftp through a filter is
to get the client to operate in 'passive' mode. This mode was defined
by RFC 1579:
The FTP protocol [1] uses a secondary TCP connection for actual
transmission of files. By default, this connection is set up by an
active open from the FTP server to the FTP client. However, this
scheme does not work well with packet filter-based firewalls, which
in general cannot permit incoming calls to random port numbers.
If, on the other hand, clients use the PASV command, the data channel
will be an outgoing call through the firewall. Such calls are more
easily handled, and present fewer problems.
The problem with the CERN httpd is that the proxy doesn't seem to
use passive mode and I haven't been able to find a way to get it
to short of altering the src...
Another thing you may notice with the CERN proxy is that making
requests for URLs such as http://www.xxx.com:8001/ will not
work without a rule in the filter for tcp port 8001. Many people
run httpd servers on Unix boxes they don't have root access to and
thus cannot have the server sitting on port 80 (<1024).
For these reasons, we usually put the CERN proxy *outside* the firewall.
This way, no matter what requests are going to the CERN proxy from your
(netscape?) client, ftp, http, wais, gopher, they always go through the
filter on the port you have configured the proxy on (usually port 80),
but the proxy can then relay the request on any port number it feels like.
Hope this helps...
--------------------------------------------------------------------
Peter Howlett Atlantic Systems Group
Phone (Home): (506) 455-6165 Fredericton, N.B. Canada
http://www.ASG.unb.ca/personal/ph.html Fax: (506) 453-5004
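The following is an added example, not code from the thread or from the CERN httpd, that models the two points of the reply above: why an active-mode FTP data connection is dropped by the stateless rules described in the question, why a PASV data connection is not, and why a reply from an HTTP server on port 8001 needs a rule of its own. The filter rules are taken from the question (source port 80 or 21, destination >= 1024); the optional "established" rule (allow any inbound segment carrying ACK) is an assumption about a typical router configuration, not something the post states. The PASV reply, the port numbers and the client port 40000 are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """An inbound TCP segment as a stateless packet filter sees it."""
    src_port: int
    dst_port: int
    syn: bool  # set on the first segment of a new connection
    ack: bool  # set on every segment once a handshake is under way


def inbound_allowed(pkt: Packet, established_rule: bool = True) -> bool:
    """Rules modelled on the question: inbound TCP from source port 80 or 21
    to a destination port >= 1024 is allowed.  'established_rule' adds the
    common extra rule (an assumption, not stated in the post) that any
    inbound segment carrying ACK is allowed, i.e. replies to connections
    that the inside host opened itself."""
    if pkt.src_port in (80, 21) and pkt.dst_port >= 1024:
        return True
    return established_rule and pkt.ack


PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple:
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into
    the address and port the client must connect to for the data channel."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no host/port tuple in PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_data_syn(client_port: int) -> Packet:
    """Active mode: the server's data port (20) opens a NEW connection
    inward to the high port the client announced with PORT."""
    return Packet(src_port=20, dst_port=client_port, syn=True, ack=False)


def passive_data_reply(server_data_port: int, client_port: int) -> Packet:
    """Passive mode: the client opened the data connection outward, so the
    first inbound segment is the server's SYN-ACK, which carries ACK."""
    return Packet(src_port=server_data_port, dst_port=client_port, syn=True, ack=True)


def http_reply_from(server_port: int, client_port: int) -> Packet:
    """SYN-ACK reply of an HTTP connection the proxy opened to server_port
    (80 for a normal server, 8001 for the non-root server in the reply)."""
    return Packet(src_port=server_port, dst_port=client_port, syn=True, ack=True)


if __name__ == "__main__":
    CLIENT_PORT = 40000  # constructed ephemeral port on the proxy host
    print("active FTP data SYN allowed:",
          inbound_allowed(active_data_syn(CLIENT_PORT)))
    host, port = parse_pasv("227 Entering Passive Mode (192,0,2,10,7,139)")  # constructed
    print("PASV data target:", host, port)
    print("passive FTP data reply allowed:",
          inbound_allowed(passive_data_reply(port, CLIENT_PORT)))
    print("http :8001 reply allowed without 'established' rule:",
          inbound_allowed(http_reply_from(8001, CLIENT_PORT), established_rule=False))
```

The active-mode SYN from port 20 fails both rules, which is what the debug output in the question shows; the passive data reply and the port 8001 reply only pass because of the "established" rule, so a filter that has only the two source-port rules from the question will still drop them. Note also that a rule keyed on the remote source port trusts whatever the far end puts in that field, which is why stateful connection tracking is the preferred way to admit return traffic.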