FTP proxy


FTP proxy

Andrea Venturoli
Hello.

I'm trying to evaluate FTP proxying with squid and I have a couple of
questions.
To be clear, I'm not talking about FTP through HTTP, but about the
ftp_port option.
I've used frox (http://frox.sourceforge.net/) in the past for this.



I see this feature was introduced in 3.5 as an experimental one; at 4.13
is it still so or is it considered stable and dependable?
(For now I'm not interested in logging, interception, etc..., I just
need to bypass a firewall easily).

Is there a way to restrict the port range of the additional connections
(e.g. to 40000-50000)?

  bye & Thanks
        av.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: FTP proxy

Antony Stone
On Sunday 06 December 2020 at 16:26:26, Andrea Venturoli wrote:

> Hello.
>
> I'm trying to evaluate FTP proxying with squid and I have a couple of
> questions.
> To be clear, I'm not talking about FTP through HTTP, but about the
> ftp_port option.
> I've used frox (http://frox.sourceforge.net/) in the past for this.
>
> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?

I can't answer your detailed questions above personally; however I'm sure
someone else here can, but the following point intrigued me...

> (For now I'm not interested in logging, interception, etc..., I just
> need to bypass a firewall easily).

Where is the firewall, compared to your Squid proxy, in the network?

I'm just wondering how you plan to use Squid's native FTP mode to bypass a
firewall, which is therefore presumably blocking FTP...?

> Is there a way to restrict the port range of the additional connections
> (e.g. to 40000-50000)?
>
>   bye & Thanks
> av.


Regards,


Antony.

--
"In fact I wanted to be John Cleese and it took me some time to realise that
the job was already taken."

 - Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: FTP proxy

Andrea Venturoli
On 12/6/20 4:44 PM, Antony Stone wrote:

> Where is the firewall, compared to your Squid proxy, in the network?

Squid runs on the firewall itself.



> I'm just wondering how you plan to use Squid's native FTP mode to bypass a
> firewall, which is therefore presumably blocking FTP...?

It's not blocking FTP for itself, but it's blocking FTP to internal clients.

Re: FTP proxy

Antony Stone
On Sunday 06 December 2020 at 16:56:10, Andrea Venturoli wrote:

> On 12/6/20 4:44 PM, Antony Stone wrote:
> > Where is the firewall, compared to your Squid proxy, in the network?
>
> Squid runs on the firewall itself.
>
> > I'm just wondering how you plan to use Squid's native FTP mode to bypass
> > a firewall, which is therefore presumably blocking FTP...?
>
> It's not blocking FTP for itself, but it's blocking FTP to internal
> clients.

Oh, so you're in charge of both?

That would make sense, then - otherwise I was wondering how a client would get
FTP out to the Internet via Squid if they weren't allowed to through the
firewall...

Thanks,


Antony.

--
If you were ploughing a field, which would you rather use - two strong oxen or
1024 chickens?

 - Seymour Cray, pioneer of supercomputing

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: FTP proxy

Andrea Venturoli
On 12/6/20 5:01 PM, Antony Stone wrote:

> Oh, so you're in charge of both?

Yes.


Re: FTP proxy

Alex Rousskov
In reply to this post by Andrea Venturoli
On 12/6/20 10:26 AM, Andrea Venturoli wrote:

> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?

AFAIK, FTP proxy is successfully used in some production environments,
but I bet that most Squid deployments do not use this feature. YMMV.


> Is there a way to restrict the port range of the additional connections
> (e.g. to 40000-50000)?

I do not know what connections you are talking about (there are at least
four connections when it comes to a typical proxied FTP transaction).

* If you are talking about source ports used by from-Squid TCP
connections, then those are usually handled by your OS ephemeral ports
setting (e.g., sysctl net.ipv4.ip_local_port_range).

* If you are talking about blocking FTP PORT/EPRT commands based on the
ports requested by FTP clients, then, in theory, one should be able to
block such requests using http_access ACLs targeting
fake/internal/wrapping HTTP requests that represent the corresponding
raw FTP command. However, I have not tested whether that works in
practice, and I suspect that Squid does _not_ supply enough details for
the http_access ACLs to work in this use case.

Please note that, AFAICT, Squid code talking to FTP servers does not
support PORT/EPRT commands, so Squid converts each received FTP
PORT/EPRT command into a PASV command (wrapped in an HTTP request for
Squid traversal). In that wrapping HTTP request, the FTP-Command header
field value will be set to PASV, not PORT or EPRT.


HTH,

Alex.

Re: FTP proxy

Sticher, Jascha
Hi Andrea,

> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?

We are using the squid ftp_port feature for some customers. So far, we have not experienced any issues.
The only downside to using frox (from which we also have migrated) is the missing feature of setting an upstream proxy (proxy-chaining FTP).

> Is there a way to restrict the port range of the additional connections
> (e.g. to 40000-50000)?
As Alex mentioned, squid forces passive FTP, which is better for firewalled environments anyway.
You should activate automatic FTP detection on your firewall (hint: FTP helper for iptables) - this way you don't need to add any extra rules besides the FTP data connection port.


Kind regards,

Jascha Sticher
Fujitsu

Re: FTP proxy

Matus UHLAR - fantomas
In reply to this post by Alex Rousskov
>On 12/6/20 10:26 AM, Andrea Venturoli wrote:
>> Is there a way to restrict the port range of the additional connections
>> (e.g. to 40000-50000)?

On 06.12.20 14:41, Alex Rousskov wrote:
>I do not know what connections you are talking about (there are at least
>four connections when it comes to a typical proxied FTP transaction).
>
>* If you are talking about source ports used by from-Squid TCP
>connections, then those are usually handled by your OS ephemeral ports
>setting (e.g., sysctl net.ipv4.ip_local_port_range).

I guess he means the opposite: local port range for passive connections

>* If you are talking about blocking FTP PORT/EPRT commands based on the
>ports requested by FTP clients, then, in theory, one should be able to
>block such requests using http_access ACLs targeting
>fake/internal/wrapping HTTP requests that represent the corresponding
>raw FTP command. However, I have not tested whether that works in
>practice, and I suspect that Squid does _not_ supply enough details for
>the http_access ACLs to work in this use case.

this should be used against https://en.wikipedia.org/wiki/FTP_bounce_attack

>Please note that, AFAICT, Squid code talking to FTP servers does not
>support PORT/EPRT commands, so Squid converts each received FTP
>PORT/EPRT command into a PASV command (wrapped in an HTTP request for
>Squid traversal). In that wrapping HTTP request, the FTP-Command header
>field value will be set to PASV, not PORT or EPRT.

this makes FTP easier to handle on squid.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
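The 227/229 replies that come back once the proxy has, as Alex describes, swapped the client's PORT/EPRT for a PASV, together with the bounce-attack check Matus points at, as an added example. This is not Squid's code and not from anyone in the thread: the server replies and addresses (192.0.2.10 and 198.51.100.7, both documentation ranges) are constructed, the 40000-50000 range is borrowed from Andrea's question as the assumed firewall-permitted range, and EPSV parsing is included as an extension beyond what the thread mentions, because a 229 reply carries no address and so cannot redirect the data connection at all.

```python
"""Parse and vet the passive-mode replies a proxy gets back from an FTP server.

Constructed example for this thread; it is not Squid code. Once the proxy
has turned the client's PORT/EPRT into a PASV toward the server, the only
data endpoint it learns from the server side is the text of a 227 (or, for
EPSV, 229) reply, which is attacker-controlled. Two checks are applied:
the advertised address must be the control-connection peer (FTP bounce /
PASV-redirect defence) and the port must sit in a range the firewall
actually opens (40000-50000 here, an assumption taken from the question).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". Parentheses are
# customary but not mandatory, so only the six numbers are relied on.
PASV_RE = re.compile(r"227 [^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"; no address is carried.
EPSV_RE = re.compile(r"229 [^(]*\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Turn a 227 reply into the address/port the server is advertising."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range: {line!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_epsv_reply(line: str, control_peer: str) -> DataEndpoint:
    """EPSV data connections always go to the control-connection host."""
    m = EPSV_RE.match(line)
    if not m:
        raise ValueError(f"not an EPSV reply: {line!r}")
    return DataEndpoint(control_peer, int(m.group(1)))


def endpoint_is_acceptable(ep: DataEndpoint, control_peer: str,
                           allowed: Tuple[int, int] = (40000, 50000)) -> Tuple[bool, str]:
    """Return (ok, reason). Reject bounce targets and ports the firewall blocks."""
    try:
        if ipaddress.ip_address(ep.host) != ipaddress.ip_address(control_peer):
            return False, f"server advertised {ep.host}, control peer is {control_peer}"
    except ValueError as exc:
        return False, f"unparsable address: {exc}"
    lo, hi = allowed
    if not lo <= ep.port <= hi:
        return False, f"port {ep.port} outside permitted range {lo}-{hi}"
    return True, "ok"


def client_to_server_command(cmd: str) -> str:
    """The rewrite Alex describes: PORT/EPRT from the client are never relayed;
    the proxy asks the server for a passive endpoint instead."""
    verb = cmd.split(maxsplit=1)[0].upper() if cmd.strip() else ""
    return "PASV" if verb in ("PORT", "EPRT") else cmd


if __name__ == "__main__":
    server = "192.0.2.10"  # constructed: control-connection peer
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,80)",    # port 50000, fine
                  "227 Entering Passive Mode (198,51,100,7,195,80)",  # bounce target
                  "227 Entering Passive Mode (192,0,2,10,3,233)"):    # port 1001, blocked
        ep = parse_pasv_reply(reply)
        print(reply, "->", ep, endpoint_is_acceptable(ep, server))
    print(client_to_server_command("PORT 10,0,0,5,4,1"), client_to_server_command("RETR x"))
```

The address check is the one that matters against a malicious or compromised server: without it a 227 reply can point the proxy's data connection at any host the proxy can reach, which is exactly the bounce attack. The port-range check only helps if the firewall really drops everything else, and it says nothing about the ports Squid itself hands out to clients on its own PASV replies.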

Re: FTP proxy

Andrea Venturoli
In reply to this post by Alex Rousskov
On 12/6/20 8:41 PM, Alex Rousskov wrote:

> AFAIK, FTP proxy is successfully used in some production environments,
> but I bet that most Squid deployments do not use this feature. YMMV.

Thanks.


>> Is there a way to restrict the port range of the additional connections
>> (e.g. to 40000-50000)?
>
> I do not know what connections you are talking about (there are at least
> four connections when it comes to a typical proxied FTP transaction).

I'm talking about the ports used by the clients to connect to Squid
(besides 21), using passive FTP (i.e. those returned by PASV command).

  bye & Thanks
        av.

Re: FTP proxy

Alex Rousskov
On 12/7/20 5:03 AM, Andrea Venturoli wrote:

> I'm talking about the ports used by the clients to connect to Squid
> (besides 21), using passive FTP (i.e. those returned by PASV command).

Just to avoid misunderstanding, "those returned by PASV command" should
be interpreted as "ports returned by Squid to the client in response to
the client PASV command". The PASV command itself does not list ports.

When handling a PASV command, Squid creates a listening socket bound to
an ephemeral TCP port selected by the operating system. Ephemeral port
ranges are usually handled by your OS ephemeral ports setting (e.g.,
sysctl net.ipv4.ip_local_port_range).


HTH,

Alex.

Re: FTP proxy

Andrea Venturoli
On 12/7/20 4:08 PM, Alex Rousskov wrote:
> On 12/7/20 5:03 AM, Andrea Venturoli wrote:
>
>> I'm talking about the ports used by the clients to conect to Squid
>> (besides 21), using passive FTP (i.e. those returned by PASV command).
>
> Just to avoid misunderstanding, "those returned by PASV command" should
> be interpreted as "ports returned by Squid to the client in response to
> the client PASV command". The PASV command itself does not list ports.

Yes, that's what I meant.
Thanks for clarifying.



> When handling a PASV command, Squid creates a listening socket bound to
> an ephemeral TCP port selected by the operating system. Ephemeral port
> ranges are usually handled by your OS ephemeral ports setting (e.g.,
> sysctl net.ipv4.ip_local_port_range).

For the record, since I'm not using Linux, but FreeBSD, I guess that
would be net.inet.ip.portrange.first/net.inet.ip.portrange.last (or,
possibly, net.inet.ip.portrange.hifirst/net.inet.ip.portrange.hilast,
I'd have to check the source).

However those are system wide settings; I guess there is no equivalent
of frox.conf's "PassivePorts" settings, then.

Thanks.

Re: FTP proxy

Alex Rousskov
On 12/8/20 2:50 AM, Andrea Venturoli wrote:
> On 12/7/20 4:08 PM, Alex Rousskov wrote:
>> When handling a PASV command, Squid creates a listening socket bound to
>> an ephemeral TCP port selected by the operating system. Ephemeral port
>> ranges are usually handled by your OS ephemeral ports setting (e.g.,
>> sysctl net.ipv4.ip_local_port_range).

> For the record, since I'm not using Linux, but FreeBSD, I guess that
> would be net.inet.ip.portrange.first/net.inet.ip.portrange.last (or,
> possibly, net.inet.ip.portrange.hifirst/net.inet.ip.portrange.hilast,
> I'd have to check the source).

> However those are system wide settings; I guess there is no equivalent
> of frox.conf's "PassivePorts" settings, then.

Correct. Squid just bind(2)s the listening socket to port zero.

Alex.
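What "Squid just bind(2)s the listening socket to port zero" means in practice for the firewall rule, as an added example that is not Squid code: the script reads the OS ephemeral range the way an administrator would (Linux: /proc/sys/net/ipv4/ip_local_port_range; FreeBSD: the net.inet.ip.portrange.first/last sysctls Andrea guessed at, which this script assumes rather than verifies), then does what the proxy does on each PASV, binding a listener to port 0 and reporting the port the kernel handed back, so the result can be compared against that range.

```python
"""Where a passive-mode listener's port actually comes from.

Added example, not Squid code. The proxy bind(2)s its PASV listening
socket to port 0 and lets the kernel choose, so the only knob is the
OS-wide ephemeral range. This script reads that range and then binds a
listener the same way, so the two can be compared on the firewall host.
"""
import platform
import socket
import subprocess
from typing import List, Optional, Tuple

LINUX_RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"
# FreeBSD sysctl names as guessed in the thread; an assumption of this example.
FREEBSD_SYSCTLS = ("net.inet.ip.portrange.first", "net.inet.ip.portrange.last")


def ephemeral_range() -> Optional[Tuple[int, int]]:
    """Return (low, high) of the OS ephemeral port range, or None if unknown."""
    system = platform.system()
    try:
        if system == "Linux":
            with open(LINUX_RANGE_FILE) as f:
                lo, hi = (int(x) for x in f.read().split())
            return lo, hi
        if system == "FreeBSD":
            vals = [int(subprocess.check_output(["sysctl", "-n", name], text=True))
                    for name in FREEBSD_SYSCTLS]
            return vals[0], vals[1]
    except (OSError, ValueError, subprocess.CalledProcessError):
        pass
    return None


def bind_like_squid(host: str = "127.0.0.1") -> int:
    """Bind a listening TCP socket to port 0, as the proxy does for PASV,
    and return the port the kernel picked."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        s.listen(1)
        return s.getsockname()[1]


def port_in_range(port: int, rng: Optional[Tuple[int, int]]) -> Optional[bool]:
    """True/False if the range is known, None if it could not be read."""
    if rng is None:
        return None
    return rng[0] <= port <= rng[1]


def sample_pasv_ports(n: int = 5) -> List[int]:
    """Allocate n listeners in turn; each port is released before the next."""
    return [bind_like_squid() for _ in range(n)]


if __name__ == "__main__":
    rng = ephemeral_range()
    print("OS ephemeral range:", rng)
    for p in sample_pasv_ports():
        print(f"kernel chose {p}; inside range: {port_in_range(p, rng)}")
```

The caveat for the plan in the question: net.ipv4.ip_local_port_range (and the FreeBSD range it corresponds to) also governs the source ports of every outbound connection the host makes, Squid's own server-side control and data connections included, so narrowing it to 40000-50000 shrinks the whole box's port pool rather than just the PASV listeners. Opening the full OS range on the firewall for the proxy's address, or relying on the conntrack FTP helper Jascha mentions so the data connections are admitted as RELATED, are the realistic options.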