> The proxy completely controls what the client gets given. It is
> breaking transparency by not reverse-mapping the response properly.
> Mention it to the authors and get it fixed.

The authors (Websense) are of a different opinion of how this issue is fixed. They recommended that we enable active FTP (significant security risk).

> A transparent proxy is equivalent to a NAT module in all respects.
> Merely operates on the FTP layer in this case.
> Switch "module" for "proxy" and you have a good plan for fixing the
> bug.

Not really, even proxying these requests would result in the same issue as the child proxy would relay the parent proxy's response.

> NOTE: If you do steps 5 and 6 in the IP layer you will be bypassing the
> proxy data handling and void all your reasons for having it done by a
> proxy in the first place. Instead of by the conntrack NAT module for FTP
> for both outgoing and returning traffic.

The point is not to get rid of the proxy but to fix the issue that the proxy is presenting to all FTP communications.

> Disclaimer: I'm not one of the NF gurus. Just a proxy guy.

Thanks anyways.