Finally I've managed to go on ftp.intel.com using FileZilla through my squid gateway in standart (proxy) mode.
Squid conf:
ftp_port x.x.x.x 2122
Then I try to block FTP-Command and nothing happen. Some from my config:
acl rh req_header -i ^FTP-Command
http_access deny rhAnd also add following:
request_header_access "FTP-Command: LIST" deny all
In squid log i see (fragment):
2016/10/04 15:23:04.177 kid1| 9,2| FtpServer.cc(495) writeReply: FTP Client REPLY:
---------
227 Entering Passive Mode (192,168,33,254,230,30).
----------
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.178 kid1| 33,2| FtpServer.cc(699) parseOneRequest: >>ftp LIST
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1320) handleRequest: FTP Client local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1322) handleRequest: FTP Client REQUEST:
---------
GET / HTTP/1.1
FTP-Command: LIST
FTP-Arguments:
----------
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED; last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(720) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED; last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1, url="" href="ftp://ftp.intel.com/">ftp://ftp.intel.com/
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for 'ftp://ftp.intel.com/'
---------
227 Entering Passive Mode (192,168,33,254,230,30).
----------
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.178 kid1| 33,2| FtpServer.cc(699) parseOneRequest: >>ftp LIST
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1320) handleRequest: FTP Client local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1322) handleRequest: FTP Client REQUEST:
---------
GET / HTTP/1.1
FTP-Command: LIST
FTP-Arguments:
----------
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED; last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(720) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED; last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1, url="" href="ftp://ftp.intel.com/">ftp://ftp.intel.com/
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for 'ftp://ftp.intel.com/'
But I need to block FTP-Command: LIST (for example)
2016-10-03 20:34 GMT+03:00 Alex Rousskov <rousskov@measurement-factory.com >:
Please ask these questions on squid-users...
On 10/03/2016 05:51 AM, oleg gv wrote:
> Thanks, but problems still exist - FTP doesn't work through proxy.
>
> 1. I've set in proxy
> ftp_port 192.168.0.1:2121 <http://192.168.0.1:2121>
> 2. set in client browser to use proxy for FTP on 192.168.0.1:2121
> <http://192.168.0.1:2121>
>
> Trying to go ftp://ftp.intel.com and In log of squid i see:
>
> FTP Client REPLY:
> ---------
> 530 Must login first
>
> ####
>
> Another variant: setup inerception ftp_proxy (with nat redirect) - and
> it also doesn'nt work: last commands in log:
> 2016/10/03 14:43:09.929 kid1| 9,2| FtpRelay.cc(733)
> dataChannelConnected: connected FTP server data channel:
> local=8x.xxx.xxx.xxx:41231 remote=192.198.164.82:36034
> <http://192.198.164.82:36034> FD 19 flags=1
> 2016/10/03 14:43:09.929 kid1| 9,2| FtpClient.cc(791) writeCommand: ftp<<
> LIST
>
> 2016/10/03 14:43:10.125 kid1| 9,2| FtpClient.cc(1108) parseControlReply:
> ftp>> 125 Data connection already open; Transfer starting.
>
> And ftp.intel com is hang, trying to open..
>
>
>
>
>
> 2016-10-01 2:12 GMT+03:00 Alex Rousskov
> <rousskov@measurement-factory.com
> <mailto:rousskov@measurement-factory.com >>:
>
> On 09/30/2016 10:42 AM, oleg gv wrote:
>
> > Hello, I've found that NativeFtpRelay appeared in squid 3.5 . Is it
> > possible to apply http-access acl for FTP proto concerning filtering of
> > FTP methods(commands)
>
> Yes, it should be possible.
>
>
> > by analogy of HTTP methods ?
>
> Not quite. IIRC, when the HTTP message representing the FTP transaction
> is relayed through Squid, the FTP command name is _not_ stored as an
> HTTP method. The FTP command name is stored as HTTP "FTP-Command" header
> value. See http://wiki.squid-cache.org/Features/FtpRelay
> <http://wiki.squid-cache.org/Features/FtpRelay >
>
> You should be able to block FTP commands using a req_header ACL.
>
>
> > what other possibilities in squid exist to do this ?
>
> An ICAP or eCAP service can also filter relayed FTP messages.
>
> Alex.
>
>
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
