On 01/23/2017 03:11 AM, Alexander wrote:
> 3. Squid opens a local port and sends it back to client via the "Entering
> passive mode" reply. Seems to be ok, but a client sees a real server's IP
> address, not a squid's one. So when a client tries to connect to a server,
> it gets ECONNREFUSED because no-one is listening on a requested port.

This Squid behavior is intentional:

> // In interception setups, we combine remote server address with a
> // local port number and hope that traffic will be redirected to us.
...
> mb.appendf("227 Entering Passive Mode (%s,%i,%i).\r\n",

> So when a client tries to connect to a server,

... your networking rules should redirect that connection to Squid in
order to avoid the problem you are describing:

> it gets ECONNREFUSED because no-one is listening on a requested port.

Please note that I am _not_ claiming that the intentional Squid behavior
is correct in all cases. I only know that we made Squid do what it does
now to fix a (most likely real) problem:

> revno: 12742.1.11
> branch nick: ftp-gw
> timestamp: Wed 2013-08-21 09:39:09 -0600
> message:
> Fixed address handling for PASV responses in interception cases.

HTH,

Alex.
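To check a captured control-channel reply against the behavior described in the message above, the following added example (not part of the original message and not Squid's code) builds and decodes a 227 reply in the RFC 959 `h1,h2,h3,h4,p1,p2` layout and reports whether the advertised endpoint depends on a redirect rule. The function names and the addresses and port are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample values (documentation address ranges), not from the thread.
SERVER_ADDR = "192.0.2.10"    # real FTP server the client believes it talks to
PROXY_ADDR = "198.51.100.5"   # address of the intercepting proxy
LOCAL_PORT = 50123            # port the proxy opened for the data connection

PASV_RE = re.compile(r"^227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def build_pasv_reply(addr: str, port: int) -> str:
    """Format a 227 reply: address octets comma-separated, port as two bytes."""
    ip = ipaddress.IPv4Address(addr)  # PASV carries IPv4 only
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "227 Entering Passive Mode (%s,%i,%i).\r\n" % (
        str(ip).replace(".", ","), port // 256, port % 256)


def parse_pasv_reply(line: str):
    """Return (address, port) advertised by a 227 reply, validating each field."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    addr = ".".join(str(f) for f in fields[:4])
    return addr, fields[4] * 256 + fields[5]


def data_connection_needs_redirect(reply: str, proxy_addr: str) -> bool:
    """True when the advertised address is not the proxy's own, so the client's
    data connection only reaches the proxy if the network redirects it."""
    addr, _port = parse_pasv_reply(reply)
    return ipaddress.IPv4Address(addr) != ipaddress.IPv4Address(proxy_addr)


if __name__ == "__main__":
    reply = build_pasv_reply(SERVER_ADDR, LOCAL_PORT)
    addr, port = parse_pasv_reply(reply)
    print(reply.strip())
    print("client will connect to %s:%d" % (addr, port))
    print("needs redirect:", data_connection_needs_redirect(reply, PROXY_ADDR))
```

When the check returns true and no rule redirects the decoded port to the proxy, the client's connection goes to the real server, where nothing listens on that port.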