>On 12/6/20 10:26 AM, Andrea Venturoli wrote:
>> Is there a way to restrict the port range of the additional connections
>> (e.g. to 40000-50000)?

On 06.12.20 14:41, Alex Rousskov wrote:
>I do not know what connections you are talking about (there are at least
>four connections when it comes to a typical proxied FTP transaction).
>
>* If you are talking about source ports used by from-Squid TCP
>connections, then those are usually handled by your OS ephemeral ports
>setting (e.g., sysctl net.ipv4.ip_local_port_range).

I guess he means the opposite: local port range for passive connections.

>* If you are talking about blocking FTP PORT/EPRT commands based on the
>ports requested by FTP clients, then, in theory, one should be able to
>block such requests using http_access ACLs targeting
>fake/internal/wrapping HTTP requests that represent the corresponding
>raw FTP command. However, I have not tested whether that works in
>practice, and I suspect that Squid does _not_ supply enough details for
>the http_access ACLs to work in this use case.

This should be used against https://en.wikipedia.org/wiki/FTP_bounce_attack

>Please note that, AFAICT, Squid code talking to FTP servers does not
>support PORT/EPRT commands, so Squid converts each received FTP
>PORT/EPRT command into a PASV command (wrapped in an HTTP request for
>Squid traversal). In that wrapping HTTP request, the FTP-Command header
>field value will be set to PASV, not PORT or EPRT.

This makes FTP easier to handle on Squid.
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
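The two points raised in the thread, filtering PORT/EPRT on the port a client asks for and the FTP bounce attack that such filtering defends against, come down to one decision per data-connection request: is the requested port inside the administrator's window, and is the requested host the peer of the control connection? The following is an added example written for this page; it is not code from the thread, from Squid, or from any Squid ACL, and it does not model how Squid wraps FTP commands into HTTP requests or the PORT-to-PASV conversion Alex describes. It parses PORT/EPRT commands (RFC 959, RFC 2428) and the 227/229 replies that answer PASV/EPSV, and applies the check to both directions. The 40000-50000 window is taken from the question and is an assumed policy; the sample lines are constructed, not captured.

```python
"""Validate the endpoint an FTP peer asks us to open a data connection to.

Added illustration for the squid-users thread above; not Squid code.  It
shows the decision an http_access-style filter would have to make on
PORT/EPRT commands and on 227/229 replies: the requested port must lie in
the administrator's window, and the requested host must be the
control-connection peer itself, the classic countermeasure to the FTP
bounce attack.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Data-connection port window; 40000-50000 is the range from the question
# above and is an assumed policy, not something Squid itself enforces.
ALLOWED_PORTS = range(40000, 50001)

_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.I)
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def _decode_hp(csv: str) -> Optional[Tuple[str, int]]:
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2); None if a byte > 255."""
    fields = [int(f) for f in csv.split(",")]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def parse_endpoint(line: str) -> Optional[Tuple[str, Optional[str], int]]:
    """Return (kind, host, port) for PORT, EPRT, 227 and 229 lines.

    host is None for a 229 (EPSV) reply, which carries only the port.
    Returns None for any other line and for syntactically broken ones,
    which a filter should treat as deny rather than guess at.
    """
    line = line.rstrip("\r\n")
    m = _PORT_RE.match(line)
    if m:
        hp = _decode_hp(m.group(1))
        return None if hp is None else ("PORT", hp[0], hp[1])
    m = _PASV_RE.match(line)
    if m:
        hp = _decode_hp(m.group(1))
        return None if hp is None else ("PASV", hp[0], hp[1])
    m = _EPRT_RE.match(line)
    if m:
        family, host, port = m.group(1), m.group(2), int(m.group(3))
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None
        # RFC 2428: protocol 1 is IPv4, 2 is IPv6; a mismatch is malformed.
        if addr.version != {"1": 4, "2": 6}[family]:
            return None
        return ("EPRT", str(addr), port)
    m = _EPSV_RE.match(line)
    if m:
        return ("EPSV", None, int(m.group(1)))
    return None


def check_endpoint(line: str, control_peer: str,
                   allowed: range = ALLOWED_PORTS) -> Tuple[bool, str]:
    """Decide whether the data endpoint in `line` may be honoured.

    control_peer is the address of whoever sent the line: the FTP client for
    PORT/EPRT, the FTP server for 227/229 replies.  A client naming any other
    host is the bounce attack; a server naming another host would make the
    proxy connect to arbitrary addresses on the server's say-so.
    """
    parsed = parse_endpoint(line)
    if parsed is None:
        return False, "not a well-formed PORT/EPRT command or 227/229 reply"
    kind, host, port = parsed
    if port not in allowed:
        return False, f"{kind}: port {port} outside {allowed.start}-{allowed.stop - 1}"
    if host is not None and ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, f"{kind}: host {host} is not the control-connection peer {control_peer}"
    return True, f"{kind}: {host or control_peer}:{port} accepted"


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real session.
    samples = [
        ("PORT 192,0,2,10,176,38", "192.0.2.10"),        # 45094 on own address: allow
        ("PORT 192,0,2,10,0,80", "192.0.2.10"),          # port 80: outside window
        ("PORT 198,51,100,7,176,38", "192.0.2.10"),      # third host: bounce attempt
        ("EPRT |2|2001:db8::10|45000|", "2001:db8::10"),  # IPv6 active: allow
        ("EPRT |1|2001:db8::10|45000|", "2001:db8::10"),  # family/address mismatch
        ("227 Entering Passive Mode (203,0,113,5,195,80).", "203.0.113.5"),  # 50000: allow
        ("229 Entering Extended Passive Mode (|||50001|)", "203.0.113.5"),   # one past the window
        ("RETR secret.txt", "192.0.2.10"),               # not a data-endpoint line
    ]
    for sample, peer in samples:
        ok, why = check_endpoint(sample, peer)
        print("ALLOW" if ok else "DENY ", why)
```

The host comparison is the part that matters for the bounce attack; the port window alone would still let a client point the server at any other host inside that window. Malformed lines are denied rather than ignored, because a filter that passes what it cannot parse is one the peer can route around.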