
Re: FW: Encrypted browser-Squid connection errors

On 10/25/22 12:57 PM, Matus UHLAR - fantomas wrote:
That is why I prefer using "intercepting proxy" for the case where connections between clients and servers are intercepted by the proxy, without it being configured in browsers.

Fair enough.

precisely, so what exactly aren't you convinced about? :-)

The term "transparent" having multiple meanings.

I believe we were talking past each other and now are not.

Have you noticed this with SOCKS server?

Yes, DANTE SOCKS server is exactly where I first read about the limitation that I'm talking about. Subsequent reading of other SOCKS servers supported this limitation.

N.B. I'm specifically talking about how a SOCKS aware (FTP) client can ask that an external port be connected to the SOCKS client for a defined period of time (ten minutes in the examples I saw). This is sufficient for most active FTP connections (presuming that the ftp client is also the socks client) as the data connection from the FTP server comes back to the SOCKS server ~> FTP client in short order.

I guess this applies for firewalls that will disable connections to the port later.  But the same applies for PASV connections and the reply when a firewall at the server side is used.

Agreed.

Aside: I don't think I've ever seen SOCKS be used to front public services. Rather I've only ever seen SOCKS used for (private) clients.

When SSL/TLS is used between client and server, intermediate gateways and firewalls don't know what ports the endpoints agree on using PORT/PASV.

Unless they intercept the SSL connection (which kind of makes them FTP endpoints) or the client supports and issues the FTP command "CCC", which is designed for this case.  I'm afraid not many FTP clients do that.

Agreed.

I think this middle box behavior is far more common on HTTPS in larger data centers where the middle box is used to enforce compliance and the likes.

Agree.

The workaround is to use a static list of ports at the server side and configure the server firewall to statically allow connections to these ports (optionally NAT them).

Yep.

However, this is already not a Squid issue.

Agreed.



--
Grant. . . .
unix || die


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
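The thread's point about PORT/PASV negotiation and the static server-side port range can be made concrete with a small parser: a firewall or application-layer gateway that can see the plaintext FTP control channel reads the negotiated data port from a PORT command or a 227/229 reply and decides whether to open it; once the control channel runs under TLS (without CCC) there is nothing to parse, which is why a fixed passive range plus a static firewall rule is the usual workaround. The following is an added example written for this archive page, not code from the squid-users thread, from Squid, or from any FTP server or firewall; the 50000-50100 range and the sample control-channel lines are constructed for illustration.

```python
"""Parse FTP data-channel negotiation (PORT command, 227 PASV reply,
229 EPSV reply) and check the negotiated port against a static passive
range, as a server-side firewall with a fixed range would do.
Added example; range and sample lines are constructed."""
import re

# Constructed static passive range that the FTP server is configured to use
# and that the server-side firewall statically allows.
PASV_MIN, PASV_MAX = 50000, 50100

# PORT h1,h2,h3,h4,p1,p2 (client tells server where to connect, active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _hostport(groups):
    """Turn the six decimal fields of PORT/227 into (host, port), rejecting
    fields that are not valid octets or a port outside 1..65535."""
    fields = [int(g) for g in groups]
    if any(not 0 <= f <= 255 for f in fields):
        return None
    port = fields[4] * 256 + fields[5]
    if not 1 <= port <= 65535:
        return None
    return (".".join(str(f) for f in fields[:4]), port)


def parse_data_endpoint(line):
    """Return (host_or_None, port) negotiated by a PORT command or a 227/229
    reply, or None when the line carries no data-channel endpoint (which is
    also what an ALG sees for every line of a TLS-protected control channel)."""
    line = line.strip()
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m:
        return _hostport(m.groups())
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (None, port) if 1 <= port <= 65535 else None
    return None


def port_in_static_range(port, lo=PASV_MIN, hi=PASV_MAX):
    """True when the negotiated port lies inside the statically allowed range."""
    return lo <= port <= hi


def audit_control_channel(lines):
    """For each negotiation line, report (line, port, allowed). Lines that
    carry no endpoint are skipped, so an encrypted session yields nothing."""
    report = []
    for line in lines:
        ep = parse_data_endpoint(line)
        if ep is None:
            continue
        report.append((line.strip(), ep[1], port_in_static_range(ep[1])))
    return report


if __name__ == "__main__":
    # Constructed plaintext control-channel excerpt.
    sample = [
        "230 Login successful.",
        "227 Entering Passive Mode (192,0,2,10,195,88).",   # 50008, inside range
        "229 Entering Extended Passive Mode (|||50050|)",   # 50050, inside range
        "227 Entering Passive Mode (192,0,2,10,4,1).",      # 1025, outside range
        "PORT 192,0,2,20,200,0",                            # client port 51200
    ]
    for line, port, ok in audit_control_channel(sample):
        print(f"{'allow' if ok else 'deny '} port {port:5d}  <- {line}")
```

Running it shows two passive replies that a static rule for 50000-50100 would cover, one PASV reply outside the range that the firewall would block (the server would have to be configured to stay within its range), and a PORT command whose client-side port a server-side rule does not govern at all; a TLS-wrapped session produces an empty report, which is the middle-box problem the thread describes.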
