Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 11 replies
  • Subscribers 0 subscribers
  • Views 1714 views
  • Users 0 members are here
Options
Suggested

[7.250] no ftp thru transparent ftp proxy? [NOTABUG]

gkemter
After install 7.250 and import config from 7.201,
i cant connect to any ftp server (tryied ftp.astaro.com)
If i disable the ftp proxy or put my host into skiplist, ftp works.
Tried with IE,cmd ftp and total commander

Gregor Kemter
Parents Reply Children
  • 0 in reply to tom_01
    Transparent ftp-proxy produce tons of drop packets (21)

    Gregor Kemter
  • 0 in reply to gkemter
    Please post a few complete example lines of those drops. Thx!
  • 0 in reply to tom_01 

    2008:07:07-11:54:17 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:30:1b:b2:40:20" srcip="192.168.254.150" dstip="128.242.114.245" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="1943" dstport="21" tcpflags="SYN"

    2008:07:07-11:54:20 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:30:1b:b2:40:20" srcip="192.168.254.150" dstip="128.242.114.245" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="1943" dstport="21" tcpflags="SYN"

    2008:07:07-11:54:26 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:30:1b:b2:40:20" srcip="192.168.254.150" dstip="128.242.114.245" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="1943" dstport="21" tcpflags="SYN"

    2008:07:07-11:54:38 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:30:1b:b2:40:20" srcip="192.168.254.150" dstip="128.242.114.245" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="1944" dstport="21" tcpflags="SYN"

    2008:07:07-11:54:41 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:30:1b:b2:40:20" srcip="192.168.254.150" dstip="128.242.114.245" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="1944" dstport="21" tcpflags="SYN"

    2008:07:07-11:54:47 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:30:1b:b2:40:20" srcip="192.168.254.150" dstip="128.242.114.245" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="1944" dstport="21" tcpflags="SYN"

    2008:07:07-11:54:49 (none) ulogd[2631]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped
  • 0 in reply to gkemter
    Hm, this is the default FORWARD drop.

    What "Operation Mode" (new feature) is specified on the main page of the FTP proxy?
  • 0 in reply to gkemter
    @Tom

    maybe you describe how the new operation-mode have to work ?
    (transparent,non-transparent,both)

    regards

    Gregor Kemter
  • 0 in reply to gkemter
    In 7.201 and below the ftp proxy was always operating in transparent mode. In Non-Transparent mode, you can specify the ASG (port 2121) as an proxy in your ftp client. Both mode allowes transparent connections to port 21 everywhere and non-transparent connections to port 2121 on the ASG.

    If you have still trouble, you can send me your login data to cgarst at astaro dot com and i will look at your box what's going wrong.

    Regards
    Christoph Garst
    Astaro AG
  • 0 in reply to frickler
    Finaly found the bug in 7.250

    Ftp Proxy Skiplist (under Web Security->FTp->Advanced) works wrong.

    How to reproduce:
    FTP Proxy set to transparent mode
    Under advanced put the-one-host in skiplist
    Checkbox : allow blabla seems have no function, on/off change nothing
    try to ftp from the-one-host -> no go

    Remove the-one-host from skip-list -> ftp work

    Gregor Kemter
  • 0 in reply to gkemter
    Hosts or networks listed in the skiplist are skipping the proxy. This means they are subject to normal packet filtering. Since there is no rule to allow FTP by default, it is natural that FTP does not work on hosts which are in the skiplist.

    The "Allow FTP traffic for listed hosts/nets" adds a packet filter rule for the listed hosts which allows FTP without the proxy.

    I just tested all scenarios and they work OK.
  • 0 in reply to tom_01
    you are right.

    Maybe you change "Allow FTP traffic for listed hosts/nets" to something like Auto Packet Filter for listed hosts/nets

    Gregor Kemter