RE: [squid-users] FTP Whitelist hostnames vs ip

Thanks for the feedback. I was discussing this with some colleagues, and this aspect of FTP did come up. The problem with using frox, is it doesn't look like it supports external whitelist files, and I need to be able to assign some low level techs to add to the whitelist as needed.
Also, on the high ports comment, it's the only way I could get it to work at all, but I guess that's what I get for trying to shoehorn in something squid isn't designed for. :-)

Scott Mace
Infrastructure and Security Analyst
RenewData
512.276.5500 x 3244 Phone
512.276.5555 Fax
512.299.4439 Cell
scott.mace_at_renewdata.com
http://www.renewdata.com

Global in reach. Local in focus.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Thursday, July 28, 2011 8:38 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] FTP Whitelist hostnames vs ip

On 29/07/11 09:05, Scott Mace wrote:
> I have a whitelist to allow users to access only sites required. We primarily use it for ftp, either through a web browser or filezilla-like clients. The browser based is flawless, but odd behavior with ftp clients.
> acl whitelist dstdomain "/etc/squid3/whitelist"
> http_access deny !whitelist
> Whitelist contains (for testing):
> gatekeeper.dec.com
>
> Here is the result:
> 1311886691.258 21738 192.168.100.194 TCP_MISS/200 998 CONNECT gatekeeper.dec.com:21 - DIRECT/192.6.29.21 -
> 1311886757.392 0 192.168.100.194 TCP_DENIED/403 1899 CONNECT 192.6.29.21:51967 - NONE/- text/html
>
> As you can see, it changes from using hostname to IP address, which matches nothing in the whitelist, and is denied. If I add the IP to the whitelist, it works perfectly. How can I force it to always use the hostname?

You can't. It uses what the client is trying to use. So that malicious
clients can get denied.

As for the "change". This is how FTP works. With multiple channels
setup. Reason #1 why it cannot be relayed by Squid. Use a proxy designed
to relay FTP, such as frox, instead.

Squid only supports fetching FTP data and reformatting into HTTP
responses for clients. read-only via a web browser etc.

> IP added to whitelist:
> 1311887068.133 17458 192.168.100.194 TCP_MISS/200 1919 CONNECT gatekeeper.dec.com:21 - DIRECT/192.6.29.21 -
> 1311887072.841 124 192.168.100.194 TCP_MISS/200 0 CONNECT 192.6.29.21:51255 - DIRECT/192.6.29.21 -
>

The access permissions order is important:
   http://wiki.squid-cache.org/SquidFaq/OrderIsImportant

You have also broken the basic security protections:
 
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls#The_Safe_Ports_and_SSL_Ports_ACL

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
Confidentiality Notice: This electronic communication contained in this e-mail from Scott.Mace_at_renewdata.com (including any attachments) may contain privileged and/or confidential information. This communication is intended only for the use of indicated e-mail addressees. Please be advised that any disclosure, dissemination, distribution, copying, or other use of this communication or any attached document other than for the purpose intended by the sender is strictly prohibited. If you have received this communication in error, please notify the sender immediately by reply e-mail and promptly destroy all electronic and printed copies of this communication and any attached document. Thank you in advance for your cooperation.