
07-07-2009, 05:13 PM
Wizard | Join Date: Jul 2006 | Location: United States | Posts: 562
[7.460]BUG: HTTP Proxy doesn't catch allowed services
I have ftp in my http proxy allowed target services. The proxy is running in transparent mode. If I visit an ftp site by changing my browser to port 8080, I get the directory listing produced by Astaro. If I don't use port 8080 and try to let the transparent proxy catch the service, it goes directly via packet filter.
Screenshots:
1. Allowed services in http proxy
2. ftp.astaro.com via port 8080
3. ftp.astaro.com via transparent proxy?

07-07-2009, 05:14 PM
Join Date: Jun 2009 | Posts: 0
Code:
Astaro Beta Report
--------------------------------
Version: 7.460
Type: BUG
State: NOTABUG
Reporter: Billybob
Contributor:
MantisID:
--------------------------------
Last edited by Gert Hansen; 07-08-2009 at 10:56 PM.

07-07-2009, 08:17 PM
Senior Member | Join Date: Nov 2005 | Location: Canada | Posts: 153
Hi BillyBob,
I don't think this is a bug.
The Allowed Target Services list in the HTTP advanced will only apply to ports allowed through when the proxy is set in your Browser.
Transparent mode proxy only picks up port 80 (or 443 as well in Scan SSL mode). As such, even though FTP is in your list, it should only be expected to pick up when using the ASG as your designated proxy.
__________________
ASG 120 - 7.403
Beta 7.460

07-08-2009, 12:42 AM
Wizard | Join Date: Jul 2006 | Location: United States | Posts: 562
I understand what you are saying and I think this is the default behavior even with earlier versions. But let's say you are going to download.com and download a file. It will say redirecting to a download site, and then you will get a download message. In your mind you are browsing via http proxy with full virus protection. However, when the redirection took place, the download was switched over to ftp and hence not protected by url filtering or anything.
That might be by design, but why not just add a packet filter rule if it works as expected with regular proxy enabled? Wouldn't you agree? At least there should be some mention somewhere of this behavior.
Last edited by Billybob; 07-08-2009 at 12:47 AM.

07-08-2009, 01:10 AM
Moderator | Join Date: Mar 2007 | Location: Oklahoma City | Posts: 4,954
Thanks, Billybob, I just realized there's a raft of things I don't understand...
Are we sure that it's normal behavior for the AV to apply only to HTTP/S traffic?
If the FTP Proxy is enabled, should one remove FTP from the HTTP allowed services?
In Transparent Mode, how does the Proxy know that it's my browser making an FTP request instead of Filezilla? If I don't have a PF rule allowing FTP, and I haven't enabled the FTP Proxy, shouldn't such requests be blocked for Filezilla?
Cath, are there other "pernicious" things about what goes in the HTTP Proxy allowed services list?
Thanks - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

07-08-2009, 03:48 AM
Wizard | Join Date: Jul 2006 | Location: United States | Posts: 562
Bob, Cath is right. If you read the manual, it says that in transparent mode it will catch only port 80 traffic, or https if that is enabled. I guess the problem is that I am so used to using the proxy in standard mode, in which it will catch certain protocols without any further packet filter rules as long as they are in the allowed target services.
In standard mode, all ftp traffic is handled just like http traffic, with all the fancy download graphs and blocked messages that you expect to see. If you enable the separate FTP proxy (frox), it runs a separate proxy which doesn't include any of these features. I wonder why they didn't implement transparent mode for the in-house proxy. Maybe to be more verbose for the command line ftp clients?
I guess the real bug is that the allowed target services only works for standard proxy modes, although it is available in any mode.
Last edited by Billybob; 07-08-2009 at 05:21 AM.

07-08-2009, 11:27 AM
Wizard | Join Date: Dec 2006 | Posts: 653
Hi Bob,
this is a design problem of a transparent proxy. All other firewall competitors can only handle port 80 for a transparent http proxy and port 443 for a transparent https proxy. If you want to use the proxy security for other ports, you have to use another mode. There is no way to implement it.
Greetings
Andreas

07-08-2009, 03:28 PM
Moderator | Join Date: Mar 2007 | Location: Oklahoma City | Posts: 4,954
OK, may I restate this to be certain that I've understood correctly? In the 'Transparent mode', the HTTP/S Proxy only captures traffic on ports 80 and 443, and that traffic is the only traffic scanned by the A-V engines. Instead of creating packet filter rules for other web traffic, you can put those services into 'Allowed services' on the 'Advanced' tab, and the Astaro will create the necessary rules for you. The traffic for these other services is NOT scanned by the A-V engines, nor is it otherwise handled by the Proxy.
In the non-transparent modes, the HTTP/S proxy handles all of the services in 'Allowed Services' and the traffic is scanned by the A-V engines. I'm still left with the following questions:
- If the FTP Proxy is enabled, should one remove FTP from the HTTP allowed services regardless of the mode one is in?
- How does the Proxy know that it's my browser making an FTP request instead of Filezilla? Is it possible to make a port-20 request via port 8080? I must be ignorant of some fundamental principle.
Thanks - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

07-08-2009, 04:12 PM
Wizard | Join Date: Jul 2006 | Location: United States | Posts: 562
Quote: Originally Posted by BAlfson
In the 'Transparent mode', the HTTP/S Proxy only captures traffic on ports 80 and 443, and that traffic is the only traffic scanned by the A-V engines. Instead of creating packet filter rules for other web traffic, you can put those services into 'Allowed services' on the 'Advanced' tab, and the Astaro will create the necessary rules for you. The traffic for these other services is NOT scanned by the A-V engines, nor is it otherwise handled by the Proxy.

You are correct. In transparent mode it only catches 80/443, and although the rules are created with allowed services, they can only be used if you point your browser to 8080.

Quote: Originally Posted by BAlfson
If the FTP Proxy is enabled, should one remove FTP from the HTTP allowed services regardless of the mode one is in?

It doesn't matter if you remove it or not. FTP Proxy (frox) catches all ftp requests transparently on port 21, so the allowed services tab doesn't have any effect on the transparent ftp proxy. If however you are pointing to 8080, the allowed services tab is handling all your traffic and ignores transparent ftp (frox).

Quote: Originally Posted by BAlfson
Is it possible to make a port-20 request via port 8080? I must be ignorant of some fundamental principle.

Yes, it is possible, as you can see in the second screenshot of my original post. If you put 8080 in your browser and ftp is in your allowed services, the http proxy will handle port 21 requests for av and will even block requests if the url is blocked in the content filter.
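The thread's conclusion (transparent mode intercepts only 80/443; 'Allowed Target Services' merely opens the packet filter unless the browser is pointed at 8080; frox grabs transparent TCP/21 on its own) can be put into a small decision model so an admin can check which flows in a session were actually scanned. The following Python is an added example, not Astaro code or configuration: the proxy port 8080 and the port list come from the thread, while the "blocked" default for flows no rule permits and the modelling of frox as nothing more than "intercepts TCP/21" are assumptions of this example.

```python
"""Model of which path a client flow takes through a firewall's HTTP proxy.

Added example, not Astaro code: it encodes the behaviour worked out in the
thread so the 'scanned or not' question can be answered per flow, and a list
of flows can be audited for ones that silently bypassed the HTTP proxy.

Model assumptions (not Astaro implementation details):
  * the proxy listens on TCP/8080 for explicitly configured clients;
  * a flow the proxy refuses, or that no rule permits, is reported as "blocked";
  * the transparent FTP proxy (frox) is modelled only as "intercepts TCP/21";
    what it does with the data is outside this model.
"""
from dataclasses import dataclass

PROXY_PORT = 8080          # proxy port named in the thread
HTTP, HTTPS, FTP = 80, 443, 21


@dataclass(frozen=True)
class Flow:
    dst_port: int            # service the client wants (80, 443, 21, ...)
    to_proxy_port: bool      # True: client explicitly sent it to :8080


@dataclass(frozen=True)
class ProxyConfig:
    transparent: bool        # 'Transparent' vs a standard (browser-configured) mode
    allowed_services: frozenset  # ports in 'Allowed Target Services'
    scan_ssl: bool = False   # 'Scan SSL' adds 443 to transparent interception
    ftp_proxy: bool = False  # separate transparent FTP proxy (frox) enabled


def classify(flow: Flow, cfg: ProxyConfig) -> tuple[str, bool]:
    """Return (path, scanned_by_http_proxy) for one flow.

    path is one of: "http_proxy", "ftp_proxy", "packet_filter", "blocked".
    """
    if flow.to_proxy_port:
        # Client talks to the proxy directly: the allowed-services list decides
        # which destination services the proxy will fetch on its behalf, and
        # everything it fetches gets the proxy's AV / URL filtering.
        if flow.dst_port in cfg.allowed_services:
            return "http_proxy", True
        return "blocked", False

    # Direct traffic that the firewall has to intercept on its own.
    if cfg.transparent:
        if flow.dst_port == HTTP or (flow.dst_port == HTTPS and cfg.scan_ssl):
            return "http_proxy", True
    if flow.dst_port == FTP and cfg.ftp_proxy:
        return "ftp_proxy", False
    if cfg.transparent and flow.dst_port in cfg.allowed_services:
        # Rules created from 'Allowed Target Services' let the flow through
        # the packet filter, but the HTTP proxy never sees it.
        return "packet_filter", False
    return "blocked", False


def unscanned_allowed(flows, cfg):
    """Flows that are permitted but never see the HTTP proxy's scanning.

    This is the gap the thread describes: the download.com redirect to an
    FTP mirror travels this path in transparent mode.
    """
    out = []
    for flow in flows:
        path, scanned = classify(flow, cfg)
        if path != "blocked" and not scanned:
            out.append((flow, path))
    return out


if __name__ == "__main__":
    # Constructed sample: a browsing session where a download redirects to FTP.
    session = [Flow(HTTP, False), Flow(HTTPS, False), Flow(FTP, False)]
    transparent = ProxyConfig(transparent=True,
                              allowed_services=frozenset({HTTP, HTTPS, FTP}))
    for flow, path in unscanned_allowed(session, transparent):
        print(f"port {flow.dst_port}: allowed via {path}, not scanned")
    # Same session with the browser pointed at :8080 (standard mode).
    standard = ProxyConfig(transparent=False,
                           allowed_services=frozenset({HTTP, HTTPS, FTP}))
    explicit = [Flow(f.dst_port, True) for f in session]
    print("standard-mode gaps:", unscanned_allowed(explicit, standard))
```

Run stand-alone, the transparent-mode session reports ports 443 (without 'Scan SSL') and 21 as allowed but unscanned, while the same session with the browser pointed at 8080 reports no gaps; toggling `ftp_proxy=True` moves the port-21 flow to the `ftp_proxy` path, which is the case Billybob describes where the allowed-services tab has no effect.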