com (Mark Frost) writes:
# Pardon my ignorance but how exactly does on to proxy ftp? If I understand
# what it is correctly it allows one to do ftp "through" a host. (Please
# correct me if I'm wrong). Somehow I haven't got the sense of what's
# involved to set this up from the ftp man page.
You understand correctly. The reason you can't find anything on it in
the standard FTP man page is that it's not a standard feature of FTP.
To do proxy FTP, you run a custom FTP client on your internal
machines. This custom client has been modified so that, no matter
where you tell it you want to connect to, it connects to your proxy
machine, and tells the proxy machine where you want to connect to.
The proxy machine then connects to the ultimate destination, and plays
pass-through on the data. Sort of like making a long-distance phone
call in the days before direct long-distance dialing.
Proxy TELNET works much the same way: you run a custom client, it
connects to your proxy server and tells it who you really want to talk
to, the proxy server connects to the ultimate destination and plays
I'm not a big fan of proxy TELNET and FTP systems for several reasons.
The first is what you've already hit upon: they're not a standard part
of the operating system. This means you've got to install custom
client programs (replacements for "ftp" and "telnet" that know how to
talk to the proxy server) on all your internal machines that want to
use the net. If proxy version of your client programs aren't
available (which is usually the case for Mac and PC client programs),
you're just out of luck.
The second reason I'm not a big fan of proxy systems is that they add
complexity and give you more exposure to single-point-failures (the
proxy server going down), unless they're smart to know about multiple
servers (I doubt most of them are, but I don't know).
Finally, I've yet to have anybody ask for anything both reasonable and
significant that can be done with a proxy telnet/ftp setup that can't
be done with a carefully and properly constructed packet filtering
setup. I'm sure that there _are_ examples, but in the several
firewall systems I've built for clients in the last couple of years
and the several more I'm currently building, the advantages of packet
filtering have far outweighed the advantages of proxy services.
There are several proxy services that work, and work to such a degree
that folks don't even think of them as proxy services; I'm talking
about things like SMTP, NNTP, NTP, and DNS. People _expect_ servers
running these protocols to proxy for other servers and clients (though
most of them don't do it synchronously). I'm not opposed to proxy
systems per se, just proxy systems for protocols that weren't designed
for such use, and for which appropriate clients aren't widely available.
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041