diamond+ubuntu-devel at nonado.net
Sun Oct 30 17:37:06 CST 2005
Trent Lloyd wrote:
> On Tue, Oct 25, 2005 at 12:01:49PM +0100, Stephen Shirley wrote:
>>Aye, I considered that approach, but it has problems. Applications that
>>use ftp can't be transparently proxied.
> A quick apt-cache search turns up 'frox' which has transparent proxy
> support, I haven't tried it, but it may be worth a look.
Interesting app. Had a bit of a job trying to figure out exactly what it
did, the docs are very vague. The big issue with this is that it will
only work in the following cases:
1) Direct net connection
2) Http proxy to internet that allows ftp proxying.
I.e. it'll fail if neither of the above is satisfied.
>>Also, that approach fails in the
>>case where there are no proxies around, and direct net connection is
> It hardly fails in that case, in that case you drop it out of iptables,
> same as you'd deconfigure a proxy.
Sorry, my bad. I was thinking in the general sense. I.e. if you
configure an app to use a socks proxy, when there is no socks proxy
available, even if there is a direct net connection, the setup fails.
Same goes for ftp or http proxy. Therefore either make sure there's
always a proxy available (even if it's just faking it, some or all of
the time) and all clients are configured to use it, or set all clients
to use no proxy and do transparent proxying. The latter involves some
tricky application level jiggery pokery (e.g. how do you make a normal
ssh connection go through a socks proxy? how do you make an ftp client
go through a http proxy (and therefore have to rephrase the request)
etc). The former is what I'm proposing. The proxy can then be the part
to re-configure on the fly, as that's what it's written to do. Ah. There
is a third option, of course: re-write all applications to use some
clever proxying library that does all of this. In the long run, it would
be an excellent solution. In the short-to-medium term however I don't
think it's feasible.