The filter-engine Element
Note: The filter-engine element is read from the global
configuration file, if such a file is available.
On Unix, the global configuration is stored as
/etc/ssh2/ssh-socks-proxy-config.xml . Only when no global configuration file exists is this
element read from the user-specific configuration file.
The filter-engine element defines the Transparent Tunneling
filter rules. For Transparent Tunneling to work, the static-tunnels
element must also define a socks-proxy tunnel.
The top-level element is filter-engine . It has one
attribute: ip-generate-start . This attribute defines the
start address of the pseudo IP address space. Pseudo IPs are generated
by the SOCKS Proxy when applications make their DNS queries through the SOCKS Proxy.
Under the filter-engine element there can be any
number of elements of the type network , dns , or
filter . The order of the elements is important, because the
filter engine evaluates the elements in the order in which they are specified in the
configuration file.
- network
The network element specifies a "location"
where SSH Tectia Client is running. It has four attributes: id ,
address , domain , and ip-generate-start .
The id attribute specifies a unique identifier for the
network element. The address attribute specifies the
address of the network. It can be missing or empty, in which case it is
not used. The domain attribute contains the domain name of
the computer. It can also be missing or empty, in which case it is not
used. The ip-generate-start attribute defines the start
address of the pseudo IP space. If it is defined here, it overrides the
ip-generate-start attribute of the filter-engine
element.
- dns
The dns element creates a DNS rule for the
filter engine. It has six attributes: id ,
network-id , application ,
host , ip-address , and
pseudo-ip .
The id attribute specifies a unique identifier
for the dns element. The network-id attribute
contains a reference to a network element. This can be
left empty if the dns entry does not bind to a specific
network. The application attribute specifies the
application for which this DNS entry is used. This can be a regular
expression.
The host attribute specifies a target host name. It
can be a regular expression. The ip-address attribute
specifies the target host IP address. It can be a regular expression.
When both the hostname and the IP address are defined, the
host attribute takes precedence and the ip-address
attribute is ignored. When the ip-address attribute is
left empty and the host attribute matches, one of the following happens:
- When the pseudo-ip attribute is set to
yes , the SOCKS Proxy assigns a pseudo IP address for the target
host and SSH Tectia Server resolves the real IP address.
Pseudo IP addresses should be used when accessing an internal
network from the outside, because name resolution for the machines in
the internal network is not available from the outside.
- When the pseudo-ip attribute is set to
no , a normal DNS query is made for the target hostname.
- filter
The filter element specifies an action for a
connection. It has five attributes: dns-id ,
ports , action , profile-id , and
fallback-to-plain .
The dns-id attribute is a reference to a
dns element.
The ports attribute can be a single port or a range.
A range is specified with a dash between two integers (such as
"21-25" ).
Note: Always specify the port unambiguously if fallback mode is set.
Do not use an asterisk (*), because it causes problems in
passive mode file transfer when connected to a plaintext FTP server.
The action attribute specifies the action to be done when a
filter is used. Its value can be DIRECT , BLOCK ,
TUNNEL , or FTP-TUNNEL .
- DIRECT causes the connection
to be made directly as plaintext without tunneling.
- BLOCK causes the connection to be
blocked.
- TUNNEL is used for TCP tunneling when the Secure
Shell connection can be opened with a non-interactive method such as
public keys or certificates. There is no user interaction, so private keys
protected by a passphrase can be used only if the SOCKS Proxy has
already asked for the passphrase or a suitable connection has already been
established. The user ID and other parameters can be defined in a SOCKS Proxy
profile.
- FTP-TUNNEL is used for FTP tunneling. If the
referenced connection profile does not have the user
attribute specified, the SOCKS Proxy asks the FTP client to provide
the username and password, which can be used in opening the Secure
Shell connection. Public keys can also be used with this method, but
there is no interaction to give private key passphrases. Neither is it
possible to get user interaction to save a host key.
When applying the filter rule, if creating the tunnel fails
(or the connection to the Secure Shell server fails) the SOCKS Proxy will
normally return a "host not reachable" error. However, if the
fallback-to-plain attribute is set to yes ,
a direct (unsecured) connection is used instead.
The fallback-to-plain and pseudo-ip options should
not be enabled at the same time. If they are, and the secure connection
fails, the application will try a direct connection with the pseudo IP,
which will not work.
An example of filter rules for transparent FTP tunneling is shown
below.
<filter-engine>
  <dns id="id1_dns"
       ip-address=".*"
       pseudo-ip="NO" />
  <filter dns-id="id1_dns"
          ports="21"
          action="ftp-tunnel"
          profile-id="id1"
          fallback-to-plain="YES" />
</filter-engine>
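The manual states several constraints on a filter-engine block: every dns-id and network-id must refer to an existing element, fallback-to-plain should not be combined with a pseudo-ip rule, and a filter in fallback mode should not use an ambiguous "*" port. The following linter is an added example (not part of the SSH Tectia documentation or product) that checks those constraints over a constructed sample configuration; the sample host names, ids and profile names are made up.

```python
"""Lint the filter-engine block of an ssh-socks-proxy-config.xml file.

Added example, not SSH Tectia code. Findings are (where, message) tuples;
'where' is the dns id or the zero-based filter index (filters are kept in
document order, because the filter engine matches them in that order).
"""
import xml.etree.ElementTree as ET

# Constructed sample: one network, two dns rules, three filters (two flawed).
SAMPLE_CONFIG = """<filter-engine ip-generate-start="10.0.0.1">
  <network id="office" domain="corp.example.com" />
  <dns id="intranet" network-id="office" host=".*\\.corp\\.example\\.com"
       pseudo-ip="yes" />
  <dns id="ftp_any" ip-address=".*" pseudo-ip="no" />
  <filter dns-id="intranet" ports="22" action="TUNNEL" profile-id="p1" />
  <filter dns-id="intranet" ports="*" action="TUNNEL" profile-id="p1"
          fallback-to-plain="yes" />
  <filter dns-id="missing" ports="21" action="FTP-TUNNEL" profile-id="p1" />
</filter-engine>"""


def _yes(value):
    # The manual shows both yes/no and YES/NO, so compare case-insensitively.
    return (value or "no").lower() == "yes"


def lint_filter_engine(xml_text):
    """Return a list of findings; an empty list means the block is clean."""
    root = ET.fromstring(xml_text)
    networks = {n.get("id") for n in root.findall("network")}
    dns_rules = {d.get("id"): d for d in root.findall("dns")}
    findings = []
    for d in dns_rules.values():
        net = d.get("network-id")
        if net and net not in networks:
            findings.append((d.get("id"), "dns references unknown network-id %r" % net))
    for idx, f in enumerate(root.findall("filter")):
        dns = dns_rules.get(f.get("dns-id"))
        if dns is None:
            findings.append((idx, "filter references unknown dns-id %r" % f.get("dns-id")))
            continue
        if _yes(f.get("fallback-to-plain")):
            # Plaintext fallback to a pseudo IP can never reach the real host.
            if _yes(dns.get("pseudo-ip")):
                findings.append((idx, "fallback-to-plain with pseudo-ip: plaintext "
                                      "fallback to a pseudo IP cannot work"))
            if "*" in (f.get("ports") or ""):
                findings.append((idx, "ambiguous port '*' with fallback mode"))
    return findings
```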
Copyright © 2007 SSH Communications Security Corp.