Hi
when i enable the file transfer proxy in the webbackend of openfire, is the proxy open for all people in the world or only for connected ones?
I’m not interested that users of other jabber-servers use my file transfer proxy.
Thanks.
Yes, it is open for everyone. Even a plugin like PacketFilter will not help here.
Why is it not restritable?
A feature to setup a max. quota per month oder something else would help too.
It’s a security hole that everybody can share data over it and I take the cost of the traffic
It’s a security hole that everybody can share data over it and I take the cost of the traffic
Yes it is.
Why is it not restritable?
Because it is just a proxy. It just works with IP addresses, and doesn’t know anything about Jabber/XMPP. If all your users are inside a specific subnet, you could firewall it, but in open Internet everyone could use it.
Coolcat
Anyone can connect to the proxy currently, but not anyone can send files through it. To send a file the “file transfer session” id which was transmitted via Openfire must be sent to the proxy. By default, Openfire keeps track of the sessions to make certain that any file transfers going through the proxy have been started by at least one user connected to Openfire.
Cheers,
Alex
Hmm this sounds good.
But i think it will be a good feature to put a trafficlimit per day/week/month to the feature.
Yes, that would be great.
By default, Openfire keeps track of the sessions to make certain that any file transfers going through the proxy have been started by at least one user connected to Openfire.
Sorry, this is not correct, I have tried it.
Test-Setup
Two Openfire 3.3.2 servers, two users (Psi 0.11 RC2), one proxy:
user1 can send files to user2 through the proxy. But an PacketInterceptor which blocks traffic between remote users and the proxy seems to prevent the user from sharing files. Maybe it is possible to to this using the PacketFilter plugin too, I used my own one here.
Sourcecode
sourcecode of PacketInterceptor implementation:
public void interceptPacket(Packet packet, Session session, boolean incoming, boolean processed)
throws PacketRejectedException {
// don't process anything twice
if (processed) { return; } /* ... */ JID toJID = packet.getTo();
JID fromJID = packet.getFrom();
if (toJID == null || fromJID == null) { return; }
boolean fromIsRemote;
if ( xmppServer.isRemote(fromJID)
&& monitoredComponents.contains(toJID.getDomain())
&& !whitelistedJIDs.contains(fromJID.getDomain())
&& !whitelistedJIDs.contains(fromJID.toBareJID())) {
fromIsRemote = true;
}
else if ( xmppServer.isRemote(toJID)
&& monitoredComponents.contains(fromJID.getDomain())
&& !whitelistedJIDs.contains(toJID.getDomain())
&& !whitelistedJIDs.contains(toJID.toBareJID())) {
fromIsRemote = false;
}
else {
// accept packet
return;
} // accept service discovery packets
if (packet instanceof IQ) {
IQ iqPacket = (IQ)packet;
Element childElement = iqPacket.getChildElement();
if (childElement != null) {
String namespace = childElement.getNamespaceURI();
if ( FEATURE_DISCO_INFO.equals(namespace)
|| FEATURE_DISCO_ITEMS.equals(namespace) ) {
// accept packet
return;
}
}
} // send message to user why this doesn't work...
checkBlock(fromJID, toJID, fromIsRemote); // reject packet
throw new PacketRejectedException();
}
PacketInterceptor doesn’t work…FileTransfer is only slow, it takes 30 seconds or so to build up the connection. Is there any way to block this, but not to block it if one of the users is local?
That’s interesting. I am having trouble looking at the source finding out how this situation can occur. Do you have the ability to step through the code?
Thanks,
Alex
Do you have the ability to step through the code?
no, sorry.
But it should be easy to reproduce. I can make an XML-log from clients and server if you need it.
I discovered the “bug”…it worked because the transfer was possible through a P2P connection over localhost. If both clients are not in the same local network the proxy is blocking properly
Message was edited by: Coolcat
Good to hear! Yea, that makes sense sorry I didn’t spot that.
Cheers,
Alex