On Tue, 2002-11-12 at 09:29, Joey Coco wrote:
> Hello,
>
> Not everyone wishes to rely on squid's ACLs for access control.
Sure.
> My
> proxies are configured "wide open", but I do all my restrictions with
> firewalling. I'd rather drop or deny packets than use squid to block it.
We aren't talking about IP-based restrictions, but rather about
dangerous policy. Unless your routers are doing layer 7 inspection, you
won't be checking what I'm proposing we check. Secondly, even if you are
doing layer 7 inspection, you won't know that two connections (one into
squid and one out of) are related, and thus may allow things that you
really don't want to (like spam bulk mailers bouncing via internet->your
squid server->your local smtp gateway).
Rob
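
Added example, not part of the original message or of Squid's own code: the proxy's log is the one place where the inbound client and the outbound destination appear on the same record, so a check there can flag the relay-to-SMTP case described above. It assumes Squid's native access.log layout; the port set, function names and sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

SMTP_PORTS = {25, 465, 587}  # assumption: ports treated as mail relay targets
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample lines, Squid native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1037118540.123    210 203.0.113.7 TCP_MISS/200 1543 GET http://www.example.org/index.html - DIRECT/198.51.100.10 text/html
1037118541.456  30012 203.0.113.9 TCP_MISS/200 8120 CONNECT 192.0.2.25:25 - DIRECT/192.0.2.25 -
1037118542.789     95 203.0.113.9 TCP_MISS/200 512 POST http://mail.example.net:25/ - DIRECT/192.0.2.25 text/plain
1037118543.001     12 203.0.113.7 TCP_DENIED/403 1021 CONNECT 192.0.2.25:25 - NONE/- text/html
1037118544.500    400 203.0.113.8 TCP_MISS/200 4096 CONNECT secure.example.org:443 - DIRECT/198.51.100.20 -
"""


def dest_port(method, url):
    """Return the destination port the proxy was asked to reach, or None."""
    try:
        if method == "CONNECT":  # CONNECT requests are logged as "host:port"
            return int(url.rpartition(":")[2])
        parts = urlsplit(url)
        return parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed or missing port
        return None


def find_smtp_relays(lines):
    """List requests whose destination is an SMTP port, with allow/deny status."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7:  # skip truncated or non-native lines
            continue
        client, result, method, url = f[2], f[3], f[5], f[6]
        if dest_port(method, url) in SMTP_PORTS:
            hits.append({"client": client, "method": method, "url": url,
                         "allowed": not result.startswith("TCP_DENIED")})
    return hits


if __name__ == "__main__":
    for hit in find_smtp_relays(SAMPLE_LOG.splitlines()):
        print(hit)
```

Entries with `allowed` set to true are the ones a packet filter would have passed, since each leg on its own looks like ordinary traffic to or from the proxy.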