Re: confusing warnings

From: Christian <chris_at_computersalat.de>
Date: Thu, 08 Nov 2012 14:49:03 +0100

Hi Amos,

thank you for your help. And if I understand right, I can remove those
two ACLs, because they are already built in.

Thank you very much.
Chris

On 07.11.2012 23:11, Amos Jeffries wrote:
>> On 11/7/2012 5:40 PM, Christian wrote:
>>> what's wrong with this:
>>> #acl manager proto cache_object
>>> #acl localhost src 127.0.0.1/32 ::1
>>> acl localhost src 127.0.0.1/32
>>> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
> What's wrong is that:
>
> * you have removed the IPv6 localhost definitions, erasing any
> security permissions these ACLs would have provided to IPv6 traffic
> (for both allow AND deny usage cases). It is best practice to ensure
> that you have consistent security behaviour for both IPv4 and IPv6
> traffic.
>
> * the ACLs "manager", "localhost" and "to_localhost" are now built-in
> definitions. see http://www.squid-cache.org/Doc/config/acl/
>
> We have had to do this for several reasons:
> 1) it presents a shorter less confusing default config, and less ways
> to get ACL and *_access lines in the wrong order.
>
> 2) it helps us roll out 0.0.0.0/32 and similar protection to existing
> installations that ignore the config file changes unless they bite.
>
> 3) people deciding that since they don't need IPv6 they can remove
> ::1 etc. from the localhost definitions (exactly like you did above!),
> which *prevents* Squid from providing any IPv6 traffic security on
> those connection types (e.g. "http_access deny localhost" can allow IPv6
> localhost through).
>
>
> On 08.11.2012 04:57, Eliezer Croitoru wrote:
>> you do understand that there is no such thing as "0.0.0.0/32" ??
>
> There is. It means the explicit single RESERVED address "0.0.0.0".
> Sending traffic there is forbidden, but some TCP stacks permit it to
> be used like 127.0.0.1 and that can result in forwarding loop DoS
> vulnerabilities.
>
> As to the warnings ...
>
> Amos
>

-- 
Christian
----------------------------------------------------
   - Please do not 'CC' me on list mails.
          Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories
http://www.sc24.de
----------------------------------------------------
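A small checker for the squid.conf mistake discussed in this thread, added here as an example; it is not code from the thread or from Squid itself. It parses the active `acl NAME src|dst ...` lines, warns when one of the now built-in ACLs (manager, localhost, to_localhost) is redefined or has lost its ::1 entry, shows that an IPv4-only "localhost" ACL lets an IPv6 loopback client past "http_access deny localhost", and shows that 0.0.0.0/32 is a perfectly valid network containing exactly one address. The built-in definitions are taken from the commented-out lines quoted above; the sample config is constructed from Christian's lines, and the function names (parse_acls, lint, deny_localhost_gaps, describe_zero_net) are this example's own.

```python
import ipaddress

# ACLs that Squid now defines itself (per Amos's reply); a squid.conf that
# redefines them produces the warnings this thread is about.
BUILTIN_ACLS = {"manager", "localhost", "to_localhost"}

# The built-in definitions, as shown in the commented-out lines in the thread.
BUILTIN_DEFINITIONS = {
    "localhost": ["127.0.0.1/32", "::1"],
    "to_localhost": ["127.0.0.0/8", "0.0.0.0/32", "::1"],
}

# Constructed sample: the IPv4-only lines Christian posted, plus one
# http_access rule so the effect of the missing ::1 can be shown.
SAMPLE_CONF = """\
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
acl localhost src 127.0.0.1/32
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
http_access deny localhost
"""


def to_networks(values):
    """Turn ACL values into ip_network objects (a bare address becomes /32 or /128).
    Only address/CIDR values are handled; Squid's range and hostname forms are not."""
    return [ipaddress.ip_network(v, strict=False) for v in values]


def parse_acls(conf):
    """Return {acl_name: [ip_network, ...]} for the active src/dst ACL lines."""
    acls = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl" or parts[2] not in ("src", "dst"):
            continue
        # Squid ORs together repeated 'acl NAME' lines, so extend rather than replace.
        acls.setdefault(parts[1], []).extend(to_networks(parts[3:]))
    return acls


def acl_matches(networks, address):
    """True if the address falls inside any network of the ACL.
    An IPv4-only ACL can never match an IPv6 address, which is the whole problem."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == net.version and addr in net for net in networks)


def lint(conf):
    """Warnings for the two mistakes discussed in the thread."""
    warnings = []
    for name, networks in parse_acls(conf).items():
        if name in BUILTIN_ACLS:
            warnings.append(f"{name}: redefines a built-in ACL; delete the line")
        for required in BUILTIN_DEFINITIONS.get(name, []):
            want = ipaddress.ip_network(required, strict=False)
            if not any(want.version == n.version and want.subnet_of(n) for n in networks):
                warnings.append(f"{name}: no longer covers {required}")
    return warnings


def deny_localhost_gaps(conf):
    """Loopback clients that 'http_access deny localhost' lets through with this
    config but would block with Squid's built-in localhost ACL."""
    user = parse_acls(conf).get("localhost", [])
    builtin = to_networks(BUILTIN_DEFINITIONS["localhost"])
    return [a for a in ("127.0.0.1", "::1")
            if acl_matches(builtin, a) and not acl_matches(user, a)]


def describe_zero_net(value="0.0.0.0/32"):
    """Show that 0.0.0.0/32 is a valid network holding exactly one (unspecified) address."""
    net = ipaddress.ip_network(value)
    return net.num_addresses, str(net.network_address), net.is_unspecified


if __name__ == "__main__":
    for w in lint(SAMPLE_CONF):
        print("warning:", w)
    print("deny localhost misses:", deny_localhost_gaps(SAMPLE_CONF))
    print("0.0.0.0/32 ->", describe_zero_net())
```

Run against the sample, the checker reports both ACLs as redundant redefinitions and both as missing ::1, and deny_localhost_gaps returns ["::1"]: the IPv6 loopback client that the hand-written "deny localhost" rule no longer stops. The fix the thread arrives at is simply deleting the two acl lines so the built-in, dual-stack definitions apply.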
Received on Thu Nov 08 2012 - 13:49:17 MST
