Henrik Nordstrom wrote:
>
> Marc van Selm wrote:
>
> > Squid - per default - has a limited set of ports it allows for https. 443 and
> > 563. All other ports are denied.
>
> I would say per specification. The CONNECT method specification strongly
> recommends limiting which ports the method may connect to due to the
> obvious security implications of having a method for establishing an
> unfiltered TCP tunnel.

I agree. Having seen what people will try to do with an unrestricted IP
tunnel (I'm as guilty as anyone... I ran SSH connections through a
squid-hierarchy via a fast backbone to a server in the USA. I only had
to write a couple of lines of shell-scripts at each end to make this
work. Had I done something improper with the connection (more improper
than shouldering interactive traffic on what was supposed to be a fast
back-to-back HTTP backbone) I seriously doubt that it could have been
effectively tracked, and at some point, someone will surely point the
finger at a cache-administrator for permitting the misuse.)

A legacy of my misspent youth.
D
Received on Sun Apr 18 1999 - 19:59:03 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:45:52 MST
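The port restriction the thread discusses, written out in squid.conf syntax as an added example (it is not taken from the thread or from Squid's shipped default configuration). The directive names `acl`, `http_access`, the `port` and `method` ACL types, and the `!` negation are real Squid syntax; the port list 443 and 563 comes from the message above, and the assumption that 563 is NNTP over TLS is mine.

```squid
# Added example: restrict the CONNECT method to the ports the message names.
# Assumption: 443 is HTTPS and 563 is NNTP over TLS.
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Deny CONNECT to any port outside SSL_ports. http_access rules are evaluated
# top to bottom and the first match wins, so this deny must come before any
# allow rule that would otherwise let CONNECT through.
http_access deny CONNECT !SSL_ports

# Weak variant, shown only for contrast (do not use): an unconditional allow
# for CONNECT is exactly the unfiltered TCP tunnel the thread warns about.
# http_access allow CONNECT
```

After editing, `squid -k parse` checks the file for syntax errors before a reload, and the `access.log` entries for CONNECT requests show which destination ports clients are actually asking for, which is the evidence to review before widening the list beyond 443 and 563.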