Re: Disc access every 15 sec / firewall+FTP

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 01 Oct 1999 13:58:06 +0200

Richard Atterer wrote:

> However, squid seems to access the HD every 15 seconds, although
> sometimes it also stops for a while. Is there a way to turn off the
> accesses completely?

It is probably its cleaning thread going thru the cache directories
looking for lost files. This can only be disabled by changing the
source.

How: remove eventAdd("storeDirClean"...) in main.c

> Also, I've set up a firewall (mainly to acquaint myself with ipchains).
> I've noticed that FTP fetches made by squid always seem to use active
> mode FTP; at least many packets arrive with arbitrary port numbers >1024
> for both sender and receiver.

It defaults to passive FTP (PASV).

PASV uses arbitrary port numbers > 1024 for both client and server and
the connection is always initiated by the client. PORT uses arbitrary
ports in the client and connections are initiated from port 20 on the
server. This is how most FTP clients and servers work today, even if it
is not 100% in line with the FTP standard (the standard says that the
client should use the same port as the control connection in PASV mode,
unless both PORT and PASV are used, but I know of no clients or servers
actually doing this).

> Is there a way to make squid use passive
> mode FTP or do I really have to allow through all incoming TCP packets
> on nonstandard ports?

You can easily disable Squid's use of PASV by changing a single line in
ftp.c:
From
    ftpState->flags.pasv_supported = 1;
To
    ftpState->flags.pasv_supported = 0;

However, most firewall people prefer it the other way around as it is
easier to control. PORT ftp requires that the firewall allows incoming
connections from port 20 to any client port >1024, which I would
consider a big security problem (for one thing, X11 listens on port
6000, and there are numerous other critical services listening on ports
>1024).

--
Henrik Nordstrom
Spare time Squid hacker
Received on Fri Oct 01 1999 - 12:45:28 MDT
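As an added example (not code from Henrik's reply or from Squid's ftp.c), the following parses the two FTP data-channel negotiations the post contrasts, a PASV reply and a PORT command, and reports which direction a firewall in front of the client must permit; the addresses and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# FTP encodes address and port as six decimal bytes: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY = re.compile(r"^227 .*?\(" + _SIX + r"\)")  # server -> client
PORT_COMMAND = re.compile(r"^PORT " + _SIX + r"\s*$")  # client -> server


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "PASV" or "PORT"
    initiator: str   # side that opens the data connection
    src_port: str    # source port used by the initiator
    dst_host: str    # address the initiator connects to
    dst_port: int    # port the initiator connects to


def _host_port(groups):
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    # Both modes use data ports above 1023; anything else is malformed or suspicious.
    if not 1024 <= port <= 65535:
        raise ValueError(f"data port {port} outside the expected >1023 range")
    return host, port


def parse_pasv_reply(line):
    """227 reply: the client connects from an ephemeral port to server:port."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    host, port = _host_port(m.groups())
    return DataChannel("PASV", "client", "ephemeral (>1023)", host, port)


def parse_port_command(line):
    """PORT command: the server connects from port 20 to client:port."""
    m = PORT_COMMAND.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    host, port = _host_port(m.groups())
    return DataChannel("PORT", "server", "20", host, port)


def client_firewall_need(ch):
    """Direction a firewall in front of the FTP client has to allow for this channel."""
    if ch.initiator == "client":
        return "outbound", f"tcp client:{ch.src_port} -> {ch.dst_host}:{ch.dst_port}"
    # PORT mode: an inbound hole from any server's port 20 to the client's chosen port.
    return "inbound", f"tcp any:20 -> {ch.dst_host}:{ch.dst_port}"
```

With PASV the only rule needed is an outbound one, while a PORT transfer needs the inbound rule from port 20 to a high client port that the post warns about.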