RE: IPChains firewall: need port 80 open with transparent Squid?

From: Plak, Peter <peter.plak@dont-contact.us>
Date: Sun, 27 Feb 2000 13:44:57 +0100

If you use squid normal or transparent (doesn't matter for now), your
outgoing traffic to the internet has the following ports:
- sourceport 1024:65535 and destinationport 80

So traffic from webservers on the internet comes in to your firewall:
- sourceport 80 and destinationport 1024:65535

If you use squid normal or transparent (doesn't matter for now), your
incoming traffic from your clients to squid has the following ports:
- sourceport 1024:65535 and destinationport 80

So traffic from squid to your clients has (gets a reverse redirect from 3128
to 80):
- sourceport 80 and destinationport 1024:65535

Thus you still need to allow traffic to/from port 80 to allow web browsers to
work.

Bye Peter from Holland

-----Original Message-----
From: Steve Snyder [mailto:swsnyder@home.com]
Sent: Sunday 27 February 2000 01:03
To: Squid Mailing List
Subject: IPChains firewall: need port 80 open with transparent Squid?

Before I started using Squid (v2.2S5, on Linux v2.2.x) as a
transparent proxy, I enabled traffic to/from port 80 to allow Web
browsers to work. Do I still need to have that port open now that all
HTTP traffic is being redirected through Squid?

Per the Squid doc, this is how my transparent config looks:

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Also per the Squid doc, this is how my firewall (ipchains) looks:

  # Squid: redirect local HTTP traffic to cache port
  ipchains -A input -i $LOCAL_IFACE -p tcp \
           -s $ANYWHERE -d $ANYWHERE 80 -j REDIRECT 3128

  # Squid: deny external access to cache
  ipchains -A input -i $EXTRN_IFACE -p tcp -y \
           -s $ANYWHERE -d $IPADDR 3128 -j DENY

So given these circumstances, do I really need my old port 80 access
rule? Note that $EXTRN_IFACE is my connection to the Internet, while
$LOCAL_IFACE is the one to my local network:

  # HTTP client (80)
  ipchains -A input -i $EXTRN_IFACE -p tcp ! -y \
           -s $ANYWHERE 80 -d $IPADDR $UNPRIVPORTS -j ACCEPT

  ipchains -A output -i $EXTRN_IFACE -p tcp \
           -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 80 -j ACCEPT

My reason for asking this is to simplify my ruleset by eliminating
what I hope is a superfluous rule (external client traffic through
port 80). I am not running an externally-accessible Web server. Any
advice on this?

Thank you.

*** Steve Snyder ***
Received on Sun Feb 27 2000 - 05:54:58 MST
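As an added illustration, not part of either message, the four ipchains rules from Steve's post and the four traffic flows Peter walks through are modelled as a first-match packet simulation. Interface names, addresses, the squid-side unprivileged port and a default DENY policy on both chains are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

IPADDR = "192.0.2.1"      # constructed stand-in for $IPADDR (firewall's external address)
UNPRIV = (1024, 65535)    # $UNPRIVPORTS
ANY = (1, 65535)          # any port

@dataclass
class Rule:
    chain: str; iface: str; syn: Optional[bool]      # syn=True is -y, False is ! -y, None is unset
    src: Optional[str]; sport: Tuple[int, int]
    dst: Optional[str]; dport: Tuple[int, int]; target: str

@dataclass
class Packet:
    chain: str; iface: str; syn: bool
    src: str; sport: int; dst: str; dport: int

def matches(r: Rule, p: Packet) -> bool:
    return (r.chain == p.chain and r.iface == p.iface
            and (r.syn is None or r.syn == p.syn)
            and (r.src is None or r.src == p.src)
            and (r.dst is None or r.dst == p.dst)
            and r.sport[0] <= p.sport <= r.sport[1]
            and r.dport[0] <= p.dport <= r.dport[1])

def verdict(rules, p: Packet, policy: str = "DENY") -> str:
    # ipchains semantics: first matching rule wins, else the chain policy (assumed DENY)
    for r in rules:
        if matches(r, p):
            return r.target
    return policy

SQUID_RULES = [   # the two rules from the "Per the Squid doc" firewall excerpt
    Rule("input", "local", None, None, ANY, None, (80, 80), "REDIRECT 3128"),
    Rule("input", "extrn", True, None, ANY, IPADDR, (3128, 3128), "DENY"),
]
PORT80_RULES = [  # the "HTTP client (80)" rules Steve hopes to drop
    Rule("input", "extrn", False, None, (80, 80), IPADDR, UNPRIV, "ACCEPT"),
    Rule("output", "extrn", None, IPADDR, UNPRIV, None, (80, 80), "ACCEPT"),
]
FLOWS = {         # constructed packets for the flows Peter describes (40000 = squid's ephemeral port)
    "squid_to_webserver": Packet("output", "extrn", True, IPADDR, 40000, "198.51.100.7", 80),
    "webserver_to_squid": Packet("input", "extrn", False, "198.51.100.7", 80, IPADDR, 40000),
    "client_to_web": Packet("input", "local", True, "10.0.0.5", 40000, "198.51.100.7", 80),
    "outsider_to_cache": Packet("input", "extrn", True, "203.0.113.9", 40000, IPADDR, 3128),
}

def evaluate(with_port80: bool) -> dict:
    rules = SQUID_RULES + (PORT80_RULES if with_port80 else [])
    return {name: verdict(rules, pkt) for name, pkt in FLOWS.items()}
```

Without the port 80 rules, the LOCAL_IFACE redirect still fires, but squid's own fetches from the internet and their replies fall through to the DENY policy, which is Peter's point.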
