Re: [SQU] Access Denied

From: Duane Wessels <wessels@dont-contact.us>
Date: Wed, 1 Nov 2000 14:19:07 -0700 (MST)

On Wed, 1 Nov 2000, Thomas Hettick wrote:

> Hi,
> I have an issue with a website that Squid is not allowing one of my users
> to go to. This is the website:
> http://www.avweb.com:81/common/msg/srchmsgs.cgi
>
> It doesn't seem to like the :81 part. Does anyone have an idea of what is
> going on? Here is the message I get when accessing the site:

  10.14. Why does Squid deny some port numbers?

  It is dangerous to allow Squid to connect to certain port numbers.
  For example, it has been demonstrated that someone can use Squid as an
  SMTP (email) relay. As I'm sure you know, SMTP relays are one of the
  ways that spammers are able to flood our mailboxes. To prevent mail
  relaying, Squid denies requests when the URL port number is 25. Other
  ports should be blocked as well, as a precaution.

  There are two ways to filter by port number: either allow specific
  ports, or deny specific ports. By default, Squid does the first.
  This is the ACL entry that comes in the default squid.conf:

          acl Safe_ports port 80 21 443 563 70 210 1025-65535
          http_access deny !Safe_ports

  The above configuration denies requests when the URL port number is
  not in the list. The list allows connections to the standard ports
  for HTTP, FTP, Gopher, SSL, WAIS, and all non-privileged ports.

  Another approach is to deny dangerous ports. The dangerous port list
  should look something like:

          acl Dangerous_ports port 7 9 19 22 23 25 53 109 110 119
          http_access deny Dangerous_ports

  Please consult the /etc/services file on your system for a list of
  known ports and protocols.

Received on Wed Nov 01 2000 - 14:21:06 MST
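
Added example (not part of the original message or the Squid FAQ): a small Python model of the two port-filtering rules quoted above, showing why the :81 URL from the question is refused by the default allow-list. It models only the port check, not the rest of Squid's http_access processing; the function names and the example.com URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Port lists copied from the two squid.conf fragments quoted in the message above.
SAFE_PORTS = "80 21 443 563 70 210 1025-65535"
DANGEROUS_PORTS = "7 9 19 22 23 25 53 109 110 119"

# Scheme defaults used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "wais": 210}


def parse_ports(spec):
    """Turn a squid-style port list ('80 21 1025-65535') into inclusive ranges."""
    ranges = []
    for token in spec.split():
        low, _, high = token.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def port_in(port, ranges):
    return any(low <= port <= high for low, high in ranges)


def url_port(url):
    """Port the proxy would connect to: explicit port, else the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def allow_list_verdict(url, safe=SAFE_PORTS):
    """Model of 'http_access deny !Safe_ports': deny anything not listed."""
    return "ALLOW" if port_in(url_port(url), parse_ports(safe)) else "DENY"


def deny_list_verdict(url, dangerous=DANGEROUS_PORTS):
    """Model of 'http_access deny Dangerous_ports': deny only what is listed."""
    return "DENY" if port_in(url_port(url), parse_ports(dangerous)) else "ALLOW"


if __name__ == "__main__":
    # First URL is the one from the question; the rest are constructed samples.
    for url in ("http://www.avweb.com:81/common/msg/srchmsgs.cgi",
                "http://example.com/", "http://example.com:25/",
                "http://example.com:8080/"):
        print(f"{url_port(url):>5}  allow-list={allow_list_verdict(url):5}  "
              f"deny-list={deny_list_verdict(url)}")
```

Passing a different list as `safe` or `dangerous` lets you check the effect of a changed acl line before editing squid.conf.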
