Re[2]: [squid-users] My Squid Under Attack - Help with info please.

From: Cliff <cliff@dont-contact.us>
Date: Sun, 29 Dec 2002 08:00:10 -0900

Hi Henrik,

Thank you for the review of rules and access lists.

For several reasons I prefer to keep
my cache available to me wherever I am in the world.
It's nice to have a reference implementation available
to me when I'm working a squid problem at work.

And it's nice to be able to proxy my way around my
employer's porn filter on occasion.

And it would be nice to be able to relay email
through my box at home with no special configuration
necessary on the client's machine. Like when my idiot
uncle can't remember his provider's email address and
I need to get the situation tested and done so I can move
on to the next thing.

What is the exact nature of the exploit?
I've seen the term "HTTP_CONNECT method" but no real
detailed explanation.

Is this exploit a carefully crafted packet?
Is this exploit a buffer overrun in nature?

I need to know who owns the problem in order to
stop the abuse at the lowest level while still maintaining
the ability to use the cache no matter where I am.

HN> b) Only allow proxying to well known services. DO NOT delete the default
HN> Safe_ports or SSL_Ports filter rules designed to block most spammer
HN> abuses of the proxy (these deny abuse of the HTTP proxy to send SMTP
HN> email, connect to IRC etc).
I'll recheck my config and make sure I haven't accidentally undone something.

HN> c) Quite often the use of authentication is recommended.
This might make the most sense with the idea of keeping the
proxy available to me.

Thx again for the quality answers.
Received on Sun Dec 29 2002 - 10:06:58 MST
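
Added example, not part of the original message and not Squid project code: a small Python check for points b) and c) quoted above, reporting when the default port-filter denies are missing before the first allow and when an allow rule admits any client without authentication. It assumes the ACL names of the stock squid.conf (Safe_ports, SSL_ports, CONNECT); the function names are hypothetical and both sample configurations are constructed.

```python
"""Audit squid.conf http_access rules (added example; helper names are hypothetical)."""

# Deny rules that must appear before the first allow (http_access is first-match-wins).
REQUIRED_DENIES = [("!Safe_ports",), ("CONNECT", "!SSL_ports")]

def parse(conf):
    """Return ({acl name: acl type}, [(action, [acl refs])]) in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(words) >= 3 and words[0] == "acl":
            acls.setdefault(words[1], words[2])
        elif len(words) >= 3 and words[0] == "http_access" and words[1] in ("allow", "deny"):
            rules.append((words[1], words[2:]))
    return acls, rules

def audit(conf):
    """Return a list of findings; an empty list means both checks passed."""
    acls, rules = parse(conf)
    first_allow = next((i for i, (act, _) in enumerate(rules) if act == "allow"), len(rules))
    findings = []
    for need in REQUIRED_DENIES:
        if not any(act == "deny" and set(refs) == set(need) for act, refs in rules[:first_allow]):
            findings.append("no 'http_access deny %s' before the first allow" % " ".join(need))
    for act, refs in rules:
        # An allow passes only if it names a proxy_auth ACL or a src ACL other than "all".
        limited = any(acls.get(r) == "proxy_auth" or (acls.get(r) == "src" and r != "all")
                      for r in refs if not r.startswith("!"))
        if act == "allow" and not limited:
            findings.append("'http_access allow %s' admits any client unauthenticated" % " ".join(refs))
    return findings

# Constructed sample: port filters removed and the proxy opened to everyone.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
http_access allow all
"""

# Constructed sample: default denies kept, access granted only after authentication.
HARDENED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```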
