Re: [squid-users] acl Safe_ports

From: <lists@dont-contact.us>
Date: Wed, 21 Jul 2004 15:37:40 +1000

If your client PCs are set up to use your proxy for http (protocol) requests,
then **any** url that starts with http:// will be sent to the proxy despite
what port follows that URL (eg: http://www.somewebhost.com:10000 )

In your case your clients may not have any proxy settings as you are using a
firewall to redirect traffic based upon destination port (and not protocol)
therefore in your case it may be true to say that the Safe_ports acl performs
no function (that is until you set the proxy settings in your client PCs)

Regards,
Rob Hadfield

Quoting GBloomberg <fin.ack@gmail.com>:

> Hello,
>
> I have a 2 interface Linux router/firewall. Eth0 public, Eth1 private
> lan. Squid is installed and running/listening on Eth1 via tcp 3128. I
> have a firewall REDIRECT rule that redirects all outgoing
> "private_lan" port 80 traffic to tcp 3128. This works great.
>
> After reading through the ACL FAQs I'm still confused as to **why**
> there is a need for the "Safe_ports" acl elements declared by default
> in "squid.conf"?
> I was under the assumption that **by default** Squid proxies port 80
> traffic and that's it unless otherwise specified? My firewall only
> allows the following out to the internet anyways.
> udp 53
> tcp 20,21,22,25,80,110,443
>
> So I'm assuming there's a good reason to have these defaults but I
> don't see why when clients will only be redirected to Squid through
> port 80. They go around Squid for all other ports. I could make a few
> logical guesses as to why this set the way it is but I wanna be sure
> that I'm not missing something else fundamental.
>
>
> [code]
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> [/code]
>
> Thanks
>
Received on Tue Jul 20 2004 - 23:37:44 MDT
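An added example, not part of this thread, that replays the quoted Safe_ports/SSL_ports lines through Squid's two stock port rules (`http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; the quoted excerpt omits them, so they are assumed here from the default squid.conf) for the requests an explicitly configured browser would hand the proxy versus what a port-80 REDIRECT delivers:

```python
from typing import Dict, List, Tuple

# The ACL lines quoted in the thread (constructed here as a string for parsing).
SQUID_ACLS = """
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
"""

def parse_port_acls(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Collect 'acl NAME port ...' lines into NAME -> [(lo, hi), ...] ranges."""
    acls: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop trailing comments
        if len(parts) < 4 or parts[0] != "acl" or parts[2] != "port":
            continue
        for spec in parts[3:]:                      # "80" or "1025-65535"
            lo, _, hi = spec.partition("-")
            acls.setdefault(parts[1], []).append((int(lo), int(hi or lo)))
    return acls

def port_matches(acls: Dict[str, List[Tuple[int, int]]], name: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in acls.get(name, []))

def http_access(acls: Dict[str, List[Tuple[int, int]]], method: str, port: int) -> str:
    """Apply the assumed default rules in order; return the verdict that fired."""
    if not port_matches(acls, "Safe_ports", port):
        return "deny !Safe_ports"
    if method == "CONNECT" and not port_matches(acls, "SSL_ports", port):
        return "deny CONNECT !SSL_ports"
    return "allow"   # falls through to the site's own later http_access rules

if __name__ == "__main__":
    acls = parse_port_acls(SQUID_ACLS)
    # Explicit proxy settings: any http://host:PORT or CONNECT reaches Squid.
    explicit = [("GET", 80), ("GET", 10000), ("GET", 25), ("GET", 22),
                ("CONNECT", 443), ("CONNECT", 80)]
    redirected = [("GET", 80)]   # port-80 REDIRECT: only port 80 is ever seen
    for label, reqs in (("explicit proxy", explicit), ("port-80 redirect", redirected)):
        print(label)
        for method, port in reqs:
            print(f"  {method} :{port:<6} -> {http_access(acls, method, port)}")
```

Port 10000 passes because it falls inside the quoted 1025-65535 range, while 25 and 22 are refused by `!Safe_ports`; in the redirect-only case every request arrives on port 80 and the rule never fires.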
