Re: [squid-users] squid hardening - weird behaviour

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 12 Oct 2007 12:31:12 +1300 (NZDT)

> Hello,
>
> I'm somewhat new to squid "in depth" configuration and need some advice.
>
> I run an older squid release on a multi-homed system which connects to the
> internet on the first interface,
> to the local net (10.0.0.0) on the second interface (10.0.0.1)
>
> for hardening purposes I configured squid to bind to the internal interface
> only (10.0.0.1:3128) and disabled
> all additional ports (icp_port etc.)
>
> now, there is one open port left and I'm not sure what's the purpose of
> this:
>
> udp 0 0 0.0.0.0:34806 0.0.0.0:* 6593/(squid)
>
> why does squid listen to udp requests ?

 - maybe pinger. Sends/accepts ICMP to measure traffic flows for balancing.
 - maybe DNS. squid needs to resolve destination addresses. It uses
DNS-UDP for this.

  squidclient mgr:filedescriptors
will give you a list of all sockets and pipes squid has currently open and
which module is using it.
For sockets open to requests it lists the remote hostname from the request.

> there seems to be a relation to these params:
>
> # udp_incoming_address 0.0.0.0
> # udp_outgoing_address 255.255.255.255
>
> but if I bind the udp port to the internal interface, squid won't resolve names
> anymore.
>
> why this?

The squid.conf docs are bad. These settings are used by ICP, HTCP, syslog,
and DNS.
They set the ADDRESS used to send/receive those types of traffic. Each
has its own port separate from these settings.

You may set it to the internal facing public address of your network for
extra security.
BUT, your internal services (DNS resolver, syslogd, ICP/HTCP peers) need
to be able to communicate with the address(es).
Specifically for DNS, resolv.conf needs to only contain NS that can talk
to that address.

>
> squid.conf is telling that these params are for icp sockets, not for dns
>
> # udp_incoming_address is used for the ICP socket receiving packets
> # from other caches.
> # udp_outgoing_address is used for ICP packets sent out to other
> # caches.
>
> any hints how to disable this port for listening or binding to internal
> interface only ?

Locate the module using it and check the options for that module.

>
> would it help if I update to the most recent squid release ?

If you are after paranoid security, the latest stable release of 2.6.
There are security advisories out for releases as recent as 2.6s11. Some
potential loopholes we have fixed as recently as 2.6s17.

Amos
Received on Thu Oct 11 2007 - 17:31:15 MDT
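As an added example (not part of the original thread, and not squid's own tooling), the two checks below cover the situation discussed above from the audit side: finding UDP sockets bound to the wildcard address 0.0.0.0, which is what the poster saw for squid's UDP socket, and listing resolvers in resolv.conf that sit outside the internal net, since Amos notes that pinning udp_incoming_address to the internal interface only works when every nameserver can reach that address. The netstat lines and resolv.conf contents are constructed samples in `netstat -nulp` layout; the internal prefix "10.0.0." (treating the poster's 10.0.0.0 as a /24) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread. Two small audit helpers
# for the situation discussed above: a squid UDP socket bound to 0.0.0.0
# and resolvers that must still be reachable once udp_incoming_address is
# pinned to the internal interface. The netstat and resolv.conf contents
# below are constructed samples, not output from the poster's system.

# Constructed sample in `netstat -nulp` layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address PID/Program
SAMPLE_NETSTAT='udp 0 0 0.0.0.0:34806 0.0.0.0:* 6593/(squid)
udp 0 0 10.0.0.1:41022 0.0.0.0:* 6593/(squid)
udp 0 0 127.0.0.1:53 0.0.0.0:* 1201/named'

# Constructed sample resolv.conf: one resolver on the internal net,
# one outside it (192.0.2.0/24 is the documentation range).
SAMPLE_RESOLV='nameserver 10.0.0.53
nameserver 192.0.2.53
search example.internal'

# wildcard_udp_sockets NETSTAT_TEXT
# Prints "PID/Program PORT" for every UDP socket whose local address is the
# wildcard 0.0.0.0, i.e. a socket reachable from every interface, including
# the internet-facing one in the poster's setup.
wildcard_udp_sockets() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && $4 ~ /^0\.0\.0\.0:/ {
            split($4, addr, ":")
            print $NF, addr[2]
        }'
}

# external_resolvers RESOLV_TEXT INTERNAL_PREFIX
# Prints each nameserver in RESOLV_TEXT that does not start with
# INTERNAL_PREFIX (e.g. "10.0.0."). Once udp_incoming_address is set to the
# internal interface, a resolver that cannot reach that address (typically
# one outside the internal net) makes name resolution fail, which is the
# symptom the poster reported.
external_resolvers() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        $1 == "nameserver" && index($2, prefix) != 1 { print $2 }'
}

# Stand-alone usage: report both findings for the constructed samples.
echo "UDP sockets bound to the wildcard address:"
wildcard_udp_sockets "$SAMPLE_NETSTAT"
echo "Resolvers outside the internal net (assumed 10.0.0.0/24):"
external_resolvers "$SAMPLE_RESOLV" "10.0.0."
```

On a real host, feed `netstat -nulp` output (or an `ss -nulp` equivalent with the fields adjusted) and `/etc/resolv.conf` to the two functions. This only identifies the owning process; to learn which squid module (pinger, DNS, ICP/HTCP) opened a given socket, use `squidclient mgr:filedescriptors` as Amos suggests.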

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT