Re: [squid-users] squid hardening - weird behaviour

From: <devzero@dont-contact.us>
Date: Fri, 12 Oct 2007 23:35:12 +0200

> > weird, i don't see any listening socket with squidclient - i would have expected 3128 and 34810 here !?
>
> So did I. Mine shows them. Should have 0.0.0.0.0 (last .0 is port).
> Maybe it is slightly different in 2.x than 3.0 in this regard.

yes, seems so.
i updated to latest release and now i see

Active file descriptors:
File Type Tout Nread * Nwrite * Remote Address Description
---- ------ ---- -------- -------- --------------------- ------------------------------
   0 Log 0 0 0 stdin
   1 Log 0 0 0 stdout
   2 Log 0 0 0 stderr
   3 Log 0 0 0 /usr/local/squid/var/logs/cache.log
   6 Socket 0 603 353 .0 DNS Socket
   7 File 0 0 8828 /usr/local/squid/var/logs/access.log
   8 Pipe 0 0 0 unlinkd -> squid
   9 File 0 0 2607 /usr/local/squid/var/logs/store.log
  10 File 0 0 104 /usr/local/squid/var/cache/swap.state
  11 Pipe 0 0 0 squid -> unlinkd
  12 Socket 1440 70 0* 10.0.0.60.38093 Reading next request
  13 Socket 0 0 0 .0 HTTP Socket
  17 Socket 0 2667* 44096 10.0.0.10.2531 Waiting for next request

vmhost:/usr/local/squid/bin # netstat -anp |grep squid
tcp 0 0 10.0.0.60:3128 0.0.0.0:* LISTEN 8552/squid
udp 0 0 0.0.0.0:34838 0.0.0.0:* 8552/squid
unix 2 [ ] DGRAM 393925789 8552/squid

> Anyway, despite the missing port numbers:
> cache_object://... is squidclient getting the list itself
> that leaves only DNS and HTTP listener TCP/UDP Sockets
> and the two unlinkd pipes (listed as unix by netstat).
>
> So it does appear to be DNS.
>
> Squid will drop any packets received from NS not listed either in
> dns_nameservers in squid.conf, or in resolv.conf as your local ones.

so, let me repeat:
squid is opening an extra udp socket for ICP, HTCP, syslog and DNS.
udp_incoming_address and udp_outgoing_address are relevant config
params for this.

we can't get rid of this port because we would break DNS for squid.

#udp_incoming_address is used for the ICP socket receiving packets
# from other caches.

So this is just half of the truth because it is relevant not only for ICP, but
for DNS, too, correct?
should "we" fix this in the docs? (unfortunately, i cannot give much input)

btw - any reason why squid doesn't use host resolver routines for DNS lookup ?
(i.e. something like gethostbyname() etc, so this would also get cached by nscd ....)

regards
Roland
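The thread boils down to a hardening check: the UDP socket squid opens for DNS (and ICP/HTCP) was bound to 0.0.0.0, so it is reachable on every interface unless udp_incoming_address / udp_outgoing_address pin it. The following is an added POSIX shell audit, not code from the thread or from the Squid project: it reads `netstat -anp` style lines, reports squid-owned UDP sockets bound to a wildcard address, and prints the squid.conf directives that pin them to one address. The sample netstat lines are constructed from the ones quoted above (pid, port and address are illustrative), and the claim that these two directives also govern the DNS socket is taken from the thread, not verified here.

```shell
#!/bin/sh
# Added audit helper; sample input constructed from the netstat lines quoted
# in the thread (pid 8552, port 34838 and address 10.0.0.60 are illustrative).
SAMPLE_NETSTAT='tcp 0 0 10.0.0.60:3128 0.0.0.0:* LISTEN 8552/squid
udp 0 0 0.0.0.0:34838 0.0.0.0:* 8552/squid
unix 2 [ ] DGRAM 393925789 8552/squid'

# Read `netstat -anp` style lines on stdin and print one line per squid-owned
# UDP socket bound to a wildcard address (0.0.0.0 or ::), i.e. a socket that
# accepts datagrams on every interface. Output format: "udp <port> <pid>".
wildcard_udp_sockets() {
    awk '$1 == "udp" && $NF ~ /\/squid$/ {
        addr = $4; port = $4
        sub(/:[0-9]*$/, "", addr)     # "0.0.0.0:34838" -> "0.0.0.0"
        sub(/^.*:/, "", port)         # "0.0.0.0:34838" -> "34838"
        split($NF, owner, "/")        # "8552/squid"    -> owner[1] = pid
        if (addr == "0.0.0.0" || addr == "::")
            print "udp " port " " owner[1]
    }'
}

# Number of wildcard-bound squid UDP sockets in the input on stdin.
count_wildcard_udp() {
    wildcard_udp_sockets | wc -l | tr -d ' '
}

# squid.conf directives that pin squid's UDP traffic (ICP/HTCP and, according
# to the thread, the DNS resolver socket) to one address chosen by the caller.
squid_udp_pin_config() {
    printf 'udp_incoming_address %s\nudp_outgoing_address %s\n' "$1" "$1"
}

# Demo run against the constructed sample; on a real host feed
# `netstat -anp | grep squid` into the same functions instead.
n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_wildcard_udp)
if [ "$n" -gt 0 ]; then
    echo "$n squid UDP socket(s) bound to a wildcard address:"
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_udp_sockets
    echo "pin them in squid.conf with:"
    squid_udp_pin_config 10.0.0.60
else
    echo "no wildcard-bound squid UDP sockets found"
fi
```

Pinning the socket does not remove the port (the thread is right that squid still needs it for DNS); it only limits which interface answers, and squid's own filter on replies from unlisted nameservers (dns_nameservers / resolv.conf) remains the second layer.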
Received on Fri Oct 12 2007 - 15:36:10 MDT
