Re: [squid-users] Blocking non-safe ports

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 22 Jul 2008 23:26:47 +1200

Paul Cocker wrote:
> The first three http_access lines in my squid.conf file look like this:
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
>
> Yet if I try and connect to http://bbc.co.uk:16825 I get a Connection
> Timed Out error not an Access Denied one. Isn't it the later I should be
> expecting to see, assuming 16825 is not listed in the Safe_ports ACL?

Assuming it's not listed, that would be a problem. However, I bet you have
the default Safe_Ports listing?

That default includes the range 1024-65536 as 'safe'. In a network
security context the dangerous ports are the 0-1024 range, which are all
commonly used for public services. While ports outside that small set
may in reality be unsafe sometimes, it's not good to assume that
everywhere all the time, since ports over 1024 are randomly assigned on
most new connections.

What Safe_Ports means to squid is a list of ports which are _probably_
safe. So blocking everything omitted from that list is a Good Idea(tm).

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
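As an added illustration (not from this thread or the Squid project), a small Python check that parses `acl Safe_ports port ...` lines and reports whether `http_access deny !Safe_ports` would fire for a given URL. The first list reproduces the stock squid.conf Safe_ports block; the tightened list is a hypothetical site-specific one.

```python
from urllib.parse import urlsplit

# Reproduced from the stock squid.conf Safe_ports block; the parser
# ignores the trailing '#' comments just as Squid does.
DEFAULT_SAFE_PORTS = """
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
"""

# Hypothetical tightened list: only the services this site proxies.
TIGHT_SAFE_PORTS = """
acl Safe_ports port 80 443 21
"""


def parse_port_acl(conf: str, name: str = "Safe_ports") -> list:
    """Return (lo, hi) tuples from every 'acl <name> port ...' line."""
    ranges = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) < 4 or parts[:3] != ["acl", name, "port"]:
            continue
        for spec in parts[3:]:                     # "80" or "1025-65535"
            lo, _, hi = spec.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_of(url: str) -> int:
    """Explicit port from the URL, else the scheme default."""
    u = urlsplit(url)
    return u.port or (443 if u.scheme == "https" else 80)


def denied_by_safe_ports(url: str, conf: str) -> bool:
    """True when 'http_access deny !Safe_ports' would match this URL."""
    p = port_of(url)
    return not any(lo <= p <= hi for lo, hi in parse_port_acl(conf))
```

With the stock list, port 16825 falls inside 1025-65535, so the deny rule never matches and the request proceeds to the origin (hence a timeout rather than an access-denied page).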
Received on Tue Jul 22 2008 - 11:26:49 MDT
