Re: [squid-users] Firewalling the Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 28 Feb 2009 19:34:24 +1300

Jose Ildefonso Camargo Tolosa wrote:
> Hi!
>
> On Sat, Feb 28, 2009 at 4:43 PM, Nyamul Hassan <mnhassan_at_usa.net> wrote:
>> Hi,
>>
>> I was checking the requests to and from my proxy servers, and I noticed
>> that, while most src-port were TCP 80, 53, 443, some were very high TCP
>> ports. These high port packets would usually also be accompanied by an ICMP
>> request. Is this normal web server behaviour? In my firewall, accepting
>> src-port of TCP 80, 53, 443, or UDP 53, and ICMP, can I block all else
>> directed toward my proxy server?

No. There are no rules about what src-port can be.
Firewall dst-port that you don't want people getting access *to*.

An inbound HTTP connection accompanied by an ICMP echo sounds a lot like a
NetDB-enhanced HTTP proxy (Squid?) doing best-source detection.

Amos

>
> OK, you've got me a little confused about the "src-port"; maybe I'm just
> falling asleep now.
>
> Usually, connections work like this:
>
> client (any port above 1024, depends on OS, but usually a high port)
> ---> proxy (proxy port,3128) , proxy (local port, usually high port)
> ---> Remote Web Server (80,443,....).
>
> So, you will usually see a "high port" and a "normal port" associated
> with a connection; usually the high port is the "local part" and the low
> port is the "remote end", from the point of view of the machine that
> is initiating the connection. The IP,port combination is called a
> tuple, and each connection has a "local tuple" and a "remote tuple";
> the local tuple is usually referred to as the "source IP, source port",
> and usually has a high port associated with it (in the computer that
> is creating the connection; the remote end will see it reversed).
>
>> Thx in advance for your comments / suggestions.
>
> Any more info would be useful.
>
>> Regards
>> HASSAN
>>
>>
>
> c-ya!
>
> Ildefonso Camargo

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
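The point made in this thread (filter on the destination port you are protecting, plus connection state, because the remote side picks its own source port) can be shown with a small model of a host firewall in front of a forward proxy. This is an added example, not code from the list or from Squid; the addresses, the LAN prefix and the use of 3128 as the proxy's listening port are constructed assumptions.

```python
"""
Constructed model of two firewall policies for a proxy host:

  * src_port_policy: accept packets whose *source* port is 80/443/53
    (the policy asked about in the thread);
  * StatefulFirewall: accept replies to connections the proxy opened
    (tracked by 4-tuple) and new connections only to the proxy's own
    listening port from LAN clients.

All IPs, ports and the LAN prefix are constructed for the example.
"""
from dataclasses import dataclass

PROXY_IP = "192.0.2.10"     # constructed (documentation range)
LAN_PREFIX = "10.0.0."      # constructed client network
PROXY_PORT = 3128           # assumed proxy listening port (Squid's default)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False       # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Decides on destination port and tracked connection state.

    The conntrack set holds (local_ip, local_port, remote_ip, remote_port)
    tuples of connections the proxy itself initiated, so a web server's
    reply is accepted because we asked for it, not because it happens to
    carry source port 80 or 443."""

    def __init__(self):
        self.conntrack = set()

    def outbound(self, pkt):
        # proxy -> remote web server: remember the tuple so replies get in
        self.conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        # reply to a connection the proxy opened (tuple seen reversed)
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conntrack:
            return "ACCEPT"
        # brand-new connection: only the proxy service, only from the LAN
        if pkt.syn and pkt.dst_port == PROXY_PORT and pkt.src_ip.startswith(LAN_PREFIX):
            return "ACCEPT"
        return "DROP"


def src_port_policy(pkt):
    """Accept on the port the packet *claims* to come from.
    The sender chooses src_port, so this is not a trust boundary."""
    return "ACCEPT" if pkt.src_port in (80, 443, 53) else "DROP"


def demo():
    """Run three packets through both policies; returns
    {case: (src_port_policy verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    results = {}

    # 1. LAN client opens a connection to the proxy: high local port -> 3128
    client_syn = Packet("10.0.0.5", 51234, PROXY_IP, PROXY_PORT, syn=True)
    results["client_to_proxy"] = (src_port_policy(client_syn), fw.inbound(client_syn))

    # 2. proxy fetches the page for it: high local port -> remote 443
    fw.outbound(Packet(PROXY_IP, 40001, "203.0.113.7", 443))

    # 3. the web server's reply arrives with src 443 and dst = our high port
    reply = Packet("203.0.113.7", 443, PROXY_IP, 40001)
    results["server_reply"] = (src_port_policy(reply), fw.inbound(reply))

    # 4. unsolicited packet that merely sets src port 80, aimed at port 22
    unsolicited = Packet("198.51.100.9", 80, PROXY_IP, 22, syn=True)
    results["forged_src_port"] = (src_port_policy(unsolicited), fw.inbound(unsolicited))
    return results


if __name__ == "__main__":
    for case, (by_src, by_state) in demo().items():
        print(f"{case:16s} src-port policy: {by_src:6s} stateful/dst-port policy: {by_state}")
```

The model reproduces the thread's two observations: the web server's reply is accepted by both policies, but only the stateful policy accepts it for the right reason, and the same source-port rule that lets the reply in also admits an unsolicited packet to any other port on the host, while the destination-port rule drops it. It also shows a side effect of the proposed rule: the LAN client's own connection to the proxy, which carries a high ephemeral source port, would be dropped by a source-port whitelist.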
Received on Sat Feb 28 2009 - 06:34:05 MST
