Re: [squid-users] Limiting outgoing port range.

From: Chad Naugle <Chad.Naugle_at_travimp.com>
Date: Tue, 05 Apr 2011 09:53:39 -0400

In short, I don't believe so. Squid isn't meant to be limited in such
ways, and I still stand firm in believing that OUTBOUND ports that get
bound to a local machine have no effect on firewalling. Only
DESTINATION ports are compared in firewall ACLs.

>>> "Thomas Pietsch" <Shivering_at_gmx.net> 4/5/2011 3:08 AM >>>
Hey, yes I am referring to outbound ports. I know there is no speed
advantage of doing so. It's simply a security matter (firewalling, trusted
parties and so on ...). So the proxy shall be running on the same machine
as the browser and then proxy every request and response through something
like 20 sockets. Is this possible via squid?

-------- Original Message --------
> Date: Mon, 04 Apr 2011 16:44:20 -0400
> From: "Chad Naugle" <Chad.Naugle_at_travimp.com>
> To: Shivering_at_gmx.net, squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Limiting outgoing port range.

> Are you referring to Squid's OUTBOUND ports, or the DESTINATION ports?
>
> Destination Ports could be done by stacking ACLs per user/group to a
> specific list of ports ACL, but that's a lot of ACL stacking for
> particular users, and the result is if they are outside of the range of
> ports, could result in an ACCESS_DENIED, depending on the requested URL.
> Ie --
>
> acl Joe_User <code to identify "Joe">
> acl Joe_Ports port 21
> acl Joe_Ports port 80
> acl Joe_Ports port 443
> acl Joe_Ports port 8080
>
> http_access allow Joe_User Joe_Ports
> http_access deny all
>
> But I would highly doubt that directly mapping SOURCE ports would be
> theoretically possible, because, for one, Squid does not _ALWAYS_ query
> a destination, as a function of it being a cache. And two, statically
> defining a port, or block of ports for a particular user or group can
> squelch the amount of possible users able to use the proxy,
> causing it not to scale well, amongst many other technical issues that
> can, and will only create bottlenecks.
>
> Also, selecting outbound source ports has no technical advantage /
> merit versus selecting destination ports, that I can think of.
>
>
> >>> <Shivering_at_gmx.net> 4/4/2011 4:22 PM >>>
> Hey,
> I need an HTTP proxy which synchronizes outgoing connections to a
> limited port range. For example to make only http connections via 20
> outgoing ports. Is squid able to do this with little effort? I've
> already searched the FAQ and the mail archive and only found this
> question/answer:
> http://www.mail-archive.com/squid-users@squid-cache.org/msg29951.html
> This is six years old. So I thought I'd give it a new try ^^. I
> appreciate any tips.
> Best regards

Travel Impressions made the following annotations
-------------------------------------------------------------
"This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use, or distribution of
the information included in this message and any attachments is
prohibited.  If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.
Thank you."
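The destination-port approach from Chad's earlier reply, written out as a complete squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the user name "joe", the password file and the auth helper path are assumptions and must be adapted to the local install.

```conf
# Added example (not from the thread): restrict one authenticated user
# to a fixed set of DESTINATION ports. Squid evaluates http_access rules
# top to bottom and stops at the first match, so order matters.

# Assumption: basic auth against a local htpasswd-style file. The helper
# path differs between Squid versions and distributions; adjust it.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Identify the user ("joe" is a constructed placeholder).
acl Joe_User proxy_auth joe

# One acl line can carry several values; this is equivalent to the
# four stacked "acl Joe_Ports port ..." lines in the quoted reply.
acl Joe_Ports port 21 80 443 8080

# CONNECT tunnels carry arbitrary traffic, so allow them only to the
# TLS port. Without this a client could tunnel to any port in Joe_Ports.
acl CONNECT method CONNECT
acl SSL_ports port 443

http_access deny CONNECT !SSL_ports
http_access allow Joe_User Joe_Ports
# Everything else, including Joe on any other destination port, is
# rejected; Squid answers with an access-denied error page.
http_access deny all
```

Test the policy with the proxy's own log: a request from joe to a port outside Joe_Ports should appear in access.log as TCP_DENIED, and one to port 80 should be served normally.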
Received on Tue Apr 05 2011 - 13:53:50 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 06 2011 - 12:00:03 MDT