Re: [squid-users] Limiting outgoing port range.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 Apr 2011 11:37:34 +1200

>>>> "Thomas Pietsch" 4/5/2011 3:08 AM >>>
> Hey, yes I am referring to outbound ports. I know there is no speed
> advantage of doing so. It's simply a security matter (firewalling, trusted
> parties and so on .. ). So the proxy shall be running on the same machine
> as the browser and then proxy every request and response through smth
> like 20 sockets. Is this possible via squid?

 On Tue, 05 Apr 2011 09:53:39 -0400, Chad Naugle wrote:
> In short, I don't believe so. Squid isn't meant to be limited in such
> ways, and I still stand firm in believing that OUTBOUND ports that get
> bound to a local machine have no effect on firewalling. Only
> DESTINATION ports are compared in Firewall ACLs.
>

 Two conflicts prevent this even being considered...

  TCP requires a waiting period (TCP_TIME_WAIT state in the firewall
 "netstat" display) to ensure that all traffic on the Internet which
 might be delayed by some routing situation does not screw up later use
 of the port. Binding for example 20 ports will not only make Squid
 limited to 20 parallel requests but also limit it to 20 new connections
 *per time-wait period*. The default time-wait is 5 minutes IIRC, and
 the firewall starts to fail if it goes down much closer to a minute.
  Average usage for a small home situation consumes around 1-4
 connections per second. Do the math... average web page load times around
 1-2 minutes. Nobody is going to stand for that these days.

  Also, in HTTP the outbound connection to servers has no relation to
 inbound connections from clients. The traffic is combined, split,
 rejected, served from cache or relayed on a request-by-request basis. So
 from a firewall perspective if any one outbound connection by the proxy
 is untrustworthy they are all suspect.

 Thomas,
   It is best to assign trust by the firewall to the proxy application
 or the proxy low-privileged user account.
   If you do go ahead with the port range limit you need to configure
 the OS underneath Squid to assign only from that range, or port-map
 (NAPT) the Squid outgoing connections into it. Then face the TCP effects
 mentioned above.

 Amos

>
> -------- Original Message --------
>> Date: Mon, 04 Apr 2011 16:44:20 -0400
>> From: "Chad Naugle"
>
>> Are you referring to Squid's OUTBOUND ports, or the DESTINATION ports?
>>
>> Destination Ports could be done by stacking ACLs per user/group to a
>> specific list of ports ACL, but that's a lot of ACL stacking for
>> particular users, and the result is if they are outside of the range of
>> ports, could result in an ACCESS_DENIED, depending on the requested URL.
>> I.e. --
>>
>> acl Joe_User <code to identify "Joe">
>> acl Joe_Ports port 21
>> acl Joe_Ports port 80
>> acl Joe_Ports port 443
>> acl Joe_Ports port 8080
>>
>> http_access allow Joe_User Joe_Ports
>> http_access deny all
>>
>> But I would highly doubt that directly mapping SOURCE ports would be
>> theoretically possible, because, for one, Squid does not _ALWAYS_ query
>> a destination, as a function of it being a cache. And two, statically
>> defining a port, or block of ports for a particular user or group can
>> squelch the amount of possible users to be able to use the proxy,
>> causing it not to scale well, amongst many other technical issues that
>> can, and will only create bottlenecks.
>>
>> Also, selecting outbound source ports has no technical advantage /
>> merit versus selecting destination ports, that I can think of.
>>
>>
>> >>> <Shivering_at_gmx.net> 4/4/2011 4:22 PM >>>
>> Hey,
>> I need an HTTP proxy which synchronizes outgoing connections to a
>> limited port range. For example to make only http connections via 20
>> outgoing ports. Is squid able to do this with little effort? I've
>> already searched the FAQ and the mail archive and only found this
>> question/answer:
>>
>> http://www.mail-archive.com/squid-users@squid-cache.org/msg29951.html .
>> This is six years old. So I thought I give it a new try ^^. I
>> appreciate any tips.
>> Best regards
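The two OS-side approaches Amos names (shrinking the kernel's ephemeral port range, or port-mapping only Squid's outbound connections into the pool) together with the "do the math" TIME_WAIT budget, as an added example. This is editor-written illustration, not Squid project code and not something posted by anyone in the thread. Everything it relies on is assumed: a Linux host with iptables and ss, Squid running as the user "proxy", an external interface eth0 with address 203.0.113.10, a 20-port pool 40000-40019, and Linux's 60-second TIME_WAIT hold. The sample ss lines in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid's code). Assumptions, all
# hypothetical: Linux, iptables, ss; Squid runs as user "proxy"; external
# interface eth0 with address 203.0.113.10; pool 40000-40019; TIME_WAIT 60 s.

PORT_LO=40000
PORT_HI=40019
SQUID_USER=proxy
IFACE=eth0
EXT_IP=203.0.113.10
TIME_WAIT_SECONDS=60

# Option A: shrink the kernel's ephemeral range to the pool. This applies to
# every process on the host, not only Squid, so it is the blunter choice.
restrict_ephemeral_range() {
    sysctl -w net.ipv4.ip_local_port_range="$PORT_LO $PORT_HI"
}

# Option B: leave the kernel range alone and NAPT only the proxy's outbound
# TCP into the pool, matched on the uid Squid runs as. A firewall upstream
# then sees pool source ports only for traffic that originated from that user.
napt_squid_only() {
    iptables -t nat -A POSTROUTING -o "$IFACE" -p tcp \
        -m owner --uid-owner "$SQUID_USER" \
        -j SNAT --to-source "$EXT_IP:$PORT_LO-$PORT_HI"
}

# Budget: each pool port can start one fresh connection per TIME_WAIT period,
# so the sustainable rate is pool_size / time_wait. Integer arithmetic.
# Usage: max_new_conns_per_minute POOL_SIZE TIME_WAIT_SECONDS
max_new_conns_per_minute() {
    echo $(( $1 * 60 / $2 ))
}

# Seconds needed to open N fresh connections (one per request, no reuse)
# through a pool of the given size.
# Usage: seconds_to_open N POOL_SIZE TIME_WAIT_SECONDS
seconds_to_open() {
    echo $(( $1 * $3 / $2 ))
}

# Count pool ports currently sitting in TIME_WAIT. Reads the output of
#   ss -Htan state time-wait
# on stdin; with a state filter and -H the columns are Recv-Q, Send-Q,
# local-address:port, peer-address:port, so the local endpoint is field 3.
# The port is the text after the last ':' (works for [::1]:40003 too).
count_pool_time_wait() {
    awk -v lo="$PORT_LO" -v hi="$PORT_HI" '
        { n = split($3, a, ":"); p = a[n] + 0; if (p >= lo && p <= hi) c++ }
        END { print c + 0 }'
}

pool_size=$(( PORT_HI - PORT_LO + 1 ))

# Dispatch: "sysctl" or "napt" apply one option (needs root); "check" reports
# the budget and the live TIME_WAIT occupancy of the pool. No argument: no-op.
case "${1:-}" in
    sysctl) restrict_ephemeral_range ;;
    napt)   napt_squid_only ;;
    check)
        echo "pool: $pool_size ports, $(max_new_conns_per_minute "$pool_size" "$TIME_WAIT_SECONDS") new connections/minute"
        echo "100 fresh connections need at least $(seconds_to_open 100 "$pool_size" "$TIME_WAIT_SECONDS") s"
        echo "pool ports in TIME_WAIT now: $(ss -Htan state time-wait | count_pool_time_wait)"
        ;;
esac
```

With the 20-port pool the budget works out to 20 new connections per minute, so a page that needs 100 fresh server connections cannot complete in under 300 seconds, which is the effect the reply above is pointing at. The budget assumes one new TCP connection per request; where Squid reuses an open server connection the pressure on the pool is lower, but the per-port TIME_WAIT hold still applies to every connection that closes. Running `check` after a short browsing session and seeing the pool count near 20 is the quickest way to confirm on a real host that the pool, not the server, is the bottleneck.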
Received on Tue Apr 05 2011 - 23:37:41 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 06 2011 - 12:00:03 MDT