Re: deny !Safe_ports, any critical reasons? (abuse..)

From: Oskar Pearson <[email protected]>
Date: Thu, 7 Jan 1999 01:06:56 +0200

Hi

> Are there any real bad things (tm) users authorized to use a squid cache
> could do if I would replace the default Safe_ports acl with
> something like "acl Safe_ports 1-65535"?

Yes, though what exactly they can do depends on the version of Squid.

With older Squids (1.0) they could do anything from IRC through the server
(happened to us a few weeks ago) to forge mail.

The newer Squid limits this kind of stuff a lot more: you may be able to
get away with it.... up to you. If I did enable random destination port
access I would set up a cron script that greps for ports outside the ranges
below every day: just so that you can keep an eye on things.

> --- snip - squid.conf ---
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> http_access deny !Safe_ports
> --- snap ---
>
> xxx
> Herwig Wittmann <herwig@atnet.at>
>
> [1] Usual apologies apply if this posting should be inappropriate -
> I joined this ML two days ago, but my fellow coworkers at our ISP
> want me to remove the mentioned default restriction, so I decided
> to post right now :P

Oskar

---
"Haven't slept at all. I don't see why people insist on sleeping. You feel
so much better if you don't. And how can anyone want to lose a minute -
a single minute of being alive?"        -- Think Twice
Received on Wed Jan 06 1999 - 15:39:54 MST
