Re: deny !Safe_ports, any critical reasons? (abuse..)

From: Jason Haar <[email protected]>
Date: Thu, 7 Jan 1999 14:24:01 +1300

On Thu, Jan 07, 1999 at 01:06:56AM +0200, Oskar Pearson wrote:
> The newer Squid limits this kind of stuff a lot more: you may be able to
> get away with it.... up to you. If I did enable random destination port
> access I would set up a cron script that greps for ports outside the ranges
> below every day: just so that you can keep an eye on things.
>

I did this slightly differently:

acl unsafe_ports port 1 7 9 11 13 15 17 19 20 22 23 25 26 27 37 43 53 57 70
77 79 87 88 95 101 102 103 109 110 110 111 111 113 115 117 119 123 137 138
143 144 465 563 512 513 514 515 520 526 530 531 532 540 543 544 556 600 749
750 751 754 992 993 995 989 990 442 465 563 992 993 994 995 989 990 901 1080

I basically scanned my services file for known services and told Squid not
to allow those ports - but to allow everything else.

I agree with you that the best idea is to scan your logs to see what ports
people are using...

I think this is a real nasty piece of work - for us it's not "a problem" as
only our users can use our Squid server and we trust our users ;-)

-- 
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
Received on Wed Jan 06 1999 - 18:01:34 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:55 MST