Re: Negative caching of access denied errors

From: Peter Polkinghorne <[email protected]>
Date: Mon, 24 May 1999 15:07:04 +0200

Greg Stark <gsstark@mit.edu> said:
> Reuben Farrelly <reuben-squid@mira.net> writes:

> > You'll need to add 81 to the list of "safe ports" in your
> > squid.conf

> Indeed, as several people pointed out. It seems the debian default
> config only lists 1025-5000 and a few ports under that. I have no
> idea why there should be any distinction between privileged and
> unprivileged ports (indeed it seems the security people would be more
> anxious about tunnelling to unprivileged ports).

This is a UNIXism - but quite reasonable to restrict who can start services
on the "well known ports" - which are mostly under 1024. Obviously what is
running on what remote port is not under your control and should not be
relied on.

> <rant>

> And I really hope nobody runs production proxies configured to
> disallow random ports. If so you seriously degrade service to people
> using your proxies. Web sites can and do use any random ports they
> please, and there's absolutely no reason they shouldn't.

Why should they use random port numbers - while it is true URLs can tell
you to go to random port numbers, TCP applications are usually found via
well known port numbers - after all email does NOT encode the port number,
it is just the well known SMTP one of 25.

> If you're afraid of people tunnelling other traffic through your
> proxy then you can't run a proxy, restricting by ports doesn't stop
> the black hats but does seriously affect users. Yet another case of
> security people valuing dubious security through obscurity over
> essential functionality. Hmph.

Well obviously you can have dangerous ports acl to stop tunneling to other
services. As far as we are concerned we use dangerous ports, partly because
people can go direct (with few exceptions such as SMTP) and we do not wish to
have people anonymised. Our users have not complained.

But the important point is that Squid gives you the choice of what to do.

So stay calm :-)

-- 
-----------------------------------------------------------------------------
| Peter Polkinghorne, Computer Centre, Brunel University, Uxbridge, UB8 3PH,|
| Peter.Polkinghorne@brunel.ac.uk   +44 1895 274000 x2561       UK          |
-----------------------------------------------------------------------------
Received on Mon May 24 1999 - 08:09:22 MDT
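As an added illustration (not from the original thread and not Squid's shipped default configuration), here are the two policies discussed above written as squid.conf fragments: the allow-list with port 81 added, and the deny-list of "dangerous ports" that lets everything else through. The port lists themselves are constructed for the example; adjust them to local policy.

```conf
# --- Policy A: allow-list of "safe" ports (the approach Reuben suggested) ---
# Requests to any port not listed here are refused, so a site on port 81
# is unreachable until 81 is added. 1025-65535 covers unprivileged ports.
acl Safe_ports port 80 81        # http, plus the port 81 site from the thread
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 70           # gopher
acl Safe_ports port 210          # wais
acl Safe_ports port 1025-65535   # unprivileged ports
acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 488          # gss-http
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
http_access deny !Safe_ports

# CONNECT tunnels are restricted separately, regardless of which policy is used,
# since CONNECT carries arbitrary TCP and is the usual tunnelling vector.
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# --- Policy B: deny-list of "dangerous" ports (the approach Peter describes) ---
# Everything is reachable except services you do not want anonymised
# through the proxy. Ports here are a constructed example, not a recommendation.
acl Dangerous_ports port 25      # smtp: relaying mail via the proxy
acl Dangerous_ports port 23      # telnet
acl Dangerous_ports port 119     # nntp
http_access deny Dangerous_ports

# Either way the usual client ACLs follow; order matters, first match wins.
acl localnet src 192.0.2.0/24    # constructed example network
http_access allow localnet
http_access deny all
```

Only one of the two policy blocks would normally be active in a given squid.conf; they are shown together so the difference in default-deny versus default-allow is visible side by side.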

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:24 MST