[squid-users] (Firewall) How to filter icp packets?

From: Roberto Inzerillo <[email protected]>
Date: Wed, 3 Apr 2002 17:25:34 +0200 (MEST)

Hi all,
 I'm setting up two strong iptables linux firewalls in order to share two
single ADSL external lines with a lan that should be prevented from external
(and internal) attacks.
On both Firewalls I run a caching Squid-proxy, in order to serve the LAN
from both external connection, on port 3128 (icp: 3130) in a load balancing way.
I wish to create a good sibling hierarchy, but I want to prevent any
malicious usage, both from the LAN and from the external web.
That's why I use an iptables firewall which policies are DROP for INPUT,
OUTPUT and FORWARD.
It seems to work correctly for inner to outside http/s (via proxy), dns,
ping, but inner sibling goes broken. I don't succed in well restricting UDP
connection in the LAN without breaking communications between the two
Squid-caches. I always get "found DEAD sibling" on my cache.log short after I start the
firewall script. It works great wihout, but is useless if I use my filtering
script.
I used to accept all outgoing and incoming udp traffic between the two Squid
hosts on port 3130 but it seems not to be enough.

I'm a little confused, so I'm trying now to better understand how ICP works
for cache_peering ... but ... there is so few documentation out there and ICP
packet filtering doesn't seem to be very interesting on the net (I tryed
google.com, deja.com and so on without finding conclusive discussions about
that).

Is there anyone who can point me to a "ICP explained" style discussion about
such communication standard?

The only thing I find is that UDP packets (ICP are UDP packets, right?) are
not connection oriented.
There is a little iptables tutorial explaining that iptables uses the state
machine for UDP too. Assuming eth0 is internal interface of Proxy1,
192.168.1.1 is Proxy1, 192.168.1.2 is Proxy2, It meens that it could be firewalled
this way (I write here just the ICP relating part):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -o eth0 -s 192.168.1.1 -d 192.168.1.2 -p udp -sport 3130
-j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.1 -s 192.168.1.2 -p udp -dport 3130
-m state --state ESTABLISHED,RELATED -j ACCEPT

or maybe:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -o eth0 -s 192.168.1.1 -d 192.168.1.2 -p udp -sport 3130
-j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.1 -s 192.168.1.2 -p udp -dport 3130
-j ACCEPT

And the specular script on Proxy2.
So unusefull UDP packets will be dropped (strong security).

Any comments? Hints? Suggestions?
    they're all wellcome,
            thank you guys,
                     Roberto Inzerillo

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net
Received on Wed Apr 03 2002 - 08:25:37 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:20 MST