[squid-users] Config seems to allow CONNECT to privileged ports

From: Ralf Hildebrandt <[email protected]>
Date: Thu, 22 May 2003 10:38:30 +0200

Our config (below) seems to allow access to privileged ports. Proof:
$ telnet 192.168.220.204 888
Trying 192.168.220.204...
Connected to 192.168.220.204.
Escape character is '^]'.
CONNECT postamt1.charite.de:22 HTTP/1.0

HTTP/1.0 Connection established

SSH-1.99-OpenSSH_3.1p1

---------------
What needs to be changed?

http_port 888
icp_port 3130
htcp_port 4827
cache_peer spidergirl.charite.de sibling 888 3130 proxy-only
cache_peer spiderman.charite.de sibling 888 3130 proxy-only
cache_peer_domain spidergirl.charite.de .de
cache_peer_domain spiderman.charite.de !.de
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex u-berlin.de cgi-bin \? .asp .ASP
no_cache deny QUERY
cache_mem 1000 MB
maximum_object_size 65536 KB
cache_dir diskd /squid-cache0 16000 256 256
cache_dir diskd /squid-cache1 16000 256 256
cache_swap_log /squid-data/content/cache_swap_log
ftp_user Squid@charite.de
ftp_list_width 80
redirect_children 20
request_body_max_size 10 MB
refresh_pattern -i \.gif$ 600 50% 40320
refresh_pattern -i \.jpe?g$ 600 50% 40320
refresh_pattern -i \.tif?f$ 600 50% 40320
refresh_pattern -i \.png$ 600 50% 40320
refresh_pattern -i \.mov$ 600 50% 40320
refresh_pattern -i \.qt$ 600 50% 40320
refresh_pattern -i \.avi$ 600 50% 40320
refresh_pattern -i \.mpe?g$ 600 50% 40320
refresh_pattern -i \.wav$ 600 50% 40320
refresh_pattern -i \.au$ 600 50% 40320
refresh_pattern -i \.aif?f$ 600 50% 40320
refresh_pattern -i \.ps$ 360 30% 40320
refresh_pattern -i \.pdf$ 360 30% 40320
refresh_pattern -i \.gz$ 360 30% 40320
refresh_pattern -i \.Z$ 360 30% 40320
refresh_pattern -i \.zip$ 360 30% 40320
refresh_pattern . 180 30% 20160
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl NotebookRFrey src 193.175.68.130
http_access allow manager NotebookRFrey
acl NotebookKDS src 193.175.68.66
http_access allow manager NotebookKDS
acl PCG src 141.42.111.84 193.175.68.240
http_access allow manager PCG
acl UWP src 193.175.68.128
http_access allow manager UWP
acl proxy_hosts dst 192.168.220.201/255.255.255.255 193.175.73.201/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 23 80 82 83 21 70 210 322 443 554 563 581 1025-5999 6001-65535
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
acl POST method POST
acl proxy_port port 888
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
acl in_gesperrte_hosts src 172.20.100.0/255.255.255.0 172.21.100.0/255.255.255.0 172.22.100.0/255.255.255.0 172.23.100.0/255.255.255.0 172.24.100.0/255.255.255.0 172.25.100.0/255.255.255.0 172.27.100.0/255.255.255.0 172.30.100.0/255.255.255.0 172.31.100.0/255.255.255.0 141.42.89.0/255.255.255.0
acl modem_hosts src 172.26.0.0/255.255.0.0
acl modem_allowed_hosts dst 193.175.72.0/255.255.255.0 141.42.111.66/255.255.255.255 192.168.168.229/255.255.255.255 141.42.111.222/255.255.255.255 193.175.66.246/255.255.255.255 141.42.111.28/255.255.255.255 141.42.47.57/255.255.255.255 141.42.111.221/255.255.255.255 193.175.66.249/255.255.255.255
acl modem_denied_hosts dst 141.42.0.0/255.255.0.0 193.175.64.0/255.255.248.0 193.175.75.0/255.255.255.0 192.168.0.0/255.255.0.0 172.16.0.0/255.240.0.0
acl modem_allowed_rest dst 0.0.0.0/0.0.0.0
http_access allow modem_hosts modem_allowed_hosts
http_access deny modem_hosts modem_denied_hosts
http_access allow modem_hosts modem_allowed_rest
acl out_gesperrte_hosts dstdomain skyinet.net
acl FTP proto FTP
acl PUT method PUT
http_access deny FTP PUT
http_access deny in_gesperrte_hosts
http_access deny out_gesperrte_hosts
acl worm urlpath_regex -i \.eml$
http_access deny worm
acl nws urlpath_regex -i \.nws$
http_access deny nws
acl charite-hosts src 141.42.0.0/255.255.0.0
http_access allow charite-hosts
acl virchow-hosts src 193.175.64.0/255.255.248.0 193.175.75.0/255.255.255.0
http_access allow virchow-hosts
acl private-name src 192.168.0.0/255.255.0.0 172.16.0.0/255.240.0.0
http_access allow private-name
acl charite-buch src 194.94.4.0/255.255.254.0 193.175.174.0/255.255.255.0
http_access allow charite-buch
acl hamann src 141.14.154.130 141.14.154.131 141.14.154.132 141.14.154.133 141.14.154.134
http_access allow hamann
acl niesen src 141.14.150.10
http_access allow niesen
acl steinhoff src 141.14.19.53
http_access allow steinhoff
acl herzel src 141.20.65.183
http_access allow herzel
acl pgeorgie src 195.96.247.135
http_access allow pgeorgie
acl bioinf src 193.175.74.65
acl ncbi dst 130.14.29.110
http_access allow bioinf ncbi
acl CACHES src spiderman.charite.de spidergirl.charite.de spiderboy.charite.de
acl CGI urlpath_regex cgi \?
icp_access allow CACHES !CGI
http_access deny all
cache_mgr fw-admin@charite.de
visible_hostname spiderboy.charite.de
logfile_rotate 0
forwarded_for off
icp_hit_stale on
cachemgr_passwd all none
store_avg_object_size 8 KB
error_directory /usr/share/squid/errors/German
snmp_port 3401
acl snmphost src 193.175.68.253/255.255.255.255
snmp_access allow snmphost
snmp_access deny !snmphost

-- 
Ralf Hildebrandt (Im Auftrag des Referat V a)   Ralf.Hildebrandt@charite.de
Charite Campus Mitte                            Tel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix
Received on Thu May 22 2003 - 02:38:44 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:51 MST