Limit Squid Port Range
Hi list,

maybe my question is a bit stupid but I can't find a useful answer myself (usual way: FAQ, google...). So let's have a look if YOU know more about this *gg*.

I have set up an ipchains script. Default deny all. I don't want squid to go through the whole port range 1024-65355 but limit the use on ports from 1024:3120. I've tried different ACLs and none of them worked for me. Now I think there should be another option but I just can't find it :-(

My squid is Version 2.4, ipchains Version 1.3.10

Output Rule: ipchains -A output -i $EXT -p tcp -s $EXTIP 1024:3120 --dport 80 -j ACCEPT

All works fine till squid tries to use port 3121 :-(

Now I get those ugly messages in /var/log/messages:
..kernel: Packet log: output DENY eth0 Proto=6 IP1:Port>3120 IP2:80....

init 1 and back is the only option I know to get rid of this without opening the firewall.

I would be glad if you know a fix for this problem

D. Lord
--
GMX - The communication platform on the Internet. http://www.gmx.net
> maybe my question is a bit stupid but I can't find a useful answer myself (usual way: FAQ, google...). So let's have a look if YOU know more about this *gg*.
>
> I have set up an ipchains script. Default deny all. I don't want squid to go through the whole port range 1024-65355 but limit the use on ports from 1024:3120. I've tried different ACLs and none of them worked for me.

Why do you want this? The standard port range is 1024:4999 (cat /proc/sys/net/ipv4/ip_local_port_range); you can change this by doing

echo "32000 59000" > /proc/sys.../ip_local_port_range

This is default TCP/IP behaviour. It seems you don't really know about tcp/ip, so don't change this.
Markus
--
Markus Gaugusch   ICQ 11374583
markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
Hi,

On 12-Nov-01 d_lord@gmx.de wrote:

> Hi list,
>
> maybe my question is a bit stupid but I can't find a useful answer myself (usual way: FAQ, google...). So let's have a look if YOU know more about this *gg*.
>
> I have set up an ipchains script. Default deny all. I don't want squid to go through the whole port range 1024-65355 but limit the use on ports from 1024:3120. I've tried different ACLs and none of them worked for me. Now I think there should be another option but I just can't find it :-(
>
> My squid is Version 2.4, ipchains Version 1.3.10
>
> Output Rule: ipchains -A output -i $EXT -p tcp -s $EXTIP 1024:3120 --dport 80 -j ACCEPT
>
> All works fine till squid tries to use port 3121 :-(
>
> Now I get those ugly messages in /var/log/messages:
> ..kernel: Packet log: output DENY eth0 Proto=6 IP1:Port>3120 IP2:80....
>
> init 1 and back is the only option I know to get rid of this without opening the firewall.
>
> I would be glad if you know a fix for this problem
>
> D. Lord

With Squid's ACLs, you can assign safe_ports for the cache to use. Take a look at Squid's online documentation: http://squid.visolve.com/squid24s1/access_controls.htm#acl

Boris Lorenz
> with Squid's ACLs, you can assign safe_ports for the cache to use.

safe_ports is only the list of ports squid is allowed to connect TO (destination). This is still useful, because there have been vulnerabilities that could have been prevented by filtering destination ports.

Markus
--
Markus Gaugusch   ICQ 11374583
markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
From: d_lord@gmx.de [mailto:d_lord@gmx.de]

> Hi list,
>
> maybe my question is a bit stupid but I can't find a useful answer myself (usual way: FAQ, google...). So let's have a look if YOU know more about this *gg*.
>
> I have set up an ipchains script. Default deny all. I don't want squid to go through the whole port range 1024-65355 but limit the use on ports from 1024:3120. I've tried different ACLs and none of them worked for me. Now I think there should be another option but I just can't find it :-(
>
> My squid is Version 2.4, ipchains Version 1.3.10
>
> Output Rule: ipchains -A output -i $EXT -p tcp -s $EXTIP 1024:3120 --dport 80 -j ACCEPT

How do you like this idea?

ipchains -A input -i $EXT -p tcp ! --syn --dport 1024:4999 -j ACCEPT

Now it's not possible to open a new connection to a port between 1024 and 4999. Why should you want to limit your outgoing port range?

Regards,
Andreas
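The thread's underlying problem is a mismatch between two ranges: the source-port range the output rule accepts (1024:3120) and the ephemeral range the kernel actually allocates from (ip_local_port_range, 1024:4999 in Markus's reply). Squid does not choose its source port; the kernel does, so once it hands out 3121 the packet is denied and logged. The following shell script is an added example, not part of the thread, that reads the kernel range, counts how many ephemeral ports a given rule leaves unaccepted, and prints an output rule whose source-port range matches the kernel's. The interface name eth0, the address 192.0.2.10 and the fallback range used when /proc is absent are constructed placeholders; the script only prints the suggested rule and never calls ipchains.

```shell
#!/bin/sh
# Added example (not from the thread): compare the source-port range an
# ipchains output rule permits with the kernel's ephemeral port range.

# kernel_port_range: print "<lo> <hi>" from /proc on Linux. On systems without
# that file, fall back to the 2.4-era default quoted in the thread (constructed
# fallback so the script still runs offline).
kernel_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr -s '\t ' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "1024 4999"
    fi
}

# range_covers FW_LO FW_HI K_LO K_HI: succeed (exit 0) only when the firewall
# range [FW_LO,FW_HI] contains the whole kernel range [K_LO,K_HI].
range_covers() {
    [ "$1" -le "$3" ] && [ "$2" -ge "$4" ]
}

# uncovered_ports FW_LO FW_HI K_LO K_HI: print how many ephemeral ports the
# kernel may allocate that the rule would not accept. These are the ports that
# eventually show up as "output DENY ... Port>3120" in the log.
uncovered_ports() {
    fw_lo=$1; fw_hi=$2; k_lo=$3; k_hi=$4
    lo=$k_lo; [ "$fw_lo" -gt "$lo" ] && lo=$fw_lo   # intersection lower bound
    hi=$k_hi; [ "$fw_hi" -lt "$hi" ] && hi=$fw_hi   # intersection upper bound
    covered=0
    [ "$hi" -ge "$lo" ] && covered=$((hi - lo + 1))
    echo $(( (k_hi - k_lo + 1) - covered ))
}

# suggested_output_rule IFACE SRC_IP K_LO K_HI: print an output rule in the
# thread's own shape, with the source-port range set to the kernel range.
# Interface and address are hypothetical placeholders supplied by the caller.
suggested_output_rule() {
    printf 'ipchains -A output -i %s -p tcp -s %s %s:%s --dport 80 -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
}

# Stand-alone run: check the thread's 1024:3120 rule against the live kernel range.
set -- $(kernel_port_range)
printf 'kernel ephemeral range: %s-%s\n' "$1" "$2"
if range_covers 1024 3120 "$1" "$2"; then
    echo 'rule 1024:3120 covers the whole ephemeral range'
else
    printf 'rule 1024:3120 leaves %s ephemeral ports denied; suggested rule:\n' \
        "$(uncovered_ports 1024 3120 "$1" "$2")"
    suggested_output_rule eth0 192.0.2.10 "$1" "$2"
fi
```

With the thread's numbers (rule 1024:3120, kernel 1024:4999) the script reports 1879 denied ephemeral ports, which is exactly the 3121-4999 tail the original poster saw in the logs. Narrowing ip_local_port_range to fit the rule, rather than widening the rule, reduces the number of simultaneous outbound connections the box can hold, which is the practical reason Markus advises against it.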
participants (4)
- Andreas Achtzehn
- Boris Lorenz
- d_lord@gmx.de
- Markus Gaugusch