Mailinglist Archive: opensuse-security (670 mails)
RE: [suse-security] Limit Squid Port Range
- From: "Andreas Achtzehn" <suse-security@xxxxxxxxxxxxxxx>
- Date: Tue, 13 Nov 2001 17:53:53 +0100
- Message-id: <000901c16c63$c7685470$0100a8c0@paris>
> From: d_lord@xxxxxx [mailto:d_lord@xxxxxx]
> Hi list,
>
> maybe my question is a bit stupid but I can't find
> a useful answer myself (usual way FAQ, google....).
> So let's have a look if YOU know more about this *gg*.
>
> I have set up an ipchains script. Default deny all.
> I don't want squid to go through the whole port range
> 1024-65355 but limit the use on ports from 1024:3120. I've
> tried different ACLs and none of them worked for me. Now I
> think there should be another option but I just can't find it :-(
>
> My squid is Version 2.4
> ipchains Version 1.3.10
>
> Output Rule:
> ipchains -A output -i $EXT -p tcp -s $EXTIP 1024:3120 --dport 80 -j ACCEPT
>
How do you like this idea?
ipchains -A input -i $EXT -p tcp ! --syn --dport 1024:4999 -j ACCEPT
Now it's not possible to open a new connection to a port between 1024
and 4999. Why should you want to limit your outgoing port range?
Regards, Andreas
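
The two rules quoted in this thread, modelled as an added example that is not part of the original messages: a small Python evaluation of the output and input rules under the "default deny all" policy, run over constructed sample packets. It assumes interface and address matching (`$EXT`, `$EXTIP`) already succeeded; the class and function names are hypothetical.

```python
# Added illustration: a minimal model of the two ipchains rules quoted in this
# thread, evaluated under the "default deny all" policy the poster describes.
# Assumption: interface and address matching ($EXT, $EXTIP) already succeeded.
from dataclasses import dataclass

@dataclass(frozen=True)
class Tcp:
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

def is_syn(p):
    # ipchains -y/--syn matches SYN set with ACK and FIN cleared,
    # i.e. a connection request.
    return p.syn and not p.ack and not p.fin

def output_chain(p):
    # ipchains -A output ... -s $EXTIP 1024:3120 --dport 80 -j ACCEPT
    if 1024 <= p.sport <= 3120 and p.dport == 80:
        return "ACCEPT"
    return "DENY"  # default policy

def input_chain(p):
    # ipchains -A input ... ! --syn --dport 1024:4999 -j ACCEPT
    if not is_syn(p) and 1024 <= p.dport <= 4999:
        return "ACCEPT"
    return "DENY"  # default policy

def evaluate(direction, pkt):
    return output_chain(pkt) if direction == "out" else input_chain(pkt)

# Constructed sample packets (not captured traffic).
SAMPLES = [
    ("out", "proxy SYN from port 2000 to a web server", Tcp(2000, 80, syn=True)),
    ("out", "proxy SYN from port 40000 to a web server", Tcp(40000, 80, syn=True)),
    ("in", "SYN-ACK reply to port 2000", Tcp(80, 2000, syn=True, ack=True)),
    ("in", "unsolicited SYN to port 2000", Tcp(55000, 2000, syn=True)),
    ("in", "ACK to port 5000, outside 1024:4999", Tcp(80, 5000, ack=True)),
]

if __name__ == "__main__":
    for direction, label, pkt in SAMPLES:
        print(f"{evaluate(direction, pkt):6}  {direction:3}  {label}")
```

The second sample shows that the output rule only filters: a connection leaving from a source port above 3120 is dropped, not moved into the allowed range.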