Mailinglist Archive: opensuse-security (670 mails)
RE: [suse-security] Limit Squid Port Range
- From: Boris Lorenz <bolo@xxxxxxx>
- Date: Tue, 13 Nov 2001 12:48:58 +0100 (CET)
- Message-id: <XFMail.011113124858.bolo@xxxxxxx>
Hi,
On 12-Nov-01 d_lord@xxxxxx wrote:
> Hi list,
>
> maybe my question is a bit stupid but I can't find
> a useful answer myself (usual way FAQ, google....).
> So let's have a look if YOU know more about this *gg*.
>
> I have set up an ipchains script. Default deny all.
> I don't want squid to go through the whole port range
> 1024-65355 but limit the use on ports from 1024:3120
> I've tried different ACLs and none of them worked for me.
> Now I think there should be another option but I just
> can't find it :-(
>
> My squid is Version 2.4
> ipchains Version 1.3.10
>
> Output Rule:
> ipchains -A output -i $EXT -p tcp -s $EXTIP 1024:3120 --dport 80 -j ACCEPT
>
> All works fine till squid tries to use port 3121 :-(
>
> Now I get those ugly messages in /var/log/messages
> ..kernel: Packet log: output DENY eth0 Proto=6 IP1:Port>3120 IP2:80....
>
> init 1 and back is the only option I know to get rid of this
> without opening the firewall.
>
> I would be glad if you know a fix for this problem

With Squid's ACLs, you can assign safe_ports for the cache to use.
Take a look at Squid's online documentation:
http://squid.visolve.com/squid24s1/access_controls.htm#acl

> D. Lord
Boris Lorenz <bolo@xxxxxxx>
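
A check for the mismatch described in the question, added here as an example and not part of the original thread: it compares the source-port range the output rule permits (1024:3120) with the range the kernel hands out for outgoing connections. It assumes a Linux host that exposes that range in /proc/sys/net/ipv4/ip_local_port_range and that the proxy's outgoing connections take their source ports from it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does the firewall's permitted source-port range cover the
# kernel's local (ephemeral) port range?

# Source-port range allowed by the output rule quoted in the post.
ALLOW_LO=1024
ALLOW_HI=3120

# Assumption: Linux path holding "low<TAB>high"; override for testing.
RANGE_FILE="${RANGE_FILE:-/proc/sys/net/ipv4/ip_local_port_range}"

# uncovered_ports ALLOW_LO ALLOW_HI LOCAL_LO LOCAL_HI
# Prints how many ports of the local range lie outside the allowed range.
uncovered_ports() {
    a_lo=$1; a_hi=$2; l_lo=$3; l_hi=$4
    total=$(( l_hi - l_lo + 1 ))
    # Intersection of the two ranges (empty if o_hi < o_lo).
    o_lo=$(( a_lo > l_lo ? a_lo : l_lo ))
    o_hi=$(( a_hi < l_hi ? a_hi : l_hi ))
    overlap=$(( o_hi >= o_lo ? o_hi - o_lo + 1 : 0 ))
    echo $(( total - overlap ))
}

# check_range: returns 0 if every local port is permitted by the rule,
# 1 if some would be denied, 2 if the range file cannot be read.
check_range() {
    if [ ! -r "$RANGE_FILE" ]; then
        echo "cannot read $RANGE_FILE" >&2
        return 2
    fi
    read -r local_lo local_hi < "$RANGE_FILE"
    missing=$(uncovered_ports "$ALLOW_LO" "$ALLOW_HI" "$local_lo" "$local_hi")
    if [ "$missing" -eq 0 ]; then
        echo "OK: local range $local_lo-$local_hi is inside $ALLOW_LO:$ALLOW_HI"
        return 0
    fi
    echo "MISMATCH: $missing ports in $local_lo-$local_hi fall outside $ALLOW_LO:$ALLOW_HI"
    return 1
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_range
fi
```

A MISMATCH result means connections from ports outside the rule will be logged as DENY, as in the kernel message quoted above.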