Re: IP2P & Skype question

Linux Advanced Routing and Traffic Control

Yes, I too have been reading these things asking myself why one would
allow users such open access.  One reason, of course, is that it is
difficult to allow some HTTP but not other, so if the port is 80, it
pretty much has to be OK.  So how would squid (or anything else except
perhaps Layer 7) know that this particular connection is A Bad Thing?

One word, er name, Squid (Caching Proxy). Squid is *WONDERFUL* Squid has saved my life *SO* many times. The ACL system, though difficult to understand at first, is extremely flexible and easy to work with once you get down Squid's syntax. I can easily define an ACL as such:

acl my_acl_name dstdomain .domain_I_dont_like.tld
http_access deny my_acl_name

Squid works completely inside of the HTTP (layer 7) protocol, or FTP protocol, or many other protocols.  These are just some of the benefits of using an application layer gateway.

I have been successful at limiting the number of FTP connections per
user using iptables' connlimit and helper.  That's where I'd start.  And
if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
and 1 for FTP.
iptables -N HTTP
# packets of connections that were already accepted pass straight through,
# so they are never counted against (or dropped by) the limit below
iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
# count only new connection attempts (SYN), per source address (/32 by default)
iptables -A HTTP -p tcp --syn -m connlimit --connlimit-above 3 -j DROP
iptables -A HTTP -j RETURN

If the traffic that you are trying to connlimit is internal to your LAN I would recommend that you REJECT the traffic as this will prevent the client user agents from having to time out.

# client -> web server
iptables -A FORWARD -p tcp --dport 80 -j HTTP
# web server -> client
iptables -A FORWARD -p tcp --sport 80 -j HTTP
# FTP control and (helper-tracked) data connections; needs the ftp conntrack helper loaded
iptables -A FORWARD -m helper --helper ftp -j HTTP

In conjunction with my ACL (posted here a while back; it limits specific
users to specific ports), the above would not be total deny, but it sure
would put a dent in abuse.



Grant. . . .
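The per-protocol limits discussed above (2 for HTTP, 1 for FTP) with REJECT for LAN clients and DROP for everyone else, as an added example that is not part of the original post or Grant's ruleset. It emits an iptables-restore fragment rather than running iptables directly; the LAN prefix and the two limits are parameters you supply, and the chain names HTTP_LIMIT and FTP_LIMIT are assumed, not from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# fragment that limits parallel HTTP and FTP connections per client address.
# LAN clients over the limit get a TCP reset (browsers fail fast); others are
# silently dropped. Chain names HTTP_LIMIT / FTP_LIMIT are assumed.
#
# Usage: connlimit_rules 192.168.1.0/24 2 1 | iptables-restore -n
#   (-n / --noflush appends to the running ruleset instead of replacing it)

connlimit_rules() {
    lan_net="$1"   # e.g. 192.168.1.0/24 (assumed LAN prefix)
    http_max="$2"  # parallel HTTP connections allowed per client IP
    ftp_max="$3"   # parallel FTP control connections allowed per client IP
    cat <<EOF
*filter
:HTTP_LIMIT - [0:0]
:FTP_LIMIT - [0:0]
# Accept packets of already-tracked connections first: connlimit counts the
# client's existing connections on every packet, so a client that is over
# the limit would otherwise lose its established sessions too.
-A HTTP_LIMIT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Count only new attempts (SYN), grouped per source /32.
-A HTTP_LIMIT -s $lan_net -p tcp --syn -m connlimit --connlimit-above $http_max --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A HTTP_LIMIT -p tcp --syn -m connlimit --connlimit-above $http_max --connlimit-mask 32 -j DROP
-A HTTP_LIMIT -j RETURN
# FTP: limit the control connection; data connections arrive as RELATED
# (via the ftp conntrack helper) and are accepted by the first rule.
-A FTP_LIMIT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FTP_LIMIT -s $lan_net -p tcp --syn -m connlimit --connlimit-above $ftp_max --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A FTP_LIMIT -p tcp --syn -m connlimit --connlimit-above $ftp_max --connlimit-mask 32 -j DROP
-A FTP_LIMIT -j RETURN
-A FORWARD -p tcp --dport 80 -j HTTP_LIMIT
-A FORWARD -p tcp --dport 21 -j FTP_LIMIT
COMMIT
EOF
}
```

The FTP branch only works if the ftp conntrack helper is loaded (nf_conntrack_ftp, or ip_conntrack_ftp on older kernels), otherwise passive data connections show up as unrelated NEW connections and are counted against the limit. Only the `--dport` direction is hooked into FORWARD; return traffic from the servers is ESTABLISHED and needs no chain of its own.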