
Safe_ports ACL (or not) and low-numbered ports

The default Safe_ports ACL allows a few low (below 1025) ports, and allows the unprivileged ports above 1024. I'm preparing to roll out a squid cache for use in a university environment and had planned to use that ACL pretty much as it was, except...

In testing I was denied access by my squid cache when trying to follow a web link; turns out the web server at the destination was at port 81. I don't suspect that lower numbered ports as http: servers (other than the typical 80) are all that common, and yet every time someone tries to get to one of these and gets denied by the cache (and gripes about it) it'll be my problem, and I'll probably have to allow these atypical ports as they come up and cause probs.

Looking at the squid FAQ*, they say you can instead choose to be more permissive, allow all ports minus those specifically denied, something like:

acl Dangerous_ports port 7 9 19 22 23 25 53 109 110 119
http_access deny Dangerous_ports

But it has the disclaimer that one should consult /etc/services and make up your own Dangerous_ports ACL, and I don't feel I'd be qualified to know all the pitfalls, as they relate to proxying, in that list of services below 1025.

Can any of you using such an approach (allow http_access to everything minus a few denied ports) let me know if you've used the Dangerous_ports ACL out of the FAQ, or if it in reality needs to include other ports? The squid box will be busy enough without having to relay the world's (or the university's) spam or malware :-)

Thanks!


* best FAQ around, hugely useful. Thanks to everyone who made that available
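A small Python model of Squid's first-match http_access evaluation, comparing the two policies the post discusses (an added example, not from the post or from Squid itself): the Safe_ports excerpt is constructed from Squid's stock squid.conf, and the denylist is the FAQ line with its `port` keyword. It shows why port 81 is refused under the whitelist but passes under the denylist, and what happens when no rule matches.

```python
"""Model Squid's port-ACL evaluation for the two policies discussed above.

Parses only the squid.conf subset needed here:
  acl NAME port P [P ...]          P is "80" or a range "1025-65535"
  http_access allow|deny [!]NAME [[!]NAME ...]
Squid walks http_access lines top to bottom; the first line whose ACLs all
match decides. If nothing matches, the opposite of the LAST line's action
applies, which is why a trailing "http_access deny all" matters.
"""

def parse_conf(text):
    """Return ({acl: [(lo, hi), ...]}, [(action, [(negated, acl), ...]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl" and len(tok) > 3 and tok[2] == "port":
            spans = acls.setdefault(tok[1], [])
            for p in tok[3:]:
                lo, _, hi = p.partition("-")     # "1025-65535" -> (1025, 65535)
                spans.append((int(lo), int(hi or lo)))
        elif tok[0] == "http_access":
            rules.append((tok[1], [(t.startswith("!"), t.lstrip("!")) for t in tok[2:]]))
    return acls, rules

def port_matches(acls, name, port):
    """'all' is Squid's built-in match-everything ACL; others are port spans."""
    return name == "all" or any(lo <= port <= hi for lo, hi in acls.get(name, []))

def decide(conf, port):
    """Return 'allow' or 'deny' for a request to the given destination port."""
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        if all(port_matches(acls, n, port) != neg for neg, n in terms):
            return action
    # no rule matched: Squid applies the opposite of the last rule's action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

# Constructed excerpt of Squid's default whitelist policy (localnet rules omitted)
SAFE_PORTS_CONF = """
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl Safe_ports port 1025-65535   # unregistered ports
http_access deny !Safe_ports
http_access allow all
"""

# The denylist alternative from the FAQ
DANGEROUS_PORTS_CONF = """
acl Dangerous_ports port 7 9 19 22 23 25 53 109 110 119
http_access deny Dangerous_ports
http_access allow all
"""
```

Calling `decide(SAFE_PORTS_CONF, 81)` gives `deny` while `decide(DANGEROUS_PORTS_CONF, 81)` gives `allow`; a config whose last line is a non-matching `deny` silently allows, which is the case the trailing `deny all` exists to close.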
