I just put iptables on our squid box and noticed some very strange activity (IPs have been changed to protect the innocent):

[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140 RES=0x00 ACK PSH FIN URGP=0

I have literally thousands of these where it looks like squid is actively opening connections (well trying...) to the outside world. The intervals are somewhat random (and if you really care I can extrapolate them).

It has to be squid because the source port is 3128, my squid port... but it cannot be a user making the request as I have a very limited range of ports for squid to proxy. Two apps cannot use the same port unless one lets go for a bit, but squid has been up for about 2 months and doesn't release the port ever (does it?).

Have I gone insane? Is there a way that squid is actually doing this? If squid is doing this is there something I can turn on to ask it why, the access log shows nothing resembling this, and the acls should stop it?

Thanks for any clock cycles this gets in your brains.

Pat

Squid version 2.6.1-3ubuntu1.3

--- squid conf ---
http_port 3128
cache_mem 10 MB
memory_pools_limit 5 MB
logfile_rotate 30
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic program /usr/lib/squid/ldap_auth <...>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server LDAP
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl Password proxy_auth REQUIRED
acl Localnet src 10.0.0.0/255.0.0.0
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow Password
http_access deny all
http_access allow Localnet
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
emulate_httpd_log on
access_log /var/log/squid/access.log
cache_effective_user proxy
cache_effective_group proxy
--- end squid conf ---
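
When thousands of dropped-packet lines like the one quoted in the post above need triage, it helps to split each line into its fields and TCP flags and count them by direction. The following is an added example, not part of the original post: the function names, the documentation-range addresses and the second sample line are assumptions made for illustration, and the classification rests on the TCP rule that only a bare SYN opens a connection.

```python
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

# Constructed sample in the format quoted in the post; the addresses are
# documentation-range placeholders and the second line is invented for contrast.
SAMPLE = """\
[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140 RES=0x00 ACK PSH FIN URGP=0
[44165040.110000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5120 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Split one netfilter LOG line into KEY=VALUE fields and a set of TCP flags."""
    tokens = line.split(": ", 1)[-1].split()      # drop the timestamp and log prefix
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = {t for t in tokens if t in TCP_FLAGS}  # URGP=0 is a field, not the URG flag
    return fields, flags


def classify(fields, flags, listen_port):
    """Label a logged outbound packet by its role in the TCP conversation."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound-connection"   # bare SYN: this host is opening a connection
    if fields.get("SPT") == str(listen_port):
        # No bare SYN and the local port is the listening port: consistent with
        # a segment on a connection that a client opened to the listener.
        return "listener-side-segment"
    return "established-other"


def summarize(log_text, listen_port=3128):
    """Count logged packets per (classification, SPT, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        fields, flags = parse_line(line)
        kind = classify(fields, flags, listen_port)
        counts[(kind, fields.get("SPT"), fields.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```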