Pat Riehecky wrote:
> I just put iptables on our squid box and noticed some very strange
> activity (IPs have been changed to protect the innocent):
>
> [44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0
> SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=40 TOS=0x00
> PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140
> RES=0x00 ACK PSH FIN URGP=0
>
> I have literally thousands of these where it looks like squid is
> actively opening connections (well trying...) to the outside world. The
> intervals are somewhat random (and if you really care I can extrapolate
> them).
>
> It has to be squid because the source port is 3128, my squid port... but
> it cannot be a user making the request as I have a very limited range of
> ports for squid to proxy. Two apps cannot use the same port unless one
> lets go for a bit, but squid has been up for about 2 months and doesn't
> release the port ever (does it?).

Only connections *to* squid will use port 3128. Outgoing connections will use a random high port. Try looking at your access log to see what's been accessed.
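
An added example, not part of either poster's message: Python that parses log lines in the iptables LOG format quoted above and uses the TCP flags to separate packets that open a new connection (SYN without ACK) from packets sent from the listening port on a connection a client opened. The second sample line is constructed, and the function names and category labels are assumptions made for this example.

```python
import re
from collections import Counter

# First line is the entry quoted in the post; the second is constructed
# to show what a genuinely new outbound connection would look like.
SAMPLE_LOG = """\
[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140 RES=0x00 ACK PSH FIN URGP=0
[44165040.100000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5120 DF PROTO=TCP SPT=45112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split a LOG line into KEY=value fields and the bare TCP flag tokens."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def classify(line, listen_port=3128):
    """Label one logged packet by who opened the connection it belongs to."""
    fields, flags = parse_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    # Only the first packet of a connection carries SYN without ACK.
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound-connection"
    # Anything else leaving from the listening port belongs to a
    # connection that a client made *to* that port.
    if fields.get("SPT") == str(listen_port):
        return "reply-on-client-connection"
    return "other-established-traffic"


def summarize(log_text, listen_port=3128):
    """Count packet categories across a block of LOG lines."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return dict(Counter(classify(l, listen_port) for l in lines))


if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOG).items():
        print(f"{count:5d}  {category}")
```
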