> Hello,
>
> I'm somewhat new to squid "in depth" configuration and need some advice.
>
> I run an older squid release on a multi-homed system which connects to the
> internet on the first interface, and to the local net (10.0.0.0) on the
> second interface (10.0.0.1).
>
> For hardening purposes I configured squid to bind to the internal interface
> only (10.0.0.1:3128) and disabled all additional ports (icp_port etc.).
>
> Now there is one open port left and I'm not sure what the purpose of this is:
>
> udp   0   0   0.0.0.0:34806   0.0.0.0:*   6593/(squid)
>
> Why does squid listen for UDP requests?

- maybe pinger. Sends/accepts ICMP to measure traffic flows for balancing.
- maybe DNS. squid needs to resolve destination addresses. It uses DNS over UDP for this.

squidclient mgr:filedescriptors will give you a list of all sockets and pipes squid has currently open and which module is using it. For sockets open to requests it lists the remote hostname from the request.

> There seems to be a relation to these params:
>
> # udp_incoming_address 0.0.0.0
> # udp_outgoing_address 255.255.255.255
>
> but if I bind the UDP port to the internal interface, squid won't resolve names
> anymore.
>
> Why is this?

The squid.conf docs are bad. These settings are used by ICP, HTCP, syslog, and DNS. They set the ADDRESS used to send/receive those types of traffic. Each has its own port separate from these settings.

You may set it to the internal-facing public address of your network for extra security. BUT, your internal services (DNS resolver, syslogd, ICP/HTCP peers) need to be able to communicate with the address(es). Specifically for DNS, resolv.conf needs to only contain NS that can talk to that address.

> squid.conf is saying that these params are for ICP sockets, not for DNS:
>
> # udp_incoming_address is used for the ICP socket receiving packets
> # from other caches.
> # udp_outgoing_address is used for ICP packets sent out to other
> # caches.
>
> Any hints how to disable this port for listening, or bind it to the internal
> interface only?

Locate the module using it and check the options for that module.

> Would it help if I update to the most recent squid release?

If you are after paranoid security, the latest stable release of 2.6. There are security advisories out for releases as recent as 2.6s11. Some potential loopholes we have fixed as recently as 2.6s17.

Amos
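Added example, not part of the thread above and not Squid's own documentation: a squid.conf fragment for the setup the question describes (Squid bound to the internal interface 10.0.0.1, external interface on the internet), showing the default UDP address settings beside the pinned ones. The netstat line in the question shows a udp socket, which is Squid's DNS client rather than the pinger (the pinger uses ICMP). Directive names are the Squid 2.6 ones; the resolver address 10.0.0.53 is an assumption.

```conf
# Added example, not from the mailing-list thread. Assumes the internal
# interface is 10.0.0.1 (from the question) and an internal resolver at
# 10.0.0.53 (assumption).

# --- before: only the HTTP port is pinned. The UDP socket Squid uses for
# --- DNS still binds to the wildcard, which is the 0.0.0.0:<port> line
# --- seen in netstat.
#http_port 10.0.0.1:3128
#icp_port 0
#udp_incoming_address 0.0.0.0
#udp_outgoing_address 255.255.255.255

# --- after: pin HTTP and every UDP socket to the internal address.
http_port 10.0.0.1:3128

# No ICP/HTCP peers on this box, so do not open those ports at all.
icp_port 0
htcp_port 0

# Bind the remaining UDP sockets (DNS lookups here) to the internal address.
# The default udp_outgoing_address 255.255.255.255 means "same as
# udp_incoming_address"; setting both explicitly avoids any doubt.
udp_incoming_address 10.0.0.1
udp_outgoing_address 10.0.0.1

# DNS replies now have to come back to 10.0.0.1, so the resolver must be
# one that can reach that address. dns_nameservers overrides resolv.conf
# for Squid; alternatively keep resolv.conf to internal nameservers only.
dns_nameservers 10.0.0.53
```

After reconfiguring, confirm the result with `netstat -ulnp | grep squid` (or `squidclient mgr:filedescriptors`, which also names the module holding each socket): the UDP socket should now show 10.0.0.1:<port> instead of 0.0.0.0:<port>. If name resolution stops working at that point, it is the failure the thread describes: the nameserver Squid was using (typically a public one reached via the external interface) cannot answer to 10.0.0.1, so point Squid at a resolver on the internal network.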