Hello Amos,

many thanks for your hints! Very valuable!

> squidclient mgr:filedescriptors
> will give you a list of all sockets and pipes squid has currently open and
> which module is using it.

Here is the output from my system:

Active file descriptors:
File Type   Tout Nread  * Nwrite * Remote Address        Description
---- ------ ---- -------- -------- --------------------- ------------------------------
   3 Log       0       0        0                        /var/log/squid/cache.log
   5 Socket    0    2625     1393  .0                    DNS Socket
   6 File      0       0    52767                        /var/log/squid/access.log
   7 Pipe      0       0        0                        unlinkd -> squid
   8 File      0       0    47879                        /var/log/squid/store.log
   9 File      0       0     5904                        /var/cache/squid/swap.state
  10 Pipe      0       0        0                        squid -> unlinkd
  11 Socket 1440      70*       0  10.0.0.1.37335        cache_object://10.0.0.1/filedescriptors
  12 Socket    0       0*       0  .0                    HTTP Socket

vmhost:~ # netstat -anp |grep squid
tcp        0      0 10.0.0.60:3128          0.0.0.0:*               LISTEN      6408/(squid)
udp        0      0 0.0.0.0:34810           0.0.0.0:*                           6408/(squid)
unix  2      [ ]         DGRAM                    393012150 6406/squid
unix  2      [ ]         DGRAM                    393012149 6408/(squid)

Weird, I don't see any listening socket with squidclient - I would have
expected 3128 and 34810 here!?

> > would it help if i update to most recent squid release ?
>
> If you are after paranoid security. The latest stable release of 2.6.
> There are security advisories out for releases as recent as 2.6s11. Some
> potential loopholes we have fixed as recently as 2.6s17.

Mh, maybe the version I'm using is just too old. I think I will update for
features/bugfixes and compare. If I use squid only from the internal network,
and close all ports to the outside, an update because of security doesn't
really matter for me.

regards
roland

> -----Original Message-----
> From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
> Sent: 12.10.07 01:36:32
> To: devzero@xxxxxx
> CC: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: squid hardening - weird behaviour
>
> > Hello,
> >
> > I'm somewhat new to squid "in depth" configuration and need some advice.
> >
> > I run an older squid release on a multi-homed system which connects to the
> > internet on the first interface,
> > to the local net (10.0.0.0) on the second interface (10.0.0.1)
> >
> > For hardening purposes I configured squid to bind to the internal interface
> > only (10.0.0.1:3128) and disabled
> > all additional ports (icp_port etc.)
> >
> > Now, there is one open port left and I'm not sure what's the purpose of
> > this:
> >
> > udp 0 0 0.0.0.0:34806 0.0.0.0:* 6593/(squid)
> >
> > Why does squid listen to udp requests?
>
> - maybe pinger. Sends/accepts ICMP to measure traffic flows for balancing.
> - maybe DNS. squid needs to resolve destination addresses. It uses
> DNS-UDP for this.
>
> squidclient mgr:filedescriptors
> will give you a list of all sockets and pipes squid has currently open and
> which module is using it.
> For sockets open to requests it lists the remote hostname from the request.
>
> > There seems to be a relation to these params:
> >
> > # udp_incoming_address 0.0.0.0
> > # udp_outgoing_address 255.255.255.255
> >
> > but if I bind the udp port to the internal interface, squid won't resolve
> > names anymore.
> >
> > Why this?
>
> The squid.conf docs are bad. These settings are used by ICP, HTCP, syslog,
> and DNS.
> They set the ADDRESS used to send/receive those types of traffic. Each
> have their own port separate from these settings.
>
> You may set it to the internal facing public address of your network for
> extra security.
> BUT, your internal services (DNS resolver, syslogd, ICP/HTCP peers) need
> to be able to communicate with the address(es).
> Specifically for DNS, resolv.conf needs to only contain NS that can talk
> to that address.
>
> > squid.conf is telling that these params are for icp sockets, not for dns:
> >
> > # udp_incoming_address is used for the ICP socket receiving packets
> > # from other caches.
> > # udp_outgoing_address is used for ICP packets sent out to other
> > # caches.
> >
> > Any hints how to disable this port for listening or bind it to the internal
> > interface only?
>
> Locate the module using it and check the options for that module.
>
> > would it help if i update to most recent squid release ?
>
> If you are after paranoid security. The latest stable release of 2.6.
> There are security advisories out for releases as recent as 2.6s11. Some
> potential loopholes we have fixed as recently as 2.6s17.
>
> Amos
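The confusion in the thread comes from comparing two tools that describe sockets differently: the cachemgr table has no local-address column (only File, Type, Tout, Nread, Nwrite, Remote Address, Description), so the listeners that netstat shows as 10.0.0.60:3128 and 0.0.0.0:34810 can only be recognised in squidclient output by their description ("HTTP Socket", "DNS Socket") and by having no peer. The script below is an added example, not code from the thread or from the Squid project; it parses both outputs quoted above (embedded as constructed samples), lists Squid's sockets with and without a peer, and flags anything the OS shows bound to a wildcard address, which is exactly the udp_incoming_address point Amos raises. It assumes the Squid 2.x row layout (`%4d %-6.6s %4d %7d%c %7d%c %-21s %s`, a trailing `*` on a counter when a handler is armed, and Remote Address printed as `<ip>.<port>` so a socket with no peer shows as `.0`); check those assumptions against your own Squid version before relying on the result.

```python
"""Cross-check Squid's socket inventory (squidclient mgr:filedescriptors)
against the OS view of the same process (netstat -anp)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the cachemgr table posted in the thread, re-aligned to
# the ruler line that Squid prints under the column headers.
FD_TABLE = """\
Active file descriptors:
File Type   Tout Nread  * Nwrite * Remote Address        Description
---- ------ ---- -------- -------- --------------------- ------------------------------
   3 Log       0       0        0                        /var/log/squid/cache.log
   5 Socket    0    2625     1393  .0                    DNS Socket
   6 File      0       0    52767                        /var/log/squid/access.log
   7 Pipe      0       0        0                        unlinkd -> squid
   8 File      0       0    47879                        /var/log/squid/store.log
   9 File      0       0     5904                        /var/cache/squid/swap.state
  10 Pipe      0       0        0                        squid -> unlinkd
  11 Socket 1440      70*       0  10.0.0.1.37335        cache_object://10.0.0.1/filedescriptors
  12 Socket    0       0*       0  .0                    HTTP Socket
"""

# Constructed sample: the `netstat -anp | grep squid` lines from the thread.
NETSTAT = """\
tcp        0      0 10.0.0.60:3128          0.0.0.0:*               LISTEN      6408/(squid)
udp        0      0 0.0.0.0:34810           0.0.0.0:*                           6408/(squid)
unix  2      [ ]         DGRAM                    393012150 6406/squid
unix  2      [ ]         DGRAM                    393012149 6408/(squid)
"""

# One row: "%4d %-6.6s %4d %7d%c %7d%c %-21s %s" (Squid 2.x layout, assumed).
# Counters are matched by regex rather than by column offset because a
# counter wider than 7 digits shifts everything after it to the right.
ROW_RE = re.compile(
    r"^\s*(?P<fd>\d+)\s+(?P<type>\S+)\s+(?P<tout>\d+)\s+"
    r"(?P<nread>\d+)(?P<rflag>[* ])\s+(?P<nwrite>\d+)(?P<wflag>[* ])\s(?P<rest>.*)$"
)


@dataclass
class FdEntry:
    fd: int
    type: str
    timeout_min: int
    nread: int
    read_pending: bool      # trailing '*' on Nread: a read handler is armed
    nwrite: int
    write_pending: bool
    remote: str             # printed as <ip>.<port>; no peer -> ".0" (assumed)
    description: str

    @property
    def has_peer(self) -> bool:
        return self.remote not in ("", ".0")


def parse_fd_table(text: str) -> list[FdEntry]:
    """Parse the mgr:filedescriptors table into FdEntry records."""
    lines = text.splitlines()
    ruler = next(l for l in lines if l.startswith("---- "))
    remote_width = len(ruler.split()[-2])   # Remote Address width, 21 in 2.x
    entries = []
    for line in lines[lines.index(ruler) + 1:]:
        m = ROW_RE.match(line)
        if not m:
            continue
        rest = m["rest"]    # Remote Address column followed by Description
        entries.append(FdEntry(
            fd=int(m["fd"]), type=m["type"], timeout_min=int(m["tout"]),
            nread=int(m["nread"]), read_pending=m["rflag"] == "*",
            nwrite=int(m["nwrite"]), write_pending=m["wflag"] == "*",
            remote=rest[:remote_width].strip(),
            description=rest[remote_width:].strip()))
    return entries


def parse_netstat(text: str, pid: int) -> list[tuple[str, str, str]]:
    """Return (proto, local address, state) for inet sockets owned by pid."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        owner = re.match(r"(\d+)/", parts[-1])
        if not owner or int(owner.group(1)) != pid:
            continue
        state = parts[5] if parts[0].startswith("tcp") else ""  # UDP has no State
        found.append((parts[0], parts[3], state))
    return found


def audit(fd_text: str, netstat_text: str, pid: int) -> dict:
    """Summarise both views; wildcard binds are what the hardening is about."""
    sockets = [e for e in parse_fd_table(fd_text) if e.type == "Socket"]
    os_view = parse_netstat(netstat_text, pid)
    return {
        # No local-address column exists, so listeners show up only by
        # description ("HTTP Socket", "DNS Socket") and an empty peer.
        "squid_sockets_without_peer": [(e.fd, e.description) for e in sockets if not e.has_peer],
        "squid_sockets_with_peer": [(e.fd, e.remote, e.description) for e in sockets if e.has_peer],
        "os_inet_sockets": os_view,
        "wildcard_binds": [local for _, local, _ in os_view
                           if local.startswith(("0.0.0.0:", ":::"))],
    }


if __name__ == "__main__":
    for key, value in audit(FD_TABLE, NETSTAT, 6408).items():
        print(f"{key}: {value}")
```

On the sample data the report pairs the two peer-less Squid sockets (fd 5 "DNS Socket", fd 12 "HTTP Socket") with the two inet sockets the OS attributes to PID 6408, and the only wildcard bind it flags is the UDP port, which is the one Amos attributes to DNS and udp_incoming_address. To run it against a live proxy, replace the two constructed strings with the captured output of `squidclient mgr:filedescriptors` and `netstat -anp` and pass Squid's PID.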