Re: Blocking non-safe ports

Paul Cocker wrote:
The first three http_access lines in my squid.conf file look like this:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
Yet if I try and connect to http://bbc.co.uk:16825 I get a Connection
Timed Out error, not an Access Denied one. Isn't it the latter I should be
expecting to see, assuming 16825 is not listed in the Safe_ports ACL?

Assuming it's not listed, that would be a problem. However, I bet you have the default Safe_ports listing?

That default includes the range 1024-65536 as 'safe'. In a network security context the dangerous ports are the 0-1024 range, which are all commonly used for public services. While ports outside that small set may in reality be unsafe sometimes, it's not good to assume that everywhere all the time, since ports over 1024 are randomly assigned on most new connections.

What Safe_ports means to squid is a list of ports which are _probably_ safe. So blocking everything omitted from that list is a Good Idea(tm).

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
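As an added illustration (not code from the thread or from the Squid project), the small Python model below shows why the question above gets a timeout rather than a denial: squid merges every `acl Safe_ports port` line into one ACL, and `http_access deny !Safe_ports` only fires when the destination port is outside that merged set. The squid.conf fragment is constructed, modelled on the stock default list, and only port-based ACL terms are evaluated (the `manager`/`localhost` lines are skipped).

```python
import re

# Constructed squid.conf fragment, modelled on the stock Safe_ports list.
# The 1025-65535 line is what makes port 16825 "safe" by default.
DEFAULT_CONF = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl Safe_ports port 80 21 443 70 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280 488 591 777
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
"""

# The same fragment with the catch-all high-port range removed.
TIGHT_CONF = DEFAULT_CONF.replace("acl Safe_ports port 1025-65535\n", "")


def parse_port_acls(conf):
    """Collect 'acl NAME port ...' lines into {name: [(lo, hi), ...]}.
    Repeated lines with the same name extend the same ACL, as in squid."""
    acls = {}
    for line in conf.splitlines():
        m = re.match(r"\s*acl\s+(\S+)\s+port\s+(.*)", line)
        if not m:
            continue
        name, spec = m.groups()
        for tok in spec.split():
            lo, _, hi = tok.partition("-")  # "80" or "1025-65535"
            acls.setdefault(name, []).append((int(lo), int(hi or lo)))
    return acls


def port_in_acl(acls, name, port):
    return any(lo <= port <= hi for lo, hi in acls.get(name, []))


def decision_for_port(conf, port):
    """Walk http_access lines in order; return 'allow'/'deny' from the first
    line whose port-based terms all match, or None if no port rule matched
    (squid would then go on to later rules and try the connection)."""
    acls = parse_port_acls(conf)
    for line in conf.splitlines():
        m = re.match(r"\s*http_access\s+(allow|deny)\s+(.*)", line)
        if not m:
            continue
        verdict, terms = m.groups()
        matched = True
        for term in terms.split():
            negate = term.startswith("!")
            name = term.lstrip("!")
            # Non-port ACLs are not modelled here: treat the line as unmatched.
            if name not in acls or port_in_acl(acls, name, port) == negate:
                matched = False
                break
        if matched:
            return verdict
    return None
```

Running `decision_for_port(DEFAULT_CONF, 16825)` returns None (no denial, so squid tries to connect and times out), while the same call against `TIGHT_CONF` returns 'deny'.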
