Re: Firewalling the Proxy

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Nyamul Hassan wrote:
> Thank you all for your comments.  What I meant was, I was looking at the
> packets on my router flowing from / to my proxy server.  I'm not much
> concerned about outbound packets from squid, as that is going to be 
> arbitary
> for each request.  But, what I was curious about was the inbound
> connections.
>
> So, I re-state my observations again below, but please keep in mind these
> are only for packets that are coming from the WAN side of my router and 
> into
> the squid.
>
> 1.  Majority packets were sent from TCP port 80 and 53 towards the squid,
> which is obvious.
> 2.  Some were TCP 82 also, which is also obvious in our scenario, as a
> locally popular website hosts it's meda files on port 82.
> 3.  Some were TCP 8080, same explanation is #2
> 4.  Some were TCP 443, which struck me as odd, as we do not have 443
> redirected to our squid.  This could happen when someone uses manual proxy.
> So, I think this is safe.
> 5.  Some were TCP high arbitary ports, usually above 10,000 (sometimes a 
> few
> below 10,000 but above 1,000).
> 6.  Whenever #5 would be seen, there would also be an ICMP request from the
> same remote IP towards my squid.
>
> It is the last #5 and #6 that is my concern.  Is this normal behaviour?  
> Can
> I safely do the following on my router for packets whose destinaion address
> is my squid's IP:
>
> 1.  Allow ICMP packets to my squid from outside
> 2.  Allow packets from TCP ports 53, 80, 82, 443, 3128, 8080.
> 3.  Block all other packets.
>
> Thank you once again for your comments / suggestions.
>
> Regards
> HASSAN

Understood. No change from your first email.

Consider most carefully your definition of 'from', 'to', 'source', and 
'outside'.

Also consider whether you are observing new connection requests entering 
Squid or reply data being retrieved.

Check your logs, or run traffic captures for those IPs and ports if 
necessary to figure out what it is before blocking.

There is no way to identify the difference between someones grandma on 
and an attacker from just port numbers. No matter how weird.

Amos


> ----- Original Message ----- From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
> To: "Jose Ildefonso Camargo Tolosa" <ildefonso.camargo@xxxxxxxxx>
> Cc: "Nyamul Hassan" <mnhassan@xxxxxxx>; "Squid Users"
> <squid-users@xxxxxxxxxxxxxxx>
> Sent: Saturday, February 28, 2009 12:34
> Subject: Re:  Firewalling the Proxy
>
>
> > Jose Ildefonso Camargo Tolosa wrote:
> > > Hi!
> > >
> > > On Sat, Feb 28, 2009 at 4:43 PM, Nyamul Hassan <mnhassan@xxxxxxx> wrote:
> > > > Hi,
> > > >
> > > > I was checking the requests to and from my proxy servers, and I noticed
> > > > that, while most src-port were TCP 80, 53, 443, some were very high TCP
> > > > ports.  These high port packets would usually also be accompanied by an
> > > > ICMP
> > > > request.  Is this normal web server behaviour?  In my firewall,
> > > > accepting
> > > > src-port of TCP 80, 53, 443, or UDP 53, and ICMP, can I block all else
> > > > directed toward my proxy server?
> >
> > No. There are no rules about what src-port can be.
> > Firewall dst-port that you don't want people getting access *to*.
> >
> > Inbound HTTP connection accompanied by ICMP echo, sounds a lot like a
> > NetDB enhanced HTTP proxy (Squid?) doing best-source detection.
> >
> > Amos
> >
> > > Ok, you got me a little confused on the "src-port", maybe I'm just
> > > falling a slept now.
> > >
> > > Usually, the connections works like this:
> > >
> > > client (any port above 1024, depends on OS, but usually a high port)
> > > ---> proxy (proxy port,3128) , proxy (local port, usually high port)
> > > ---> Remote Web Server (80,443,....).
> > >
> > > So, you will usually see a "high port" and a "normal port" associated
> > > to a connection, usually the high port is the "local part" and the low
> > > port is the "remote end", from the point of view of the machine that
> > > is initiating the connection.  The IP,port combination is called a
> > > tuple, and each connection have a "local tuple" and a "remote tuple",
> > > the local tuple is usually referred as the "source IP, source port",
> > > and use to have a high port associated with it (in the computer that
> > > is creating the connection, the remote end will see it reversed).
> > >
> > > > Thx in advance for your comments / suggestions.
> > >
> > > Any more info would be useful.
> > >
> > > > Regards
> > > > HASSAN
> > >
> > > c-ya!
> > >
> > > Ildefonso Camargo
> >
> >
> > --
> > Please be using
> >   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> >   Current Beta Squid 3.1.0.5


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5