Re: Limiting outgoing port range.

>>> "Thomas Pietsch" 4/5/2011 3:08 AM >>>
Hey, yes I am referring to outbound ports. I know there is no speed advantage of doing so. It's simply a security matter (firewalling, trusted parties and so on ...). So the proxy shall be running on the same machine as the browser and then proxy every request and response through something like 20 sockets. Is this possible via squid?

On Tue, 05 Apr 2011 09:53:39 -0400, Chad Naugle wrote:
In short, I don't believe so. Squid isn't meant to be limited in such ways, and I still stand firm in believing that OUTBOUND ports that get bound to a local machine have no effect on firewalling. Only DESTINATION ports are compared in firewall ACLs.


Two conflicts prevent this even being considered...

TCP requires a waiting period (the TCP_TIME_WAIT state in the firewall's "netstat" display) to ensure that all traffic on the Internet which might be delayed by some routing situation does not screw up later use of the port. Binding for example 20 ports will not only make Squid limited to 20 parallel requests but also limit it to 20 new connections *per time-wait period*. The default time-wait is 5 minutes IIRC, and the firewall starts to fail if it goes down much closer to a minute. Average usage for a small home situation consumes around 1-4 connections per second. Do the math... average web page load times of around 1-2 minutes. Nobody is going to stand for that these days.


Also, in HTTP the outbound connection to servers has no relation to inbound connections from clients. The traffic is combined, split, rejected, served from cache or relayed on a request-by-request basis. So from a firewall perspective if any one outbound connection by the proxy is untrustworthy they are all suspect.

Thomas,
It is best to assign trust by the firewall to the proxy application or to the proxy's low-privileged user account. If you do go ahead with the port range limit you need to configure the OS underneath Squid to assign only from that range, or port-map (NAPT) the Squid outgoing connections into it. Then face the TCP effects mentioned above.

Amos
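Added illustration of the TIME_WAIT arithmetic described above (example code written for this archive page, not Squid code and not from anyone in the thread): a proxy confined to a fixed pool of local source ports, where every closed connection holds its port for one TIME_WAIT period. The port count, TIME_WAIT length and demand rate are constructed sample values.

```python
"""Source-port pool under TIME_WAIT: how many new outbound connections per
second can a proxy open when it is confined to a small range of local ports?

Assumptions (constructed for this example): connection lifetime is short
compared to TIME_WAIT and is ignored; after a connection closes its local
port stays unusable for `time_wait` seconds; demand arrives at a constant rate.
"""
import heapq
import math


def max_sustained_rate(num_ports, time_wait):
    """Steady-state ceiling: each port can start one connection per TIME_WAIT."""
    return num_ports / time_wait


def ports_needed(demand_rate, time_wait):
    """Smallest port pool that never stalls at a given connection rate."""
    return math.ceil(demand_rate * time_wait)


def simulate(num_ports, time_wait, demand_rate, duration):
    """Drive a constant connection demand against a fixed port pool.

    Returns how many connection attempts were served and how many failed
    because every local port was still in TIME_WAIT at that moment.
    """
    free_ports = num_ports
    release_times = []  # min-heap: when each busy port leaves TIME_WAIT
    served = failed = 0
    attempts = int(demand_rate * duration)
    for i in range(attempts):
        now = i / demand_rate
        # reclaim every port whose TIME_WAIT has expired by now
        while release_times and release_times[0] <= now:
            heapq.heappop(release_times)
            free_ports += 1
        if free_ports == 0:
            failed += 1          # nothing to bind to: the connect() stalls
            continue
        free_ports -= 1
        served += 1
        heapq.heappush(release_times, now + time_wait)
    return {"attempts": attempts, "served": served, "failed": failed}


if __name__ == "__main__":
    # 20 ports, 60 s TIME_WAIT, a modest 2 connections/s of browsing demand
    print(simulate(20, 60.0, 2.0, 600.0))      # five in six attempts fail
    print(ports_needed(4.0, 300.0))            # 4 conn/s at 5 min TIME_WAIT
```

With 20 ports and a one-minute TIME_WAIT the pool sustains one new connection every three seconds; at the 5-minute default, 4 connections per second would need 1200 ports.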


-------- Original Message --------
Date: Mon, 04 Apr 2011 16:44:20 -0400
From: "Chad Naugle"

Are you referring to Squid's OUTBOUND ports, or the DESTINATION ports?

Destination ports could be done by stacking ACLs per user/group to a specific list-of-ports ACL, but that's a lot of ACL stacking for particular users, and the result, if they are outside of the range of ports, could be an ACCESS_DENIED, depending on the requested URL. I.e.:

acl Joe_User <code to identify "Joe">
acl Joe_Ports port 21
acl Joe_Ports port 80
acl Joe_Ports port 443
acl Joe_Ports port 8080

http_access allow Joe_User Joe_Ports
http_access deny all

But I would highly doubt that directly mapping SOURCE ports would be theoretically possible, because, for one, Squid does not _ALWAYS_ query a destination, as a function of it being a cache. And two, statically defining a port, or block of ports, for a particular user or group can squelch the number of users able to use the proxy, causing it not to scale well, amongst many other technical issues that can, and will, only create bottlenecks.

Also, selecting outbound source ports has no technical advantage / merit versus selecting destination ports, that I can think of.


>>> <Shivering@xxxxxxx> 4/4/2011 4:22 PM >>>
Hey,
I need an HTTP proxy which synchronizes outgoing connections to a limited port range. For example, to make only HTTP connections via 20 outgoing ports. Is squid able to do this with little effort? I've already searched the FAQ and the mail archive and only found this question/answer:

http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg29951.html

This is six years old. So I thought I'd give it a new try ^^. I appreciate any tips.
Best regards
