On 14/12/2012 11:53 a.m., Paras pradhan wrote:
> Hi, I have 0-65536 in safe ports and it is allowed.
>
> acl Safe_ports port 0-65535
> http_access deny !Safe_ports
This is not an ALLOWED. This is a not-DENIED otherwise known as "check next rule".
NP: there are a number of ports in the 0-1024 range which are seriously risky to permit HTTP connections to. The SMTP and FTP ports for example.
> But I am seeing this in access.log.
>
> 1355433138.267 0 192.168.0.2 TCP_DENIED/403 3413 CONNECT 192.168.0.2:35357 - NONE/- text/html
>
> How do we allow 35357?
This is a CONNECT request. So "acl SSL_Ports port 35357" should do it. But consider carefully why the client needs a binary tunnel opened to that destination, and whether letting it is a good idea.
Amos
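To make the "deny !Safe_ports is not an allow" point concrete, here is an added toy model of how Squid walks its http_access lines, fed with the access.log line from the thread. It is illustration code written for this page, not Squid's code; it assumes the stock squid.conf ordering (deny !Safe_ports, deny CONNECT !SSL_ports, allow localnet) and that 192.168.0.2 is in localnet.

```python
# Toy model of Squid's http_access evaluation (not Squid's code).
# Assumed squid.conf ordering is the stock default:
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports
#   http_access allow localnet        (client 192.168.0.2 assumed local)

def parse_port_acl(spec):
    """'0-65535' or '443' -> (low, high) inclusive, as in 'acl NAME port ...'."""
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def port_in(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)

def parse_access_log(line):
    """Extract (method, destination port) from a native-format access.log line."""
    fields = line.split()
    method, url = fields[5], fields[6]
    _host, _, port = url.rpartition(":")
    return method, int(port)

def http_access(method, port, safe_ports, ssl_ports):
    """Walk the rules in order; the first line whose condition matches decides.
    A 'deny !X' line whose condition is false allows nothing by itself:
    Squid simply moves on to the next http_access line."""
    rules = [
        ("deny",  not port_in(safe_ports, port)),                          # deny !Safe_ports
        ("deny",  method == "CONNECT" and not port_in(ssl_ports, port)),   # deny CONNECT !SSL_ports
        ("allow", True),                                                   # allow localnet
    ]
    for action, matched in rules:
        if matched:
            return action
    return "deny"   # stock configs end with an explicit 'http_access deny all'

# The log line quoted in the thread.
LOG_LINE = ("1355433138.267 0 192.168.0.2 TCP_DENIED/403 3413 CONNECT "
            "192.168.0.2:35357 - NONE/- text/html")

def decide(line, safe="0-65535", ssl=("443",)):
    """Outcome for a logged request under the given Safe_ports / SSL_ports specs."""
    method, port = parse_access_log(line)
    return http_access(method, port,
                       [parse_port_acl(safe)],
                       [parse_port_acl(s) for s in ssl])

if __name__ == "__main__":
    print(decide(LOG_LINE))                        # deny: Safe_ports passes, SSL_ports does not
    print(decide(LOG_LINE, ssl=("443", "35357")))  # allow: after adding 35357 to SSL_ports
    # Amos's caveat: Safe_ports 0-65535 lets a plain GET to port 25 (SMTP) through.
    print(http_access("GET", 25, [parse_port_acl("0-65535")], [parse_port_acl("443")]))  # allow
```

The wide Safe_ports range only gets the request past the first line; the CONNECT is still caught by the SSL_ports check, which is why the 403 appears in the log.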