Typical, I figured out an iptables workaround within seconds of sending my last email. I still think squid needs to be able to stop this DoS, but this will stop the issue occurring:

iptables -t nat -A PREROUTING -d proxy.ip -i lan.interface -p tcp -m tcp --dport 3127 -j REDIRECT --to-ports 9876   # 9876 has nothing running on it
iptables -t nat -A PREROUTING ! -d lan.subnet/netmask -i lan.interface -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127   # 3127 is our ssl intercept port

So I get "connection refused" when I try to connect to the proxy on port 3127, but https intercept still works for anything else. Now squid never sees the direct 3127 connection and so never goes into a loop.

Jason

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
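The following is an added illustration, not code from the post or from the Squid project: a small Python model of the two nat PREROUTING rules above, evaluated first-match-wins the way a netfilter chain with terminating REDIRECT targets behaves. It compares the chain before the fix (intercept rule only) with the chain after (sink rule first), so you can see why a direct LAN connection to the intercept port now lands on a closed port while normal HTTPS interception is unaffected. The proxy address, LAN subnet and interface name are constructed values standing in for the post's placeholders proxy.ip, lan.subnet/netmask and lan.interface; the listening-port set is an assumption (only the intercept port is modelled).

```python
"""Model of the post's two nat PREROUTING rules (first match wins)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    dst: str        # destination address (-d)
    dport: int      # destination TCP port (--dport)


@dataclass(frozen=True)
class RedirectRule:
    in_iface: str      # -i lan.interface
    dst_match: str     # address or CIDR given to -d
    negate_dst: bool   # True models "! -d"
    dport: int         # --dport
    to_port: int       # -j REDIRECT --to-ports

    def matches(self, pkt: Packet) -> bool:
        if pkt.in_iface != self.in_iface or pkt.dport != self.dport:
            return False
        net = ipaddress.ip_network(self.dst_match, strict=False)
        in_net = ipaddress.ip_address(pkt.dst) in net
        # "! -d" inverts the address match
        return in_net != self.negate_dst


def prerouting(chain: List[RedirectRule], pkt: Packet) -> Optional[int]:
    """Return the local port REDIRECT delivers to, or None if no rule matched."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.to_port
    return None


# Constructed values standing in for the post's placeholders (assumptions).
PROXY_IP = "192.0.2.10"          # proxy.ip
LAN_NET = "192.0.2.0/24"         # lan.subnet/netmask
LAN_IF = "lan0"                  # lan.interface
INTERCEPT_PORT = 3127            # squid ssl intercept port
SINK_PORT = 9876                 # nothing listens here
SQUID_LISTENING = {INTERCEPT_PORT}  # assumption: only the intercept port is modelled

SINK_RULE = RedirectRule(LAN_IF, PROXY_IP, False, INTERCEPT_PORT, SINK_PORT)
INTERCEPT_RULE = RedirectRule(LAN_IF, LAN_NET, True, 443, INTERCEPT_PORT)

BEFORE = [INTERCEPT_RULE]             # chain as it was before the workaround
AFTER = [SINK_RULE, INTERCEPT_RULE]   # chain with the workaround applied


def classify(chain: List[RedirectRule], pkt: Packet) -> str:
    """Describe where a packet ends up after the nat PREROUTING chain."""
    port = prerouting(chain, pkt)
    if port is None:
        # No REDIRECT: routed normally; a packet for the proxy's own intercept
        # port reaches squid as a direct client, which is the loop trigger.
        if pkt.dst == PROXY_IP and pkt.dport in SQUID_LISTENING:
            return "squid:direct"
        return "routed"
    if port in SQUID_LISTENING:
        return "squid:intercepted"
    return "refused"   # redirected to a port nobody listens on


if __name__ == "__main__":
    direct = Packet(LAN_IF, PROXY_IP, INTERCEPT_PORT)
    print("direct 3127 before:", classify(BEFORE, direct))   # squid:direct
    print("direct 3127 after: ", classify(AFTER, direct))    # refused
    print("external 443:      ", classify(AFTER, Packet(LAN_IF, "203.0.113.5", 443)))
    print("lan-internal 443:  ", classify(AFTER, Packet(LAN_IF, "192.0.2.20", 443)))
```

One thing the model makes visible: both rules carry `-i lan.interface`, so the sink rule only protects the intercept port from traffic arriving on that interface; a packet for the proxy's address on any other interface still reaches squid directly, which is worth checking if the proxy has more than one interface.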