On Wednesday, 19.09.2018, 14:38 +1200, Amos Jeffries wrote:
> This statement is false, and very bad security practice. Squid handles
> HTTP-level access controls. Firewalls handle network-layer access
> control. Either way multiple layers of security that work together are
> better than one - in case that one is compromised.
> ....
> Like the other default rules this "deny all" serves multiple purposes -
> along with the obvious access control to the network it is about denying
> "legitimate" clients trying to make Squid do extremely resource
> consuming things which are not permitted by your policy. Such as flood
> the internal network with Tbps of traffic, or port-scan services they
> are not normally allowed access to by the firewall.

hey amos,

thanks for your feedback, it's really appreciated.

i re-enabled deny all, even when i still don't see any benefit, because: without giving away too much internals, in my case allow all is still ok, only a very few subnets have a route to this system and the firewalls are working on a combination of layer 3 and 5-7 and also running ssl-inspection to this specific squid.

but you are right, every layer counts.

greetings, andy
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
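
An added example, not part of the original messages and not Squid project code: a small Python audit of a squid.conf `http_access` chain that checks for the catch-all rule discussed in the thread. The sample configs and the function names are constructed for illustration, and the parser handles only plain single-line `http_access` directives.

```python
# Constructed sample configs for illustration; not taken from the thread.
WEAK = """
acl localnet src 10.0.0.0/8
http_access allow all
"""

HARDENED = """
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

def http_access_rules(conf):
    """Return [(action, [acl, ...])] in file order; Squid uses the first match."""
    rules = []
    for line in conf.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return rules

def audit(conf):
    """List findings about the catch-all behaviour of the http_access chain."""
    rules = http_access_rules(conf)
    if not rules:
        return ["no http_access rules found"]
    findings = []
    for n, (action, acls) in enumerate(rules, 1):
        if acls == ["all"]:
            if action == "allow":
                findings.append(f"rule {n}: 'allow all' lets any client use the proxy")
            if n < len(rules):
                findings.append(f"rule {n}: rules after '{action} all' never match")
    last_action, last_acls = rules[-1]
    if last_acls != ["all"]:
        # Without an explicit catch-all, Squid applies the opposite of the last rule.
        implicit = "allow" if last_action == "deny" else "deny"
        findings.append(f"no final catch-all; unmatched requests default to {implicit}")
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "ok")
```

A chain that ends in a `deny` rule for a specific ACL is the case worth watching: the implicit default then becomes allow, which is why the explicit final `deny all` matters.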