Hi
> Are there any real bad things (tm) users authorized to use a squid cache
> could do if I would replace the default Safe_ports acl with
> something like "acl Safe_ports 1-65535"?
Yes, though what exactly they can do depends on the version of Squid.
With older Squids (1.0) they could do anything from IRC through the server
(happened to us a few weeks ago) to forging mail.
The newer Squid limits this kind of stuff a lot more: you may be able to
get away with it.... up to you. If I did enable random destination port
access I would set up a cron script that greps for ports outside the ranges
below every day: just so that you can keep an eye on things.
> --- snip - squid.conf ---
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> http_access deny !Safe_ports
> --- snap ---
>
> xxx
> Herwig Wittmann <herwig@atnet.at>
>
> [1] Usual apologies apply if this posting should be inappropriate -
> I joined this ML two days ago, but my fellow coworkers at our isp
> want me to remove the mentioned default restriction, so I decided
> to post right now :P
Oskar
--- "Haven't slept at all. I don't see why people insist on sleeping. You feel so much better if you don't. And how can anyone want to lose a minute - a single minute of being alive?" -- Think Twice

Received on Wed Jan 06 1999 - 15:39:54 MST
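The daily check suggested in the reply above, sketched as an added example that is not part of the original thread: it lists access.log requests whose destination port falls outside the quoted default `Safe_ports` list. It assumes Squid's native access.log layout; the function names `unsafe_port_requests` and `sample_log` are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example: list Squid access.log requests whose destination port is
# outside the default Safe_ports list quoted in this thread.
# Assumes native access.log layout: $3 = client, $6 = method, $7 = URL.

unsafe_port_requests() {   # hypothetical name; reads log files or stdin
    awk '
    function default_port(scheme) {
        if (scheme == "http")   return 80
        if (scheme == "ftp")    return 21
        if (scheme == "https")  return 443
        if (scheme == "gopher") return 70
        if (scheme == "wais")   return 210
        return -1                       # unknown scheme: port not derivable
    }
    function is_safe(p) {               # 80 21 443 563 70 210 1025-65535
        return (p == 80 || p == 21 || p == 443 || p == 563 || p == 70 || p == 210 || (p >= 1025 && p <= 65535))
    }
    NF >= 7 {
        url = $7; scheme = ""
        i = index(url, "://")
        if (i > 0) { scheme = tolower(substr(url, 1, i - 1)); url = substr(url, i + 3) }
        sub("[/?#].*$", "", url)        # keep [user@]host[:port]
        sub("^.*@", "", url)            # drop userinfo
        if (url ~ /:[0-9]+$/) {
            port = url; sub("^.*:", "", port); port += 0
        } else {
            port = default_port(scheme)
        }
        if (port >= 0 && !is_safe(port)) print port, $3, $6, $7
    }' "$@"
}

sample_log() {   # constructed log lines, not real traffic
    cat <<'EOF'
915662394.123    210 192.0.2.10 TCP_MISS/200 4512 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
915662401.456  60012 192.0.2.11 TCP_MISS/200 1840 CONNECT irc.example.net:6667 - DIRECT/irc.example.net -
915662410.789     95 192.0.2.12 TCP_MISS/200 312 CONNECT mail.example.org:25 - DIRECT/mail.example.org -
915662420.012    130 192.0.2.13 TCP_MISS/200 990 GET http://host.example.org:119/ - DIRECT/host.example.org text/plain
915662430.345    402 192.0.2.10 TCP_MISS/200 7731 CONNECT secure.example.com:443 - DIRECT/secure.example.com -
EOF
}

sample_log | unsafe_port_requests
```

On the constructed sample this reports the port 25 and port 119 requests; the port 6667 line is not reported because 6667 lies inside the `1025-65535` range of the default list. Run from cron, the function takes the access.log path as its argument.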