Re: Safe_ports - how to deal with ones not listed?

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Thu, 25 Nov 1999 09:41:26 -1000

On Thu, Nov 25, 1999 at 12:04:01PM -0000, Dave J Woolley wrote:
> > From: Miguel A.L. Paraz [SMTP:map@iphil.net]
> >
> > Since we're an ISP we follow a "allow all deny some" policy. I think the
> > problem ports are the likes of chargen, no? So I allowed 81-65535.
>
> Basically, if you would have problems if you were accused
> of hacking the port from a user on your proxy, then it
> is unsafe.

  A simple heuristic, therefore, would be to take any number appearing
in /etc/services, other than something like HTTP or FTP that Squid
explicitly proxies, and list it as an unsafe port. If someone tries to
run a web server on port 25 or port 119, it's likely to break enough
browsers (at the very least) that they won't do it for long, and
therefore you shouldn't get complaints about your cache not supporting
it.

  Personally, I'd rather deal with occasionally adding ports for the
few web sites which give trouble. I think there's been a positive
trend in the last year towards more networks using proxies of one kind
and another, and therefore more web sites being aware of the need to
support proxies.

  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
Received on Thu Nov 25 1999 - 12:50:36 MST
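The heuristic above (treat every port named in /etc/services as unsafe except the services Squid itself proxies) can be automated. This is an added example, not code from the poster or from the Squid project; the /etc/services excerpt is constructed sample input, and the set of proxied service names is an assumption to tune for your own squid.conf.

```python
"""Generate a Squid 'Unsafe_ports' ACL from /etc/services entries."""
import re

# Constructed excerpt in the standard /etc/services layout (sample input).
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www www-http    # WorldWideWeb HTTP
http            80/udp
nntp            119/tcp         readnews untp   # USENET News
https           443/tcp
chargen         19/tcp          ttytst source
chargen         19/udp
"""

# Services Squid explicitly proxies (assumption; adjust to your deployment).
PROXIED = {"http", "https", "ftp"}

# name, port/proto at the start of a line; aliases and comments follow.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)")


def unsafe_ports(services_text, proxied=PROXIED):
    """Return the sorted TCP ports in services_text whose service is not proxied."""
    ports = set()
    for line in services_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "tcp":
            continue  # comment, blank line, or UDP-only entry
        if m.group("name") not in proxied:
            ports.add(int(m.group("port")))
    return sorted(ports)


def squid_acl(ports, name="Unsafe_ports"):
    """Render squid.conf lines: one 'acl ... port' per entry, then the deny rule.

    Place the deny rule before any http_access allow lines so it takes effect.
    """
    lines = ["acl %s port %d" % (name, p) for p in ports]
    lines.append("http_access deny %s" % name)
    return "\n".join(lines)


if __name__ == "__main__":
    print(squid_acl(unsafe_ports(SAMPLE_SERVICES)))
```

On a real system, feed the contents of /etc/services to unsafe_ports() in place of the sample; the resulting deny list still needs to sit ahead of the allow rules in squid.conf.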
