Before I started using Squid (v2.2S5, on Linux v2.2.x) as a
transparent proxy, I enabled traffic to/from port 80 to allow Web
browsers to work. Do I still need to have that port open now that all
HTTP traffic is being redirected through Squid?
Per the Squid doc, this is how my transparent config looks:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Also per the Squid doc, this is how my firewall (ipchains) looks:
# Squid: redirect local HTTP traffic to cache port
ipchains -A input -i $LOCAL_IFACE -p tcp \
-s $ANYWHERE -d $ANYWHERE 80 -j REDIRECT 3128
# Squid: deny external access to cache
ipchains -A input -i $EXTRN_IFACE -p tcp -y \
-s $ANYWHERE -d $IPADDR 3128 -j DENY
So given these circumstances, do I really need my old port 80 access
rule? Note that $EXTRN_IFACE is my connection to the Internet, while
$LOCAL_IFACE is the one to my local network:
# HTTP client (80)
ipchains -A input -i $EXTRN_IFACE -p tcp ! -y \
-s $ANYWHERE 80 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTRN_IFACE -p tcp \
-s $IPADDR $UNPRIVPORTS -d $ANYWHERE 80 -j ACCEPT
My reason for asking this is to simplify my ruleset by eliminating
what I hope is a superfluous rule (external client traffic through
port 80). I am not running an externally-accessible Web server. Any
advice on this?
Thank you.
*** Steve Snyder ***
Received on Sat Feb 26 2000 - 17:12:05 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:51:35 MST
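As an added illustration, not part of the post above or of the Squid documentation, here is a constructed Python model of the four ipchains rules quoted in it. It walks one transparently proxied fetch through the rules, once with the "HTTP client (80)" pair present and once with it removed, so the reader can see which legs the REDIRECT rule covers and which legs only the port 80 client rules cover (Squid itself opens the outbound connection to the origin server from $IPADDR). The interface names echo the post's variables; the IP addresses and port numbers are made up, and a DENY chain policy is assumed.

```python
# Added example: a constructed, simplified model of the ipchains rules in the
# post, NOT a real packet filter. First matching rule wins; a packet matching
# nothing falls to an assumed DENY chain policy. Addresses are made up.
ANY = None
IPADDR = "192.0.2.1"        # firewall/Squid host ($IPADDR), constructed
LAN_CLIENT = "10.0.0.5"     # a browser on the local network, constructed
WEB = "198.51.100.7"        # an origin web server, constructed

# (chain, iface, syn, src, sport, dst, dport, target)
# syn: True = "-y" (SYN only), False = "! -y" (non-SYN), ANY = either
# ports: an int, "unpriv" for $UNPRIVPORTS (>= 1024), or ANY
RULES = [
    ("input",  "LOCAL_IFACE", ANY,   ANY,    ANY,      ANY,    80,       "REDIRECT 3128"),
    ("input",  "EXTRN_IFACE", True,  ANY,    ANY,      IPADDR, 3128,     "DENY"),
    ("input",  "EXTRN_IFACE", False, ANY,    80,       IPADDR, "unpriv", "ACCEPT"),  # HTTP client
    ("output", "EXTRN_IFACE", ANY,   IPADDR, "unpriv", ANY,    80,       "ACCEPT"),  # HTTP client
]
# The ruleset the post hopes is sufficient: the two "HTTP client (80)" rules dropped.
RULES_WITHOUT_CLIENT = [r for r in RULES if r[-1] != "ACCEPT"]

def port_match(want, have):
    if want is ANY:
        return True
    if want == "unpriv":
        return have >= 1024
    return want == have

def verdict(rules, chain, iface, syn, src, sport, dst, dport):
    """Walk one chain in order; return the target of the first matching rule."""
    for r_chain, r_iface, r_syn, r_src, r_sport, r_dst, r_dport, target in rules:
        if (r_chain, r_iface) != (chain, iface):
            continue
        if r_syn is not ANY and r_syn != syn:
            continue
        if (r_src is not ANY and r_src != src) or (r_dst is not ANY and r_dst != dst):
            continue
        if port_match(r_sport, sport) and port_match(r_dport, dport):
            return target
    return "DENY (policy)"

def trace_fetch(rules):
    """Verdicts for each leg of one proxied page fetch, plus two probes from outside."""
    return {
        "browser SYN to web:80 on LAN side": verdict(rules, "input",  "LOCAL_IFACE", True,  LAN_CLIENT, 40000, WEB, 80),
        "squid SYN out to web:80":           verdict(rules, "output", "EXTRN_IFACE", True,  IPADDR, 35000, WEB, 80),
        "web SYN-ACK back to squid":         verdict(rules, "input",  "EXTRN_IFACE", False, WEB, 80, IPADDR, 35000),
        "outsider SYN to squid:3128":        verdict(rules, "input",  "EXTRN_IFACE", True,  WEB, 50000, IPADDR, 3128),
        "outsider SYN to host:80":           verdict(rules, "input",  "EXTRN_IFACE", True,  WEB, 50000, IPADDR, 80),
    }

if __name__ == "__main__":
    for label, rules in (("full ruleset", RULES), ("without HTTP client rules", RULES_WITHOUT_CLIENT)):
        print(label)
        for leg, v in trace_fetch(rules).items():
            print(f"  {leg:36} -> {v}")
```

With the client rules removed, the browser's SYN is still redirected to 3128, but Squid's own SYN to the origin server and the server's SYN-ACK back both fall to the DENY policy, while the outsider probes are denied in both configurations.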