IPChains firewall: need port 80 open with transparent Squid?

From: Steve Snyder <swsnyder@dont-contact.us>
Date: Sat, 26 Feb 2000 19:03:05 -0500 (EST)

Before I started using Squid (v2.2S5, on Linux v2.2.x) as a
transparent proxy, I enabled traffic to/from port 80 to allow Web
browsers to work. Do I still need to have that port open now that all
HTTP traffic is being redirected through Squid?

Per the Squid doc, this is how my transparent config looks:

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Also per the Squid doc, this is how my firewall (ipchains) looks:

  # Squid: redirect local HTTP traffic to cache port
  ipchains -A input -i $LOCAL_IFACE -p tcp \
           -s $ANYWHERE -d $ANYWHERE 80 -j REDIRECT 3128

  # Squid: deny external access to cache
  ipchains -A input -i $EXTRN_IFACE -p tcp -y \
           -s $ANYWHERE -d $IPADDR 3128 -j DENY

So given these circumstances, do I really need my old port 80 access
rule? Note that $EXTRN_IFACE is my connection to the Internet, while
$LOCAL_IFACE is the one to my local network:

  # HTTP client (80)
  ipchains -A input -i $EXTRN_IFACE -p tcp ! -y \
           -s $ANYWHERE 80 -d $IPADDR $UNPRIVPORTS -j ACCEPT

  ipchains -A output -i $EXTRN_IFACE -p tcp \
           -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 80 -j ACCEPT

My reason for asking this is to simplify my ruleset by eliminating
what I hope is a superfluous rule (external client traffic through
port 80). I am not running an externally-accessible Web server. Any
advice on this?

Thank you.

*** Steve Snyder ***
Received on Sat Feb 26 2000 - 17:12:05 MST
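Added example, not part of the post or of the Squid or ipchains documentation: a small Python model of the four ipchains rules quoted above, used to trace which rule each packet of a transparent-proxy fetch hits. Interface names, the firewall address and the remote server address are constructed assumptions.

```python
# Constructed model of the ipchains rules quoted in the post; it is not ipchains
# itself and only reproduces first-match semantics for the fields those rules use.
EXTRN_IFACE, LOCAL_IFACE = "eth0", "eth1"   # assumed interface names
IPADDR = "192.0.2.1"                        # assumed address of the firewall/Squid host
UNPRIV = "unpriv"                           # stands in for $UNPRIVPORTS (1024-65535)

def port_ok(want, have):
    """Rule port spec vs. packet port; None = any port, UNPRIV = 1024-65535."""
    if want is None:
        return True
    if want == UNPRIV:
        return 1024 <= have <= 65535
    return want == have

# (chain, iface, syn_only, src_port, dst_ip, dst_port, target), in the post's order.
# syn_only True = "-y", False = "! -y", None = flag not tested.
RULES = [
    ("input",  LOCAL_IFACE, None,  None,   None,   80,     "REDIRECT 3128"),
    ("input",  EXTRN_IFACE, True,  None,   IPADDR, 3128,   "DENY"),
    ("input",  EXTRN_IFACE, False, 80,     IPADDR, UNPRIV, "ACCEPT"),
    ("output", EXTRN_IFACE, None,  UNPRIV, None,   80,     "ACCEPT"),
]

def verdict(chain, iface, syn, sport, dip, dport):
    """Target of the first matching rule, or 'POLICY' when the packet falls
    through to the chain's default policy."""
    for r_chain, r_iface, r_syn, r_sport, r_dip, r_dport, target in RULES:
        if r_chain != chain or r_iface != iface:
            continue
        if r_syn is not None and r_syn != syn:
            continue
        if r_dip is not None and r_dip != dip:
            continue
        if port_ok(r_sport, sport) and port_ok(r_dport, dport):
            return target
    return "POLICY"

def trace_transparent_fetch():
    """Packets produced by one transparent fetch plus two outside probes."""
    remote = "198.51.100.7"   # constructed remote web server
    return {
        # LAN browser's SYN to the remote server, seen on the input chain
        "lan_client": verdict("input", LOCAL_IFACE, True, 40000, remote, 80),
        # Squid itself opening the upstream connection from the firewall host
        "squid_out":  verdict("output", EXTRN_IFACE, True, 40001, remote, 80),
        # the server's SYN/ACK and data flowing back to Squid
        "squid_in":   verdict("input", EXTRN_IFACE, False, 80, IPADDR, 40001),
        # an outsider probing the cache port directly
        "probe_3128": verdict("input", EXTRN_IFACE, True, 5555, IPADDR, 3128),
        # an outsider connecting to port 80 on the firewall (no web server there)
        "probe_80":   verdict("input", EXTRN_IFACE, True, 5555, IPADDR, 80),
    }
```

The trace shows that on the external interface Squid, not the browser, is the HTTP client: its upstream connection and the replies to it are exactly what the two port 80 rules match, while a SYN to port 80 on the firewall itself matches no rule and falls through to the input chain's default policy.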

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:51:35 MST