Re: [squid-users] Config seems to allow CONNECT to privileged ports

From: Juri Haberland <list-squid.users@dont-contact.us>
Date: Thu, 22 May 2003 08:59:22 +0000 (UTC)

Ralf Hildebrandt <Ralf.Hildebrandt@charite.de> wrote:
> Our config (below) seems to allow access to privileged ports. Proof:
> $ telnet 192.168.220.204 888
> Trying 192.168.220.204...
> Connected to 192.168.220.204.
> Escape character is '^]'.
> CONNECT postamt1.charite.de:22 HTTP/1.0
>
> HTTP/1.0 Connection established
>
> SSH-1.99-OpenSSH_3.1p1
>
> ---------------
> What needs to be changed?

> acl SSL_ports port 443 563
> acl Safe_ports port 23 80 82 83 21 70 210 322 443 554 563 581 1025-5999 6001-655 35
> acl CONNECT method CONNECT

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

> http_access allow modem_hosts modem_allowed_hosts
> http_access deny modem_hosts modem_denied_hosts
> http_access allow modem_hosts modem_allowed_rest
> http_access deny FTP PUT
> http_access deny in_gesperrte_hosts
> http_access deny out_gesperrte_hosts
> http_access deny worm
> http_access deny nws
> http_access allow charite-hosts
> http_access allow virchow-hosts
> http_access allow private-name
> http_access allow charite-buch
> http_access allow hamann
> http_access allow niesen
> http_access allow steinhoff
> http_access allow herzel
> http_access allow pgeorgie
> http_access allow bioinf ncbi
> http_access deny all

Cheers,
Juri

-- 
Juri Haberland  <juri@koschikode.com> 
Received on Thu May 22 2003 - 02:59:11 MDT
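The ordering point in the reply above, as an added illustration that is not part of the thread: a small Python model of Squid's first-match `http_access` evaluation, run over the port and method ACLs quoted from the config, once with the allow rule first (as posted) and once with the two deny lines placed before it. The `charite-hosts` source network, the client addresses and the trimmed `Safe_ports` list (the `6001-...` tail is left out) are constructed assumptions, and only port, method and src ACL types are modelled.

```python
"""Model of Squid http_access first-match evaluation (added example, not from the thread)."""
import ipaddress

def parse_ports(spec):
    """'443 563' or '1025-5999' -> set of every port the spec covers."""
    ports = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

# ACL definitions: the port and method ACLs come from the quoted config;
# the src ACLs are constructed for this example.
ACLS = {
    "SSL_ports": ("port", parse_ports("443 563")),
    "Safe_ports": ("port", parse_ports("21 23 70 80 82 83 210 322 443 554 563 581 1025-5999")),
    "CONNECT": ("method", {"CONNECT"}),
    "charite-hosts": ("src", ipaddress.ip_network("192.168.220.0/24")),  # constructed
    "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
}

def acl_matches(name, req):
    kind, value = ACLS[name]
    if kind == "port":
        return req["port"] in value
    if kind == "method":
        return req["method"] in value
    return ipaddress.ip_address(req["src"]) in value

def http_access(rules, req):
    """The first rule whose ACL terms all match decides; a leading '!' negates a term.
    If no rule matches, Squid applies the opposite of the last rule's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# As posted: an allow for the local hosts comes first, so CONNECT to port 22 is allowed.
ORIGINAL = [("allow", ["charite-hosts"]), ("deny", ["all"])]
# As suggested: the two deny lines go before any allow.
FIXED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"])] + ORIGINAL

SSH_CONNECT = {"src": "192.168.220.10", "method": "CONNECT", "port": 22}    # constructed
HTTPS_CONNECT = {"src": "192.168.220.10", "method": "CONNECT", "port": 443}  # constructed

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, http_access(rules, SSH_CONNECT), http_access(rules, HTTPS_CONNECT))
```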
