[squid-users] Odd port behavior from squid

From: Pat Riehecky <prieheck@dont-contact.us>
Date: Fri, 04 May 2007 12:11:44 -0500

I just put iptables on our squid box and noticed some very strange
activity (IPs have been changed to protect the innocent):

[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0
SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=40 TOS=0x00
PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140
RES=0x00 ACK PSH FIN URGP=0

I have literally thousands of these where it looks like squid is
actively opening connections (well trying...) to the outside world. The
intervals are somewhat random (and if you really care I can extrapolate
them).

It has to be squid because the source port is 3128, my squid port... but
it cannot be a user making the request as I have a very limited range of
ports for squid to proxy. Two apps cannot use the same port unless one
lets go for a bit, but squid has been up for about 2 months and doesn't
release the port ever (does it?).

Have I gone insane? Is there a way that squid is actually doing this?
If squid is doing this, is there something I can turn on to ask it why?
The access log shows nothing resembling this, and the ACLs should stop
it.

Thanks for any clock cycles this gets in your brains.

Pat

Squid version 2.6.1-3ubuntu1.3

--- squid conf ---
http_port 3128
cache_mem 10 MB
memory_pools_limit 5 MB
logfile_rotate 30

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic program /usr/lib/squid/ldap_auth <...>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server LDAP

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl Password proxy_auth REQUIRED
acl Localnet src 10.0.0.0/255.0.0.0

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow Password
http_access deny all
http_access allow Localnet
http_reply_access allow all

icp_access allow all

coredump_dir /var/spool/squid

emulate_httpd_log on
access_log /var/log/squid/access.log

cache_effective_user proxy
cache_effective_group proxy
--- end squid conf ---
Received on Fri May 04 2007 - 11:11:46 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:04 MDT
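Added example, not code from the post or from the Squid project: a small Python triage script for netfilter LOG lines in the format quoted above. It separates packets the proxy sends from its listening port on a connection it already accepted (ACK set, no SYN, as in the quoted line with SPT=3128 and ACK PSH FIN) from genuine outbound connection attempts (a bare SYN, which a proxy sends from an ephemeral source port). The sample lines, addresses and the `listen_port` default are constructed placeholders.

```python
# Constructed sample lines in the netfilter LOG format quoted in the post.
# Addresses are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=10.0.0.2 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140 RES=0x00 ACK PSH FIN URGP=0
[44165040.100000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=10.0.0.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[44165041.200000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=10.0.0.2 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=3128 DPT=2661 WINDOW=7140 RES=0x00 ACK URGP=0
"""

# Bare TCP flag tokens the kernel LOG target prints after RES=.
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_netfilter_line(line):
    """Turn one kernel LOG line into a dict of KEY=VALUE fields plus a 'flags' set."""
    body = line[line.index("IN="):]  # drop the timestamp and the free-text log prefix
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)  # IN= with no value becomes ''
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)  # other bare tokens such as DF are ignored
    fields["flags"] = flags
    return fields


def classify(pkt, listen_port=3128):
    """Say what a dropped OUTPUT packet is from the proxy's point of view."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "outbound-connect"  # only a bare SYN is the host opening a connection
    if int(pkt["SPT"]) == listen_port and "ACK" in flags:
        # Data or FIN from the listening port: a reply on a connection a client opened.
        return "reply-on-accepted-connection"
    return "other"


def summarize(log_text, listen_port=3128):
    """Count dropped packets per class over a chunk of kernel log text."""
    counts = {}
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue  # not a netfilter LOG line
        kind = classify(parse_netfilter_line(line), listen_port)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Packets in the reply class are the proxy answering clients whose connections it accepted, which a default-drop OUTPUT chain without a state rule discards; an entry such as `-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` lets them through while still blocking new outbound connections.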