Pat Riehecky wrote:
> I just put iptables on our squid box and noticed some very strange
> activity (IPs have been changed to protect the innocent):
>
> [44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0
> SRC=MY.PROXY.IP.ADDRESS DST=SOME.RANDOM.IP.ADDR LEN=40 TOS=0x00
> PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140
> RES=0x00 ACK PSH FIN URGP=0
>
> I have literally thousands of these where it looks like squid is
> actively opening connections (well trying...) to the outside world. The
> intervals are somewhat random (and if you really care I can extrapolate
> them).
>
> It has to be squid because the source port is 3128, my squid port... but
> it cannot be a user making the request as I have a very limited range of
> ports for squid to proxy. Two apps cannot use the same port unless one
> lets go for a bit, but squid has been up for about 2 months and doesn't
> release the port ever (does it?).
Only connections *to* squid will use port 3128. Outgoing connections will use
a random high port. Try looking at your access log to see what's been accessed.
Received on Fri May 04 2007 - 11:34:08 MDT
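
The distinction made in the reply can be checked directly from the logged TCP flags. The following is an added example, not part of the original thread: it classifies iptables LOG lines in the format quoted above, using the fact that a newly initiated TCP connection starts with SYN and no ACK. The sample lines, addresses, function names and category labels are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the LOG format quoted in the post; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
[44165032.820000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41807 DF PROTO=TCP SPT=3128 DPT=2660 WINDOW=7140 RES=0x00 ACK PSH FIN URGP=0
[44165040.110000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5121 DF PROTO=TCP SPT=45210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[44165041.300000] Dropped default (OUTPUT): IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=4011 WINDOW=5792 RES=0x00 ACK SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KEY_VALUE = re.compile(r"(\w+)=(\S*)")
FLAG_SPAN = re.compile(r"RES=\S+\s+(.*?)\s*URGP=")


def parse(line):
    """Return (key=value fields, set of TCP flags) for one LOG line."""
    fields = dict(KEY_VALUE.findall(line))
    match = FLAG_SPAN.search(line)  # flags are bare words between RES= and URGP=
    flags = set(match.group(1).split()) & TCP_FLAGS if match else set()
    return fields, flags


def classify(line, listen_port=3128):
    """Label an OUTPUT-chain packet by who initiated the connection."""
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    # SYN without ACK is the first packet of a connection this host opens.
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound"
    # Source port equal to the listening port: the proxy answering a client.
    if fields.get("SPT") == str(listen_port):
        return "reply-to-client"
    return "established-other"


def summarise(log_text, listen_port=3128):
    """Count packet classes across a block of LOG lines."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return Counter(classify(l, listen_port) for l in lines)


if __name__ == "__main__":
    for label, count in summarise(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

A large "reply-to-client" count with no "new-outbound" entries from port 3128 indicates the OUTPUT rules are dropping the proxy's answers to clients rather than connections the proxy opened.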