Re: [squid-users] How squid does Src/Dst IP address matching

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 24 Mar 2008 16:50:43 +0900

On Mon, Mar 24, 2008, Saurabh Agarwal wrote:
> I understand the security concern, but if squid is accessed by Users
> only within the company and company's intranet is secure enough, then it
> is an overkill as DNS is performed twice (Squid being used in transparent
> mode), once by the browser and then second time by the Squid.
>
> Shouldn't we have this as configurable through squid.conf file, though
> with the disclaimer you wrote earlier. This looks like a good feature to
> have.
>
> Like: Disable DNS lookups by Squid, instead use the DST IP address in the
> intercepted HTTP request.
> #disable_dns_lookup, hence use Dst IP from the packet

That's not a bad idea, but the possibility is there to absolutely, positively
blow away not only your clients' feet, but their legs, their torso, their
car/bike, and potentially their neighbours' pet. It's very dangerous.

I'll commit a patch if someone submits one. It has to have a very, very
large warning and it also needs to log something in cache.log to explain
why enabling the option is 100% dangerous.

Please realise that it's not only compromised hosts, it's also malicious users.

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Mon Mar 24 2008 - 01:34:35 MDT
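The thread turns on one check: in transparent mode the proxy has two views of where a request is going, the TCP destination of the intercepted packet and the Host header the client supplies, and Squid's DNS lookup is what lets it notice when the two disagree. The following is an added example, not Squid code and not code from anyone in this thread; it models that consistency check with a constructed resolver table and a constructed log message, and shows why the proposed "disable DNS lookup" option would make a mismatch invisible to the proxy.

```python
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for the proxy's own DNS view (not a real zone, not
# Squid's resolver); it exists only so the example runs offline.
CONSTRUCTED_DNS = {
    "intranet.example.com": {"10.0.0.10"},
    "mail.example.com": {"10.0.0.20", "10.0.0.21"},
}


def resolve(host: str) -> set:
    """Constructed resolver: return the addresses a hostname maps to."""
    return CONSTRUCTED_DNS.get(host.lower().rstrip("."), set())


def host_from_request(headers: dict) -> Optional[str]:
    """Return the Host header's hostname without a :port suffix, or None."""
    host = headers.get("Host", "").strip()
    if not host:
        return None
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        return host[1:end] if end > 0 else host
    # exactly one colon means "name:port"; more than one is a bare IPv6 literal
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def check_intercepted_request(dst_ip: str, headers: dict,
                              resolver: Callable[[str], set] = resolve) -> dict:
    """
    Compare the client's Host header with the destination it actually
    connected to (the verification the thread says must not be skipped).

    verdict:
      "verified"  Host resolves to dst_ip; both views agree.
      "mismatch"  Host does not resolve to dst_ip. Treat dst-domain ACL
                  results as untrustworthy, forward (if at all) only to
                  dst_ip, and log the event.
      "no_host"   No Host header; only the packet destination is known.
    """
    host = host_from_request(headers)
    result = {"dst_ip": dst_ip, "host": host, "verdict": None, "log": None}
    if host is None:
        result["verdict"] = "no_host"
        return result
    try:
        # Host given as an IP literal: compare addresses directly, no DNS needed.
        agree = ipaddress.ip_address(host) == ipaddress.ip_address(dst_ip)
    except ValueError:
        agree = dst_ip in resolver(host)
    result["verdict"] = "verified" if agree else "mismatch"
    if not agree:
        # Constructed log line, modelled on the kind of cache.log entry the
        # reply above asks for; the wording is this example's, not Squid's.
        result["log"] = (f"WARNING: Host header {host!r} does not resolve to "
                         f"intercepted destination {dst_ip}; possible Host forgery")
    return result


def forward_decision(dst_ip: str, headers: dict, disable_dns_lookup: bool) -> dict:
    """
    Model the two policies discussed in the thread.

    With disable_dns_lookup=True (the proposed option) the proxy connects to
    the packet destination and never resolves Host, so any disagreement
    between the two is simply not observed: checked=False, no log entry.
    With it False, the consistency check above runs and a mismatch is logged.
    """
    if disable_dns_lookup:
        return {"connect_to": dst_ip, "acl_domain": host_from_request(headers),
                "checked": False, "log": None}
    verdict = check_intercepted_request(dst_ip, headers)
    return {"connect_to": dst_ip, "acl_domain": verdict["host"],
            "checked": True, "log": verdict["log"]}


if __name__ == "__main__":
    # Constructed requests: one consistent, one whose Host and destination disagree.
    for dst, hdrs in [("10.0.0.10", {"Host": "intranet.example.com"}),
                      ("10.0.0.20", {"Host": "intranet.example.com:80"})]:
        print(check_intercepted_request(dst, hdrs))
        print(forward_decision(dst, hdrs, disable_dns_lookup=True))
```

The point the example makes concrete is the one Adrian's reply insists on: the destination address tells the proxy where the client connected, but the Host header is what dst-domain ACLs and cache keys are evaluated against, and only the proxy's own lookup can tell whether the two describe the same server. Dropping the lookup does not make the disagreement go away; it only removes the place where it would have been logged.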