"Thomas Pietsch" 4/5/2011 3:08 AM >>>
Hey, yes i am referring to outbound ports. I know there is no speed
advantage of doing so. Its simply a security matter (firewaling,
trusted
partys and so on .. ). So the proxy shall be running on the same
machine
as the browser and then proxy every request and response through smth
like 20 sockets. Is this possible via squid?
On Tue, 05 Apr 2011 09:53:39 -0400, Chad Naugle wrote:
In short, I don't believe so. Squid isn't meant to be limited in
such
ways, and I still stand firm in believing that OUTBOUND ports that
get
binded to a local machine has no effect on firewalling. Only
DESTINATION ports are compared in Firewall ACL's.
Two conflicts prevent this even being considered...
TCP requires a waiting period (TCP_TIME_WAIT state in the firewall
"netstat" display) to ensure that all traffic on the Internet which
might be delayed by some routing situation does not screw up later use
of the port. Binding for example 20 ports, will not only make Squid
limited to 20 parallel requests but also limit it to 20 new connections
*per time-wait period*. the default time-wait is 5 minutes IIRC, and
firewall starts to fail if it goes down much close to a minute.
Average usage for a small home situation consumes around 1-4 per
connections second. Do the math... average web page load times around
1-2 minutes. Nobody is going to stand for that these days.
Also, in HTTP the outbound connection to servers has no relation to
inbound connections from clients. The traffic is combined, split,
rejected, served from cache or relayed on a request-by-request basis. So
from a firewall perspective if any one outbound connection by the proxy
is untrustworthy they are all suspect.
Thomas,
It is best to assign trust by the firewall to the proxy application
or the proxy low-privileged user account.
If you do go ahead with the port range limit you need to configure
the OS underneath Squid to assign only from that range, or port-map
(NAPT) the Squid outgoing connections into it. Then face the TCP effects
mentioned above.
Amos
-------- Original-Nachricht --------
Datum: Mon, 04 Apr 2011 16:44:20 -0400
Von: "Chad Naugle"
Are you referring to Squid's OUTBOUND ports, or the DESTINATION
ports?
Destination Ports could be done by stacking ACL's per a user/group
to
specific list of ports ACL, but that's a lot of ACL stacking for
particular users, and the result is if they are outside of the range
of
ports, could result in a ACCESS_DENIED, depending on the requested
URL.
Ie --
acl Joe_User <code to identify "Joe">
acl Joe_Ports port 21
acl Joe_Ports port 80
acl Joe_Ports port 443
acl Joe_Ports port 8080
http_access allow Joe_User Joe_Ports
http_access deny all
But I would highly doubt that directly mapping SOURCE ports would be
theoretically possible, because, for one, Squid does not _ALWAYS_
query
a destination, as a function of it being a cache. And two,
statically
defining a port, or block of ports for a particular user or group
can
squelch the amount of possible users to be able to use the proxy,
causing it not to scale well, amongst many other technical issues
that
can, and will only create bottlenecks.
Also, selecting outbound source ports has no technical advantage /
merit versus selecting destination ports, that I can think of.
>>> <shiver...@gmx.net> 4/4/2011 4:22 PM >>>
Hey,
i need an HTTP proxy which synchronizes outgoing connections to a
limited port range. For example to make only http connections via 20
outgoing ports. Is squid able to do this with little effort? I've
already searched the FAQ and the mail archive and only found this
question/answer:
http://www.mail-archive.com/squid-users@squid-cache.org/msg29951.html
. This is six years old. So i thought i give it a new try ^^. I
appreciate any tips.
Best regards
