Re: [squid-users] Squid cache questions

2024-04-06 Thread Jonathan Lee
Thanks for the reply. I am using the built-in StoreID program; however, it 
requires the database file, so I have it only set to the items in the dynamic 
cache settings' custom refresh areas. 

The rewrite program should redirect to pull from the cache, right? Only for 
bumped connections and/or cab files from Windows that come over as http. 
SquidGuard only does URL checks and blocks some items that cause me issues, 
mainly doubleclick.net and a couple of other invasive sites, and/or different 
profiles for different devices. 

Everything works; however, I started to wonder: if I am bumping connections for 
some, I still would want the Windows refresh patterns to work, so I thought if I 
url_rewrite_access deny them, that would block the cache from being used also, 
right? Of course, the splice items I just want spliced and checked with 
SquidGuard again; the error page itself, is that not considered a url_rewrite?

That's what got me confused, as I was thinking at the time an invasive container 
could redirect from the cache, so I thought that's why I would set up blocks for 
it; however, I am now wondering about the refresh items.

Thanks for the reply. Are you the guy that invented phone mail for Amos OS on 
Siemens PBX systems and ROLM phones? I did training with you in Texas, if that is 
you.

Thanks again for your reply.

Jonathan Lee
Adult Student 

> On Apr 6, 2024, at 20:00, Amos Jeffries  wrote:
> 
> On 5/04/24 17:25, Jonathan Lee wrote:
>>> ssl_bump splice https_login
>>> ssl_bump splice splice_only
>>> ssl_bump splice NoSSLIntercept
>>> ssl_bump bump bump_only markBumped
>>> ssl_bump stare all
>>> acl markedBumped note bumped true
>>> url_rewrite_access deny markedBumped
>> for good hits should the url_rewrite_access deny be splice not bumped 
>> connections?
>> I feel I mixed this up
> 
> Depends on what the re-write program is doing.
> 
> Ideally no traffic should be re-written by your proxy at all. Every change 
> you make to the protocol(s) as they go through adds problems to traffic 
> behaviour.
> 
> Since you have SquidGuard..
> * if it only does ACL checks, that is fine. But ideally those checks would be 
> done by http_access rules instead.
> * if it is actually changing URLs, that is where the problems start and 
> caching is risky.
> 
> If you are re-writing URLs just to improve caching, I recommend using 
> Store-ID feature instead for those URLs. It does a better job of balancing 
> the caching risk vs ratio gains, even though outwardly it can appear to have 
> less HITs.
> 
> 
> HTH
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid cache questions

2024-04-06 Thread Amos Jeffries


On 6/04/24 11:34, Jonathan Lee wrote:
if (empty($settings['sslproxy_compatibility_mode']) ||
    ($settings['sslproxy_compatibility_mode'] == 'modern')) {
    // Modern cipher suites
    $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
    $sslproxy_options .= ",NO_TLSv1";
} else {
    // Compatibility cipher suites
    $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
}

Should the RC4 be removed or allowed?

https://github.com/pfsense/FreeBSD-ports/pull/1365

AFAIK it should be removed. What I was intending to point out was that 
its removal via "!RC4" is likely making the prior "EECDH+aRSA+RC4" 
addition pointless. Sorry if that was not clear.


If you check the TLS handshake and find Squid is working fine without 
advertising "EECDH+aRSA+RC4" it would be a bit simpler/easier to read 
the config by removing that cipher and just relying on the "!RC4".



HTH
Amos
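
To check Amos's point without a packet capture, here is an added example (my own, not from the thread or from pfSense) that feeds both cipher strings from the PHP above to Python's ssl module, which hands them to the local OpenSSL cipher-list parser, and shows that dropping "EECDH+aRSA+RC4" leaves the negotiated list unchanged because the later "!RC4" removes whatever it added. The function names are mine; the cipher strings are copied verbatim from the snippet.

```python
import ssl

# Cipher strings copied from the pfSense snippet in the thread: the
# "modern" branch and the compatibility ("else") branch.
MODERN = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
          "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
          "EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:"
          "!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS")
COMPAT = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
          "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
          "EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:"
          "!3DES:!MD5:!EXP:!PSK:!SRP:!DSS")


def expand(cipher_string):
    """Ordered cipher names OpenSSL derives from cipher_string.

    TLS 1.3 suites are configured separately and are always reported by
    get_ciphers(), so they are filtered out to isolate the effect of the
    string itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def without(cipher_string, element):
    """cipher_string with one colon-separated element removed."""
    return ":".join(e for e in cipher_string.split(":") if e != element)


def rc4_suites(cipher_string):
    """Cipher names in the expanded list that use RC4 (expected: none)."""
    return [n for n in expand(cipher_string) if "RC4" in n]


def is_redundant(cipher_string, element):
    """True when dropping `element` leaves the negotiated list unchanged,
    i.e. the element adds nothing that a later '!' does not remove."""
    return expand(cipher_string) == expand(without(cipher_string, element))


if __name__ == "__main__":
    for label, s in (("modern", MODERN), ("compat", COMPAT)):
        print(label, "RC4 suites:", rc4_suites(s))
        print(label, "'EECDH+aRSA+RC4' redundant:",
              is_redundant(s, "EECDH+aRSA+RC4"))
        print(label, "suites:", ", ".join(expand(s)))
```

This inspects the cipher list offline; the handshake check Amos describes (what Squid actually advertises on the wire) is still the final confirmation.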


Re: [squid-users] Squid cache questions

2024-04-06 Thread Amos Jeffries

On 5/04/24 17:25, Jonathan Lee wrote:
>> ssl_bump splice https_login
>> ssl_bump splice splice_only
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump bump_only markBumped
>> ssl_bump stare all
>> acl markedBumped note bumped true
>> url_rewrite_access deny markedBumped
> for good hits should the url_rewrite_access deny be splice not bumped 
> connections?
> I feel I mixed this up

Depends on what the re-write program is doing.

Ideally no traffic should be re-written by your proxy at all. Every 
change you make to the protocol(s) as they go through adds problems to 
traffic behaviour.

Since you have SquidGuard..
 * if it only does ACL checks, that is fine. But ideally those checks 
would be done by http_access rules instead.
 * if it is actually changing URLs, that is where the problems start 
and caching is risky.

If you are re-writing URLs just to improve caching, I recommend using 
Store-ID feature instead for those URLs. It does a better job of 
balancing the caching risk vs ratio gains, even though outwardly it can 
appear to have less HITs.



HTH
Amos
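
As an added illustration of the Store-ID route Amos recommends (my own example, not Squid's storeid_file_rewrite helper and not anything posted in the thread), here is a minimal store_id_program helper in Python that speaks Squid's line protocol and maps URLs that differ only by mirror host or cache-buster onto one canonical ID. The rules table is constructed for illustration and uses the .squid.internal naming that the refresh_pattern in Jonathan's config already matches; it assumes the helper protocol replies documented for store_id_program (OK store-id="..." / ERR).

```python
import re
import sys

# Constructed rules in the shape of a storeid_file_rewrite database entry
# (regex, replacement), tried in order; first match wins.  Each rule must
# only merge URLs that really serve identical bytes: Store-ID makes Squid
# hand the same cached object to every URL that maps to one ID, so an
# over-broad regex serves the wrong content (the "caching risk" above).
RULES = [
    # Windows Update payloads from any regional mirror of the download CDN.
    (r"^http://[^/]*\.download\.windowsupdate\.com/(.*\.(?:cab|exe|msu|psf))$",
     r"http://download.windowsupdate.com.squid.internal/\1"),
    # A constructed CDN whose asset URLs differ only by host and cache-buster.
    (r"^https?://[^/]*\.example-cdn\.invalid/(assets/[^?]+)\?.*$",
     r"http://example-cdn.invalid.squid.internal/\1"),
]
COMPILED = [(re.compile(p), r) for p, r in RULES]


def store_id_for(url):
    """Canonical store ID for url, or None when no rule matches."""
    for pattern, repl in COMPILED:
        if pattern.match(url):
            return pattern.sub(repl, url)
    return None


def handle_line(line):
    """Answer one '[channel-ID] URL [extras]' request line in the Squid
    store_id_program protocol: 'OK store-id="..."' or 'ERR', with the
    channel-ID echoed back when concurrency is enabled."""
    fields = line.split()
    if not fields:
        return "ERR"
    channel = ""
    if fields[0].isdigit():          # channel-ID present (concurrency>0)
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "ERR"
    sid = store_id_for(fields[0])
    return channel + ('OK store-id="%s"' % sid if sid else "ERR")


if __name__ == "__main__":
    # Squid keeps the helper running and expects one reply per line; the
    # flush matters because stdout is a pipe and is block-buffered.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()
```

Because every URL that maps to an ID shares one cache entry, keep the ID domain confined to a refresh_pattern like the squid.internal one in the config and keep the regexes narrow enough that nothing host-specific (personalised or authenticated content) is ever merged.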


Re: [squid-users] Squid cache questions

2024-04-05 Thread Jonathan Lee
if (empty($settings['sslproxy_compatibility_mode']) ||
    ($settings['sslproxy_compatibility_mode'] == 'modern')) {
    // Modern cipher suites
    $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
    $sslproxy_options .= ",NO_TLSv1";
} else {
    // Compatibility cipher suites
    $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
}

Should the RC4 be removed or allowed?

https://github.com/pfsense/FreeBSD-ports/pull/1365



> On Apr 4, 2024, at 18:17, Amos Jeffries  wrote:
> 
> On 4/04/24 17:48, Jonathan Lee wrote:
>> Is there any particular order to squid configuration??
> 
> Yes. 
> 
> 
>> Does this look correct?
> 
> Best way to find out is to run "squid -k parse", which should be done after 
> upgrades as well to identify and fix changes between versions as we improve 
> the output.
> 
> 
>> I actually get a lot of hits and it functions amazing, so I wanted to share 
>> this in case I could improve something. Are there any issues with security?
> 
> Yes, the obvious one is "DONT_VERIFY_PEER" disabling TLS security entirely on 
> outbound connections. That particular option will prevent you even being told 
> about suspicious activity regarding TLS.
> 
> Also there are a few weird things in your TLS cipher settings, such as this 
> sequence "  EECDH+aRSA+RC4:...:!RC4 "
> Which as I understand, enables the EECDH with RC4 hash, but also forbids all 
> uses of RC4.
> 
> 
>> I am concerned that an invasive container could become installed in the 
>> cache and data marshal the network card.
> 
> You have a limit of 4 MB for objects allowed to pass through this proxy, 
> exception being objects from domains listed in the "windowsupdate" ACL (not 
> all Windows related) which are allowed up to 512 MB.
> 
> For the general case, any type of file which can store an image of some 
> system is a risk for that type of vulnerability can be cached.
> 
> The place to fix that vulnerability properly is not the cache or Squid. It is 
> the OS permissions allowing non-Squid software access to the cache files 
> and/or directory.
> 
> 
> 
>> Here is my config
>> # This file is automatically generated by pfSense
>> # Do not edit manually !
> 
> Since this file is generated by pfsense there is little that can be done 
> about ordering issues and very hard to tell which of the problems below are 
> due to pfsense and which due to your settings.
> 
> FWIW, there are no major issues, just some lines not being necessary due to 
> setting things to their default values, or just some blocks already denying 
> things that are blocked previously.
> 
> 
>> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on 
>> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
>> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>  tls-dh=prime256v1:/etc/dh-parameters.2048 
>> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on 
>> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
>> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>  tls-dh=prime256v1:/etc/dh-parameters.2048 
>> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on 
>> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
>> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>  tls-dh=prime256v1:/etc/dh-parameters.2048 
>> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> icp_port 0
>> digest_generation off
>> dns_v4_first on
>> pid_filename /var/run/squid/squid.pid
>> cache_effective_user squid
>> cache_effective_group proxy
>> error_default_language en
>> icon_directory /usr/local/etc/

Re: [squid-users] Squid cache questions

2024-04-04 Thread Amos Jeffries

On 4/04/24 17:48, Jonathan Lee wrote:
> Is there any particular order to squid configuration??

Yes. 

> Does this look correct?

Best way to find out is to run "squid -k parse", which should be done 
after upgrades as well to identify and fix changes between versions as 
we improve the output.

> I actually get a lot of hits and it functions amazing, so I wanted to 
> share this in case I could improve something. Are there any issues with 
> security?

Yes, the obvious one is "DONT_VERIFY_PEER" disabling TLS security 
entirely on outbound connections. That particular option will prevent 
you even being told about suspicious activity regarding TLS.

Also there are a few weird things in your TLS cipher settings, such as 
this sequence "  EECDH+aRSA+RC4:...:!RC4 "
Which as I understand, enables the EECDH with RC4 hash, but also 
forbids all uses of RC4.

> I am concerned that an invasive container could become 
> installed in the cache and data marshal the network card.

You have a limit of 4 MB for objects allowed to pass through this proxy, 
exception being objects from domains listed in the "windowsupdate" ACL 
(not all Windows related) which are allowed up to 512 MB.

For the general case, any type of file which can store an image of some 
system is a risk for that type of vulnerability can be cached.

The place to fix that vulnerability properly is not the cache or Squid. 
It is the OS permissions allowing non-Squid software access to the cache 
files and/or directory.

> Here is my config
> 
> # This file is automatically generated by pfSense
> # Do not edit manually !

Since this file is generated by pfsense there is little that can be done 
about ordering issues and very hard to tell which of the problems below 
are due to pfsense and which due to your settings.

FWIW, there are no major issues, just some lines not being necessary due 
to setting things to their default values, or just some blocks already 
denying things that are blocked previously.

> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>  tls-dh=prime256v1:/etc/dh-parameters.2048 
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>  tls-dh=prime256v1:/etc/dh-parameters.2048 
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>  tls-dh=prime256v1:/etc/dh-parameters.2048 
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 
> icp_port 0
> digest_generation off
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user squid
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/local/etc/squid/icons
> visible_hostname 
> cache_mgr 
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/local/libexec/squid/pinger
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s 
> /var/squid/lib/ssl_db -M 4MB -b 2048
> tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
> tls_outgoing_options capath=/usr/local/share/certs/
> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> tls_outgoing_options 
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> tls_outgoing_options flags=DONT_VERIFY_PEER
> sslcrtd_children 10
> 
> logfile_rotate 0
> debug_options rotate=0
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src  192.168.1.0/27
> forwarded_for transparent
> httpd_suppress_version_string on
> uri_whitespace strip
> 
> acl getmethod method GET
> 
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .u

[squid-users] Squid cache questions

2024-04-03 Thread Jonathan Lee
Is there any particular order to squid configuration??

Does this look correct?

I actually get a lot of hits and it functions amazing, so I wanted to share 
this in case I could improve something. Are there any issues with security? I am 
concerned that an invasive container could become installed in the cache and 
data marshal the network card.

Here is my config 

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 tls-dh=prime256v1:/etc/dh-parameters.2048 
options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 tls-dh=prime256v1:/etc/dh-parameters.2048 
options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem 
cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ 
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 tls-dh=prime256v1:/etc/dh-parameters.2048 
options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname Lee_Family.home.arpa
cache_mgr jonathanlee...@gmail.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s 
/var/squid/lib/ssl_db -M 4MB -b 2048
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
tls_outgoing_options capath=/usr/local/share/certs/
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options 
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options flags=DONT_VERIFY_PEER
sslcrtd_children 10

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/27
forwarded_for transparent
httpd_suppress_version_string on
uri_whitespace strip

acl getmethod method GET

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain dc1-st.ksn.kaspersky-labs.com
acl windowsupdate dstdomain dc1-file.ksn.kaspersky-labs.com
acl windowsupdate dstdomain dc1.ksn.kaspersky-labs.com

acl rewritedoms dstdomain .facebook.com .akamaihd.net .fbcdn.net .google.com 
.static.com .apple.com .oracle.com .sun.com .java.com .adobe.com 
.steamstatic.com .steampowered.com .steamcontent.com .google.com

store_id_program /usr/local/libexec/squid/storeid_file_rewrite 
/var/squid/storeid/storeid_rewrite.txt
store_id_children 10 startup=5 idle=1 concurrency=0
always_direct allow !getmethod
store_id_access deny connect
store_id_access deny !getmethod
store_id_access allow rewritedoms
reload_into_ims on
max_stale 20 years
minimum_expiry_time 0


refresh_pattern -i squid.internal 10080 80% 79900 override-lastmod 
override-expire ignore-reload ignore-no-store ignore-must-revalidate 
ignore-private ignore-auth

#APPLE STUFF
refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 
0 80% 43200  refresh-ims

#a