On Tue, 23 Mar 2004, Karl Sumpter wrote:

> I've been seeing users start to tunnel thru my squid caches, especially
> for connecting to IRC servers. I get CONNECT lines in my log either
> going to 6667 (irc default)

This is blocked by the default CONNECT restrictions in the squid.conf shipped with Squid. See SSL_ports.

> or more sneakily, 443. As there is a sizable number of irc servers
> my users are connecting to, and the fact CONNECT is used for regular
> https websites, I can't block the method or the hostnames/ip's.

Blocking by destination hostname/ip is basically the only reliable way of blocking this kind of sneaky abuse.

> I recompiled squid to log user-agents, but again, anything coming in on
> a CONNECT does not show up - I thought at least I could identify the irc
> clients and block them with a "browser" ACL.

Should work.. But this would most likely only buy you some time.. if users find out you are doing this they will in many cases just change what their tunneling application advertises itself as to make it look like MSIE.

> So I guess what I am asking, is there an easier, more maintainable way
> to stop this rather than spending day after day compiling ip lists for
> multiple servers - I'm really hoping for a one-liner here.

The most effective method is to have an enforceable policy in your terms of use where users abusing the service in this manner get a noticeable penalty. This solution is mostly an administrative one, technology is just a tool to help you monitor and maintain the set policy.

Regards
Henrik
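A log review of the kind the reply's closing point about monitoring calls for, as an added example that is not part of the original message: it scans Squid's native access.log for CONNECT requests to ports outside SSL_ports and for CONNECTs to an allowed port that stay open unusually long. The sample log lines, the port set, the 30-minute threshold and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed to match the SSL_ports ACL in your squid.conf; adjust as needed.
SSL_PORTS = {443, 563}
# Assumption: a CONNECT held open this long is worth reviewing (30 minutes).
LONG_TUNNEL_MS = 30 * 60 * 1000

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client code/status bytes method URL ident hier/peer type
SAMPLE_LOG = """\
1080000000.101    842 10.0.0.5 TCP_MISS/200 5120 CONNECT shop.example.com:443 - DIRECT/192.0.2.10 -
1080000050.220      3 10.0.0.7 TCP_DENIED/403 1412 CONNECT irc.example.net:6667 - NONE/- text/html
1080005500.900 5400000 10.0.0.7 TCP_MISS/200 48231 CONNECT 198.51.100.20:443 - DIRECT/198.51.100.20 -
1080005600.000    120 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/192.0.2.30 text/html
"""

LINE_RE = re.compile(
    r"^\d+\.\d+\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"\w+/(?P<status>\d+)\s+\d+\s+CONNECT\s+"
    r"(?P<host>[^\s:]+):(?P<port>\d+)\s"
)

def review_connects(log_text):
    """Return (off_port, long_tunnels): per-client CONNECT findings."""
    off_port = defaultdict(list)      # CONNECT to a port outside SSL_PORTS
    long_tunnels = defaultdict(list)  # allowed port, but held open very long
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CONNECT request
        dest = f"{m['host']}:{m['port']}"
        port, elapsed = int(m["port"]), int(m["elapsed"])
        if port not in SSL_PORTS:
            off_port[m["client"]].append(dest)
        elif m["status"] == "200" and elapsed >= LONG_TUNNEL_MS:
            long_tunnels[m["client"]].append((dest, elapsed // 60000))
    return dict(off_port), dict(long_tunnels)

if __name__ == "__main__":
    off_port, long_tunnels = review_connects(SAMPLE_LOG)
    for client, dests in off_port.items():
        print(f"{client}: CONNECT outside SSL_ports -> {dests}")
    for client, hits in long_tunnels.items():
        for dest, minutes in hits:
            print(f"{client}: {dest} held open {minutes} min")
```

Connection duration is only a hint for where to look; a flagged destination still has to be checked against the policy before anything is blocked.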
