By default webproxy is disabled. If it's enabled by default it's open to be used by anyone. The best thing to do when enabling the webproxy is to create a list of accepted IPs authorized to use the proxy, then finish up with a rule denying all other IPs. This would be done in the webproxy ACL. Another good rule is to block, on the core router, all inbound proxy port traffic into your network (8080, 8081, 3164(?)).

/Eje
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Tom DeReggi" <[email protected]>
Date: Thu, 9 Jul 2009 09:33:46
To: <[email protected]>; WISPA General List<[email protected]>
Subject: Re: [WISPA] Who left the web proxy open?

Wow, good find, sounds like something other unsuspecting Mikrotik users might run into. So where was all the web proxy data coming from? Was it all random external connections from the Internet?

One moral to the story is turn off web proxy, but..... are there best practices (firewalling, session limits, etc) for effectively using web proxies, to prevent that?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "[email protected]" <[email protected]>
To: <[email protected]>
Sent: Thursday, July 09, 2009 9:17 AM
Subject: [WISPA] Who left the web proxy open?

> For the past month I've been noticing the bandwidth on one of our
> upstreams going through the roof.
> When doing the math for each tower location, it added up to far less
> than the bandwidth through
> our upstream providers.
>
> So, ran Mikrotik Torch and what do you know.... it was all web proxy
> traffic. Sure enough the
> web proxy was turned on and wide open in the Mikrotik router. This
> router had the biggest
> drop in traffic but the others had similar drops due to BGP.
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: [email protected]
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
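
The allow-list-then-deny proxy ACL and the port block suggested in the first reply of this thread, written out as a RouterOS configuration. This is an added example, not part of the original messages; the interface name `ether1-upstream`, the address ranges (documentation prefixes) and the proxy listening on port 8080 are assumptions.

```routeros
# Added example. Interface name and addresses are constructed placeholders.
#
# Weak state described in the thread: the proxy is enabled and the access
# list is empty, so any source that can reach the proxy port is served.
#   /ip proxy set enabled=yes port=8080
#   /ip proxy access print        (shows no rules)

# 1. Proxy ACL: rules are evaluated top to bottom and the first match wins,
#    so the authorized sources come first and the catch-all deny comes last.
/ip proxy access
add src-address=192.0.2.0/24 action=allow comment="customer range (placeholder)"
add src-address=198.51.100.10 action=allow comment="NOC workstation (placeholder)"
add action=deny comment="deny everyone else"

# 2. Firewall on the core router. The forward rule covers proxies on routers
#    behind this one; the input rule covers a proxy running on the core
#    router itself. Ports 8080 and 8081 are taken from the post; the third
#    port it mentions is marked uncertain there and is left out.
/ip firewall filter
add chain=forward in-interface=ether1-upstream protocol=tcp \
    dst-port=8080,8081 action=drop comment="no inbound proxy traffic"
add chain=input in-interface=ether1-upstream protocol=tcp \
    dst-port=8080,8081 action=drop comment="no proxy access from upstream"

# 3. Check the result: the deny rule must be the last entry in the list.
/ip proxy access print
```

If these drop rules are appended below an existing rule that accepts the same traffic, they never match, so check their position with `/ip firewall filter print` as well.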
