Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
From: Tommaso Di Donato <t.didonato () sicurweb it>
Date: Fri, 22 Feb 2002 17:27:44 +0100


The authors of Squid sorted that problem out YEARS ago. The default ACLs
within Squid state:

acl SSL_ports port 443 563
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

i.e. you can only use the CONNECT proxy option for ports 443 and 563.

I'm amazed this isn't the default in other products...

I love Squid, and yes, default Squid configuration solves this problem...
But if you want a secure proxy, you have to change the parameter http_port to listen only to your internal IP address!!! Default config is:
http_port 0.0.0.0
so anyone from the internet can use your proxy (I fond a lot of server so configured!!!!). Change it to
http_port 192.168.1.254 #private IP

My 0.02...

Tommaso Di Donato


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]