RE: [squid-users] Proxy on Firewall...

From: Ward, John (GroupWare) <john@dont-contact.us>
Date: Mon, 13 May 2002 11:37:31 +0200

Simply don't filter the source ports; it's madness.

-----Original Message-----
From: bebad@gmx.net [mailto:bebad@gmx.net]
Sent: 13 May 2002 11:25
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Proxy on Firewall...

> When fetching content, Squid is a TCP/IP client. As such the OS will
> assign "random high ports" (see
> /proc/sys/net/ipv4/ip_local_port_range) to Squid per outgoing TCP
> connection.
>
> A simple test of your firewall rules is to try with any kind of
> browser running on the firewall. If you don't have X use a text based
> browser such as lynx.
>
> There will also be a random UDP port involved for DNS resolving, but
> this will only talk to your configured DNS server(s) and is easier to
> filter.
>
> Regards
> Henrik Nordström

Sorry, but I didn't understand what you were trying to explain to me... I already know
that the proxy uses a port >1024 to establish a connection to the Internet.
My problem is that it seems to use ports >1024 DYNAMICALLY, and I am not
willing to open my firewall for a full range of ports >1024... So I asked
why Squid uses those ports, or how to tell Squid to use only one definite
port...

2. Random DNS UDP port? Does this mean the port changes sometimes? How can
I tell my firewall this without opening a range of ports, because I don't have
a DNS server running??
>
> On Monday 13 May 2002 09:57, bebad@gmx.net wrote:
> > Hello,
> >
> > I use a SuSE Linux 7.0 distribution with a 2.2 kernel. My firewall
> > is configured with ipchains.
> > I installed the latest version of the Squid proxy and it works -
> > until I activate the firewall rule:
> > ipchains -P input DENY
> >
> > Even if I try to open some ports like 3128, 8080, 80, 21, 1047,
> > 1066 and so on, users behind the firewall can't use the proxy for
> > surfing anymore. I used the iptraf program and saw that the proxy
> > tried something on different ports (starting at 1074). So I opened
> > this port. It works; now the user behind the firewall could reach
> > the requested URL. But the next time the user requested a URL, the
> > proxy tried to use port 1075 for something (still what? DNS
> > resolving??) and this port is still closed... How can I tell Squid
> > just to use definite ports???
> > I don't have a DNS server running on that machine, because I use the
> > DNS server of my ISP...
> >
> > I would be glad for any help...
> >
> > Best regards
> > a frustrated Linux newbie :-((
>
> --
> MARA Systems AB, Giving you basic free Squid support
> Your source of advanced web reverse proxying solutions
> http://www.marasystems.com/products/
>

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
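What the thread's advice looks like as an actual ipchains ruleset, as an added example that is not from any of the posters: keep the default DENY from the original post, but let LAN clients reach port 3128, admit only non-SYN replies to the kernel's ephemeral port range (so Squid's random source ports never need to be opened to new connections), and accept DNS answers only from the ISP's resolvers. The interface names, addresses and resolver addresses are assumed placeholders; set IPCHAINS=echo to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): an ipchains input ruleset for a
# Squid host that is also the firewall. Default policy stays DENY, as in
# the original post; only Squid's own traffic pattern is re-opened.
# All interface names, addresses and resolvers below are placeholders.
IPCHAINS="${IPCHAINS:-ipchains}"       # set IPCHAINS=echo to preview rules
EXT_IF="${EXT_IF:-eth0}"               # Internet-facing interface
EXT_IP="${EXT_IP:-192.0.2.10}"         # its address (constructed)
LAN_IF="${LAN_IF:-eth1}"               # interface the proxy users sit behind
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # their network (constructed)
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"  # ISP resolvers (constructed)

# Ephemeral (source) port range the kernel hands to Squid's outbound sockets;
# mirrors /proc/sys/net/ipv4/ip_local_port_range when it is readable.
ephemeral_range() {
    awk '{ print $1 ":" $2 }' /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null \
        || echo 1024:65535
}
EPHEMERAL="${EPHEMERAL:-$(ephemeral_range)}"

apply_rules() {
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -F input
    "$IPCHAINS" -A input -i lo -j ACCEPT
    # Clients behind the firewall reaching Squid's listening port.
    "$IPCHAINS" -A input -i "$LAN_IF" -p tcp -s "$LAN_NET" -d 0.0.0.0/0 3128 -j ACCEPT
    # Return traffic for connections Squid opened: packets to the ephemeral
    # range that are not new connection attempts (! -y = not a bare SYN).
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" "$EPHEMERAL" -j ACCEPT
    # DNS answers only from the ISP's resolvers, and only from port 53.
    for dns in $DNS_SERVERS; do
        "$IPCHAINS" -A input -i "$EXT_IF" -p udp -s "$dns" 53 -d "$EXT_IP" "$EPHEMERAL" -j ACCEPT
    done
    # ICMP is needed for path MTU discovery and error reporting.
    "$IPCHAINS" -A input -p icmp -j ACCEPT
    # Log whatever still falls through, so a blocked port shows up in the
    # kernel log instead of having to be guessed at with iptraf.
    "$IPCHAINS" -A input -l -j DENY
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh squid-fw.sh apply` on the firewall, or `IPCHAINS=echo sh squid-fw.sh apply` to print the rules first.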

Received on Mon May 13 2002 - 12:08:12 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:06 MST