RE: [squid-users] CONNECT issues

From: Diamond King <mercyful_fated@dont-contact.us>
Date: Thu, 27 Jan 2005 01:27:13 -0800 (PST)

Dear all,

Sorry for the late reply. After further tracking, I
managed to re-check the squid configuration files and
below is the ACL list:

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny Bad_Domains
http_access deny Bad_Ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow our_networks
http_access allow manager localhost

I purposely did not include the bad_domains acl
because it is kinda long and would eventually get messed
up when I posted it to the mailing list. I can
confirm that the acl is correct anyway.

After restarting squid, I viewed the access.log files to
watch out for CONNECT strings. Well, this time it is
different though. There are no more TCP_MISS:DIRECT at
the end of the log; instead, I got TCP_DENIED. Does
this mean I am successfully blocking those p2p or
tunneling softwares?

--- Henrik Nordstrom <hno@squid-cache.org> wrote:

> On Mon, 10 Jan 2005, Diamond King wrote:
>
> > I've checked the configuration file and it seems
> > that only port 443 and 563 were connected to SSL_Ports
> > acl rule.
>
> You then have some error in your http_access rules,
> allowing things you did not intend to allow.
>
> >>> 192.168.25.220 - - [10/Jan/2005:11:24:38 +0800]
> >>> "CONNECT 213.103.81.214:3518 HTTP/1.0" 200 223
> >>> TCP_MISS:DIRECT
>
> > What's the usage of port 563 anyway?
>
> nntps, NNTP over SSL. Supported by many browsers and
> is why it is in the default allowed list.
>
> > By the way, any other way to check what exactly
> > those logs are for? Is it an attempt by kazaa users?
> > Thanks again!
>
> If you are lucky then a meaningful user-agent string
> is included.. visible if you enable log_mime_hdrs.
> But most likely this is blank or forged.
>
> Regards
> Henrik
>

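The question in the message above (did the `deny CONNECT !SSL_ports` rule actually stop the tunnels?) can be answered from access.log without guessing. The following is an added example, not code from the thread or from the Squid project: it parses lines in the httpd-emulated log layout shown in the quoted reply, keeps only CONNECT requests, and separates tunnels to the `SSL_ports` set (443, 563) from tunnels to any other port, reporting which of the latter still got through with a 2xx instead of TCP_DENIED. All log lines except the one quoted in the thread are constructed; the hostnames and client addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample access.log excerpt in the httpd-emulated layout
# (emulate_httpd_log on). The first line is the one quoted in the thread;
# the rest are made up to show allowed and denied tunnels side by side.
SAMPLE_LOG = """\
192.168.25.220 - - [10/Jan/2005:11:24:38 +0800] "CONNECT 213.103.81.214:3518 HTTP/1.0" 200 223 TCP_MISS:DIRECT
192.168.25.220 - - [27/Jan/2005:09:02:11 +0800] "CONNECT 213.103.81.214:3518 HTTP/1.0" 403 1290 TCP_DENIED:NONE
192.168.25.17 - - [27/Jan/2005:09:03:40 +0800] "CONNECT mail.example.com:443 HTTP/1.0" 200 5120 TCP_MISS:DIRECT
192.168.25.42 - - [27/Jan/2005:09:04:02 +0800] "GET http://www.example.com/ HTTP/1.0" 200 3456 TCP_MISS:DIRECT
192.168.25.99 - - [27/Jan/2005:09:05:55 +0800] "CONNECT news.example.net:563 HTTP/1.0" 200 800 TCP_MISS:DIRECT
192.168.25.220 - - [27/Jan/2005:09:06:10 +0800] "CONNECT 10.9.8.7:6346 HTTP/1.0" 403 1290 TCP_DENIED:NONE
"""

# The SSL_ports acl from the posted configuration.
SSL_PORTS = {443, 563}

# client ident user [time] "METHOD URL PROTO" status bytes RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<result>\S+)'
)


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Squid writes the result as CODE:HIERARCHY, e.g. TCP_MISS:DIRECT or TCP_DENIED:NONE.
    rec["code"], _, rec["hier"] = rec["result"].partition(":")
    return rec


def connect_port(url):
    """For a CONNECT request the URL is host:port; return the port, or None if absent."""
    host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return None


def audit(log_text, ssl_ports=SSL_PORTS):
    """Count CONNECT outcomes and collect tunnels to non-SSL ports that were still allowed."""
    summary = Counter()
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        # A tunnel was set up only if Squid did not deny it and answered 2xx.
        allowed = rec["code"] != "TCP_DENIED" and 200 <= rec["status"] < 300
        if port in ssl_ports:
            summary["ssl_port_allowed" if allowed else "ssl_port_denied"] += 1
        else:
            summary["other_port_allowed" if allowed else "other_port_denied"] += 1
            if allowed:
                leaks.append(rec)
    return summary, leaks


if __name__ == "__main__":
    summary, leaks = audit(SAMPLE_LOG)
    print(dict(summary))
    for rec in leaks:
        print("tunnel to non-SSL port still allowed:", rec["client"], rec["url"], rec["time"])
```

Run against a real access.log, an empty `leaks` list with a non-zero `other_port_denied` count is the confirmation the poster is after; any entry in `leaks` points at a request the http_access rules are still letting through. The parser matches the httpd-emulated layout only; Squid's native format puts the fields in a different order and would need a different regular expression.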
Received on Thu Jan 27 2005 - 02:27:15 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:36 MST