Re: deny !Safe_ports, any critical reasons? ...

From: Jens-S. Voeckler <voeckler@dont-contact.us>
Date: Mon, 1 Feb 1999 18:18:57 +0100

Sorry for the late response,

but I stumbled over Squid's default "Safe_Ports" notion recently:

        acl Safe_ports port 80 21 443 563 70 210 1025-65535

After activating this on one of my caches and watching for a short while,
I arrived at the conclusion that the default Safe_ports ACL is not feasible
for the top-level caches in my hierarchy -- too many users were denied
access to weird ports. Curious about the distribution of ports used, I
combed through one weekday's worth of logfiles:

46,233,711 lines in logfiles
46,221,829 valid entries processed
45,550,589 requests for port 80 (98.55 %)
   625,824 requests on ports >= 1024 (1.35 %)
    45,416 requests on reserved ports (0.10 %)

Results on what ports were used can be found at (for the interested):

        http://statistics.www-cache.dfn.de/PrivateArea/1B16BBFD.html

Admittedly, there are a bunch of holes which I must disallow in my next
configuration attempt, but there are also a bunch of weird ports used by
trackers and/or webservers, which would be disallowed by the ACL mentioned
above. It seems that ports 81, 82, 88 and 90 are quite regularly used.

On Tue, Jan 07, 1999 at 22:51:52 +1300, Chris Wedgewood wrote:
]On Thu, Jan 07, 1999 at 02:24:01PM +1300, Jason Haar wrote:
]
]> acl unsafe_ports port 1 7 9 11 13 15 17 19 20 22 23 25 26 27 37 43
]> 53 57 70 77 79 87 88 95 101 102 103 109 110 110 111 111 113 115 117
]> 119 123 137 138 143 144 465 563 512 513 514 515 520 526 530 531 532
]> 540 543 544 556 600 749 750 751 754 992 993 995 989 990 442 465 563
]> 992 993 994 995 989 990 901 1080
]
]OK -- this still leaves plenty of ports people might do bad things
]with.
]
]I think a policy of 'allow all except some' is generally a bad idea;
]'allow none except some' is better IMO.
]
](Off the top of my head) Your list doesn't include 21 (ftp command),
]139 (Windows NetBIOS), 135 (Windows DCOM), 1433 (MS SQL server), 7010
](common Sybase SQL server), etc.
]
] [...]
]
]> I agree with you that the best idea is to scan your logs to see
]> what ports people are using...
]
]Why -- I only allow people to use connect with 443 and 563 -- I see
]no reason for them to use a squid proxy a connection on any other
]port.

Now, even though I would love to go with Chris' safe approach, for
toplevel caches I have to use Jason's style so far. FYI, in case you
stumbled over the Safe_ports ACL, too.

Le deagh dhùrachd,
Dipl.-Ing. Jens-S. Vöckler (voeckler@rvs.uni-hannover.de)
Institute for Computer Networks and Distributed Systems
University of Hanover, Germany; +49 511 762 4726
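The survey Jens describes (counting which destination ports the proxy actually serves, and how many requests the default Safe_ports ACL would refuse) can be reproduced from a Squid access.log. The script below is an added example, not code from the original post or from the Squid project. It assumes the native Squid access.log layout (timestamp, elapsed, client, result, size, method, URL, ...) and extracts the destination port from the URL field: the explicit port of a CONNECT target, or the URL's port with the scheme default when none is given. The log lines embedded in it are constructed for the example.

```python
"""Port-distribution survey over Squid access.log lines, checked against a Safe_ports ACL.

Added example (not from the original post). Assumes Squid's native access.log
format, in which field 6 is the request method and field 7 the URL.
"""
from collections import Counter
from urllib.parse import urlsplit

# The default ACL quoted in the post.
DEFAULT_ACL = "acl Safe_ports port 80 21 443 563 70 210 1025-65535"

# Scheme defaults used when a URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "wais": 210}

# Constructed sample log lines in native Squid format (not real traffic).
SAMPLE_LOG = """\
917870000.123    145 10.0.0.5 TCP_MISS/200 2314 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
917870001.456    310 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.net:81/tracker.cgi - DIRECT/192.0.2.11 text/html
917870002.789    890 10.0.0.9 TCP_MISS/200 0 CONNECT secure.example.com:443 - DIRECT/192.0.2.12 -
917870003.012     12 10.0.0.5 TCP_MISS/200 0 CONNECT mail.example.com:25 - DIRECT/192.0.2.13 -
917870004.345    200 10.0.0.8 TCP_MISS/200 800 GET http://www.example.org:8080/ - DIRECT/192.0.2.14 text/html
917870005.678     50 10.0.0.6 TCP_MISS/200 900 GET ftp://ftp.example.org/pub/ - DIRECT/192.0.2.15 text/plain
this line is not a log entry
"""


def safe_ports_from_acl(acl_line):
    """Parse 'acl NAME port P P LO-HI ...' into a list of (lo, hi) ranges."""
    parts = acl_line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "port":
        raise ValueError("not a port ACL line: %r" % acl_line)
    ranges = []
    for tok in parts[3:]:
        lo, _, hi = tok.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_allowed(port, ranges):
    """True if the port falls inside any range of the ACL."""
    return any(lo <= port <= hi for lo, hi in ranges)


def request_port(method, url):
    """Destination port of one request, or None if it cannot be determined."""
    if method == "CONNECT":
        # CONNECT targets are 'host:port' with no scheme.
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else None
    try:
        parts = urlsplit(url)
        if parts.port is not None:
            return parts.port
        return DEFAULT_PORTS.get(parts.scheme.lower())
    except ValueError:  # malformed port in the URL
        return None


def parse_access_line(line):
    """Return the destination port of a native-format access.log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return request_port(fields[5], fields[6])


def survey(lines, acl_ranges):
    """Count requests by port class and report which ports the ACL would deny.

    Returns (stats, ports_seen, ports_denied): stats has the same buckets as
    the post (lines, valid, port80, high >= 1024, reserved < 1024) plus the
    number of requests the ACL would deny; the two Counters are keyed by port.
    """
    stats = Counter()
    ports_seen = Counter()
    ports_denied = Counter()
    for line in lines:
        stats["lines"] += 1
        port = parse_access_line(line)
        if port is None:
            continue
        stats["valid"] += 1
        ports_seen[port] += 1
        if port == 80:
            stats["port80"] += 1
        elif port >= 1024:
            stats["high"] += 1
        else:
            stats["reserved"] += 1
        if not port_allowed(port, acl_ranges):
            stats["denied"] += 1
            ports_denied[port] += 1
    return stats, ports_seen, ports_denied


if __name__ == "__main__":
    stats, seen, denied = survey(SAMPLE_LOG.splitlines(), safe_ports_from_acl(DEFAULT_ACL))
    for key in ("lines", "valid", "port80", "high", "reserved", "denied"):
        print("%10d %s" % (stats[key], key))
    print("ports the ACL would deny:", dict(denied))
```

Run against a real access.log with `survey(open("access.log"), safe_ports_from_acl(DEFAULT_ACL))`; the `ports_denied` counter is the list to review before tightening or loosening the ACL, since it shows exactly which ports (81, 82, 88 and 90 in the post's case) users would lose.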
Received on Mon Feb 01 1999 - 10:12:35 MST