Bugtraq mailing list archives

Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]

From: Tommaso Di Donato <t.didonato () sicurweb it>
Date: Fri, 22 Feb 2002 17:27:44 +0100

The authors of Squid sorted that problem out YEARS ago. The default ACLs
within Squid state:

acl SSL_ports port 443 563
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

i.e. you can only use the CONNECT proxy option for ports 443 and 563.

I'm amazed this isn't the default in other products...


I love Squid, and yes, default Squid configuration solves this problem...

But if you want a secure proxy, you have to change the parameter http_portto listen only to your internal IP address!!! Default config is:

http_port 0.0.0.0

so anyone from the internet can use your proxy (I fond a lot of server soconfigured!!!!). Change it to

http_port 192.168.1.254 #private IP

My 0.02...

Tommaso Di Donato

Current thread:

Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Tommaso Di Donato (Feb 23)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Keith Simonsen (Feb 23)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Kurt Seifried (Feb 25)