Proxies, transparent and otherwise, ports to use. (was Re: upgrading more than one box...)

Mon, 20 Aug 2001 22:58:33 -0500 

on Tue, Aug 21, 2001 at 12:02:22AM +0200, "Jürgen A. Erhard" ([EMAIL 
PROTECTED]) wrote:
> >>>>> "Karsten" == Karsten M Self <kmself@ix.netcom.com> writes:
> >>>>> "Dave" == Dave Carrigan <[EMAIL PROTECTED]> writes:
> 
>     Dave> Also, if you prefer not to use a transparent cache (I
>     Dave> sometimes want to bypass squid), then you can install a
>     Dave> normal squid proxy and set an environment variable:
> 
>     Dave> http_proxy=3Dhttp://squidbox.dom.ain:3128/
> 
>     Dave> Apt honors the http_proxy environment variable if it's set.
> 
>     Karsten> True.  But with a transparent proxy on your gateway
>     Karsten> there's *no* client or node configuration to be done to
>     Karsten> utilize it -- for any host served by that gateway.
>     Karsten> Hence: transparent.
> 
> I'm not sure, but IIRC a proxy def (either by http_proxy or by
> configuring the app) works for *all* http accesses, no matter which
> port.

Interesting.  Hadn't thought of that, but there are a number of outbound
ports that I find web services on.

Since I also proxy through Junbuster, I know what ports I'm letting
through:

    :80
    :81
    :88
    :8000
    :8001
    :8009
    :8080
    :8081
    :8881

I suppose I could at forward rules for each of these ports to go through
my squid proxy.  Anyone know a good definitive list of standard web
ports?  I'm assuming:

    80-81       (/etc/services shows no services for ports 81-86)
    8000-8009   (nmap services shows 8007:jserv, 8009 ajp13)
    8080-8089   (nmap: 8080:http proxy, 8081:blackice-icecap, 
                 8082: blackice-alerts)
    8880-8889   (unregistered)

Looks like 80, 81, 8000, 8001, and 8080 would be good bets for bulk of
traffic. 

> So, to really be transparent, you'd need to redirect all HTTP acesses
> to your firewall's cache.  Hmmm... can iptables analyze the protocol
> the connection is using?

Good question.  I'm just getting into more advanced packet filtering
issues myself.

-- 
Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             There is no K5 cabal
  http://gestalt-system.sourceforge.net/               http://www.kuro5hin.org
   Free Dmitry! Boycott Adobe! Repeal the DMCA!    http://www.freesklyarov.org
Geek for Hire                        http://kmself.home.netcom.com/resume.html

Attachment: pgpUi5MQ7X3H9.pgp
Description: PGP signature

Reply via email to