----- Original Message -----
From: croilan cruz
To: plug@lists.linux.org.ph
Sent: Saturday, September 16, 2006 10:56 AM
Subject: [plug] re:squid-http open

Dearest all,

I just want to give thanks to those who replied to my mail concerning
Squid. Whoever (fooler) is, a million thanks. In your letter
you discussed SYN, RST, ACK, etc.; these TCP flags are giving me a headache
on how to configure the firewall. For example, if your firewall IP was tagged as being
rejected in SORBS or CBL, in what aspect do I need to reconfigure the
firewall?
I put the example in the CBL recommendation but still get the firewall IP
on their list.

my set up
                              <net> ------<firewall> ----- <dmz>

any tip to handle this problem....

you have two options to protect your squid from open relay and these are:

1. layer 3 firewall thru iptables
2. layer 7 firewall thru squid's acl

a simple rule for both options is to allow the good IP addresses to access your proxy and deny the rest...

whichever option you prefer.... it will protect you from open relay outside of the good IP addresses you listed...

but.... protecting your proxy from open relay doesn't mean you are free from the SORBS or CBL database lists of bad IPs... if one of the good IP addresses you listed was compromised and used your proxy as a relay (since it is allowed to access it).. you are still marked as a bad IP...

fooler.
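
An added example, not part of the original message: a small Python check that reads the `acl ... src` and `http_access` lines of a squid.conf and reports whether a given client address would be allowed, which is a quick way to confirm that an allowlist of the kind described above really denies everyone else. The ACL names and the sample addresses (documentation ranges) are constructed, and the checker assumes only `src` ACLs written as addresses or CIDR blocks.

```python
import ipaddress

# Constructed sample squid.conf fragment: allow listed clients, deny the rest.
# ACL names and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_CONF = """\
acl good_clients src 192.0.2.0/24 198.51.100.10
acl all_src src 0.0.0.0/0
http_access allow good_clients
http_access deny all_src
"""

def parse(conf):
    """Collect src ACLs and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, client_ip):
    """Return 'allow' or 'deny' following Squid's http_access ordering."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)

    def hit(name):
        # Assumption: ACLs that are not src ACLs are treated as non-matching.
        negate = name.startswith("!")
        found = any(ip in net for net in acls.get(name.lstrip("!"), []))
        return found != negate

    for action, names in rules:
        # Every ACL on a line must match; the first matching line wins.
        if all(hit(n) for n in names):
            return action
    if not rules:
        return "deny"  # Squid denies when there are no http_access lines
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def is_open_to(conf, outsider="203.0.113.50"):
    """True if an address outside the allowlist (constructed) gets access."""
    return decide(conf, outsider) == "allow"
```

A configuration that ends on a `deny` line for a narrow ACL falls through to "allow" for every other client, which is the case `is_open_to` is meant to catch.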


_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
plug@lists.linux.org.ph (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph