Hey Jason,
Indeed it is nasty.
I do not remember now how I advised in the past to defend against this
issue.
There is a "risk" in every system operation and this is one of them.
You indeed found this "bug" or security vulnerability!
Specially on linu
Typical, I figured out an iptables workaround within seconds of sending
my last email.
I still think squid needs to be able to stop this DoS, but this will
stop the issue occurring:
iptables -t nat -A PREROUTING -d proxy.ip -i lan.interface -p tcp -m tcp --dport 3127 -j REDIRECT --to-ports 9876 #98
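Added example (not part of the original thread): a Python check over `iptables-save` output that reports whether direct connections to the proxy's own intercept port are caught by a nat PREROUTING redirect like the one in the workaround above. The sample rulesets, the address 192.0.2.10, the interface eth1 and the 443-to-3127 intercept rule are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: an intercept rule only, then the same ruleset plus the guard rule.
BEFORE = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
COMMIT
"""
GUARD = ("-A PREROUTING -d 192.0.2.10/32 -i eth1 -p tcp -m tcp "
         "--dport 3127 -j REDIRECT --to-ports 9876\nCOMMIT")
AFTER = BEFORE.replace("COMMIT", GUARD)

def nat_prerouting_rules(save_text):
    """Token lists for each nat-table PREROUTING rule, in evaluation order."""
    rules, table = [], None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A PREROUTING "):
            rules.append(shlex.split(line))
    return rules

def _value(tokens, flag):
    """Argument following `flag`, or None when the rule does not use it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def direct_access_guarded(save_text, proxy_ip, intercept_port):
    """True if the first rule matching TCP to proxy_ip:intercept_port redirects
    it to a different port. Simplified model: negated matches, port ranges,
    multiport and interface matches are not evaluated."""
    port = str(intercept_port)
    for r in nat_prerouting_rules(save_text):
        if "!" in r or _value(r, "-p") not in (None, "tcp"):
            continue
        if _value(r, "--dport") not in (None, port):
            continue
        dst = _value(r, "-d")
        if dst and ipaddress.ip_address(proxy_ip) not in ipaddress.ip_network(dst, strict=False):
            continue
        # First matching rule decides what happens to the packet in nat PREROUTING.
        return _value(r, "-j") == "REDIRECT" and _value(r, "--to-ports") not in (None, port)
    return False  # nothing matched: the connection reaches the intercept port as-is

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, direct_access_guarded(text, "192.0.2.10", 3127))
```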
On 12/11/14 18:59, Amos Jeffries wrote:
>
> That being one of the "NAT security vulnerabilities" mentioned as
> reason for mangle table rules.
Sorry, I should have said that if I remove the iptables 443 redirect
rule, it still occurs!
>
> 3) Squid connected there to fetch the SSL certificate deta
On 12/11/2014 5:49 p.m., Jason Haar wrote:
> Hi there
>
> I was reading this list about the issue with google.com and was
> playing around - and I used telnet to connect directly to the
> intercept ssl-bump port. End result was squid immediately went
Hi there
I was reading this list about the issue with google.com and was playing
around - and I used telnet to connect directly to the intercept ssl-bump
port. End result was squid immediately went to 99% CPU, and the
cache.log started reporting
WARNING! Your cache is running out of filedescripto