[24393] in bugtraq
Re: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint firewall]
daemon@ATHENA.MIT.EDU (Keith Simonsen)
Sat Feb 23 10:30:51 2002
Date: Fri, 22 Feb 2002 16:44:00 -0800
From: Keith Simonsen <bangel@elite.net>
To: Tommaso Di Donato <t.didonato@sicurweb.it>
Cc: bugtraq@securityfocus.com
Message-ID: <20020222164359.A32314@peach.elite.net>
Mail-Followup-To: Tommaso Di Donato <t.didonato@sicurweb.it>,
bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.1.0.14.0.20020222172736.0259f818@popmail.sicurweb.com>; from t.didonato@sicurweb.it on Fri, Feb 22, 2002 at 05:27:44PM +0100
Tommaso,

You are right that the default squid.conf binds to all IPs.
But if you scroll down to the ACL section:

acl all src 0.0.0.0/0.0.0.0
#Default:
# http_access deny all

So anyone from the net trying to use your proxy will get denied.
You have to explicitly add ACLs to allow any access to the proxy.
Looks like the squid defaults are pretty secure.

-Keith

On 22/02/02 17:27 +0100, Tommaso Di Donato wrote:
>
>
> I love Squid, and yes, default Squid configuration solves this problem...
> But if you want a secure proxy, you have to change the parameter http_port
> to listen only to your internal IP address!!! Default config is:
> http_port 0.0.0.0
> so anyone from the internet can use your proxy (I found a lot of servers so
> configured!!!!). Change it to
> http_port 192.168.1.254 #private IP
>
> My 0.02...
>
> Tommaso Di Donato