From: bobc@sfcei.com
To: FreeBSD-Questions@freebsd.org
Date: Tue, 23 Mar 2004 15:18:26 -0500
Subject: squid and its config, a question

I am looking to set up squid proxy for my lan, and think I have a correct config to make sure the proxy is not open. I am asking the list as opposed to the squid lists, as I prefer to ask the FBSD list first when it is somewhat FBSD related.

I will be running this on a FBSD 4.9 box. This box has two NICs in it, one connected to the router and one to the lan.

After looking through the docs, I think I am correct in listing the internal network 10.1.1.x 255.0.0.0 as such:

acl internal src 10.1.1.0/24
http_access deny !internal

I placed the above at the start of the file to jump right in and get this set.

And further into the squid.conf file the following:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 10.1.1.5/255.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

Here the squid server will be IP 10.1.1.5 255.0.0.0. I have no references to localhost as 127.0.0.1, and no references to the external IP in this file anywhere.

I am assuming, perhaps incorrectly, which is often the case for me :-), that this should be sufficient and safe from being open to the world.

Thank you very much for your time and patience with this. And yes I did RTFM, but I want to be sure as sometimes the FM is beyond me.

--
Bob

"Play is the work of children. It's very serious stuff. And if it's properly structured in a developmental program, children can blossom."
-Bob Keeshan aka `Captain Kangaroo'
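To check what the ACL lines quoted in the post actually do before deploying them, here is a small Python evaluator of Squid's `src` ACL matching and `http_access` first-match semantics. It is an added example, not part of the post and not Squid's own code; it models only the three `src` ACLs and the single `http_access` line shown (port, proto and method ACLs are ignored), and it also makes visible that `10.1.1.5/255.0.0.0` is a /8 mask, so the ACL named `localhost` matches every 10.x.x.x address, not just the proxy host.

```python
import ipaddress

# Constructed from the ACL lines in the post above; only "src" ACLs are modelled.
POSTED_ACLS = """
acl internal src 10.1.1.0/24
acl all src 0.0.0.0/0.0.0.0
acl localhost src 10.1.1.5/255.0.0.0
"""
# The one http_access rule the post places at the top of squid.conf.
POSTED_RULES = "http_access deny !internal"


def parse_src_acls(text):
    """Return {acl_name: [networks]}; Squid accepts CIDR and dotted masks."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
    return acls


def acl_matches(acls, name, client_ip):
    """True when client_ip falls inside any network of the named src ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acls[name])


def http_access(acls, rules_text, client_ip):
    """First matching http_access line wins. A line matches when every term
    on it matches; a '!' term matches when its ACL does NOT match the client.
    If no line matches, Squid applies the opposite of the last line's action
    (and denies everything when there are no http_access lines at all)."""
    last_action = None
    for line in rules_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, terms = parts[1], parts[2:]
        last_action = action
        if all(acl_matches(acls, t.lstrip("!"), client_ip) != t.startswith("!")
               for t in terms):
            return action
    return "allow" if last_action == "deny" else "deny"


if __name__ == "__main__":
    acls = parse_src_acls(POSTED_ACLS)
    for client in ("10.1.1.20", "10.2.3.4", "68.153.193.50"):
        print(client, http_access(acls, POSTED_RULES, client))
    print("acl localhost covers", acls["localhost"][0])
```

Run on the three constructed client addresses, the posted `deny !internal` line allows 10.1.1.20 only because no rule matches and Squid's default is the opposite of the last line; any later `allow` line in the file changes that default, so the whole rule list should be checked, not just the first line.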