[KLUG Members] Bogus header for Squid

Tony Gettig tony at gettig.net
Wed Mar 30 16:08:14 EST 2005


On Wed, 2005-03-30 at 15:47 -0500, Bruce Smith wrote:
> > > You're running a squid server exposed to the Internet?
> >
> > Nope. Internal only. Sorry, I should have clarified that. :)
> 
> Bummer, I was going to ask for the IP!  ;-)
> 

You and the rest of the Linux savvy users on my network! :)

> > Squid ACLs are configured to only accept connections from localhost,
> > but the port responds as open when scanning from the inside. Client PCs
> > connect at a port other than 3128 for purposes of filtering. The path
> > out looks like this:
> > 
> > client PC --> filter port --> 3128(localhost) --> web
> 
> OK, you're running some kind of squidguard package on the same box that
> forwards valid requests thru squid?

Yep. And it's doing a great job. This box replaced an existing proxy
server and is keeping up really well. By my estimation, we've got
approximately 4,000 users going through it. Unscheduled downtime has
been zero since the switch, and administration is a breeze. The
filtering software needs a little tweaking still, but I'm pretty happy
with it overall.

> 
> > Is it possible and/or recommended to have an iptables rule to drop any
> > traffic on 3128 except from localhost? That way it wouldn't respond. Am
> > I right in thinking that?
> 
> Yeah, you can do that easily with iptables.  
> 
> Although I'm not sure what it's going to gain you as long as people
> really can't set their browsers to use port 3128 and bypass the filter
> (other than a cleaner nessus report).

That's what I'm after. I want the report to be as clean as possible for
presentation. The squid ACL works, so if they don't go through the
filter, they don't get out.
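One way to write the iptables rules being discussed, as an added example that is not part of the original thread: accept TCP/3128 only on the loopback interface (which is where the filter on the same box reaches Squid), drop everything else aimed at 3128 so a scan from the LAN gets no answer, and leave the filter port open. The filter port number (8080) is an assumption; the real box may use something else. Matching on `-i lo` rather than `-s 127.0.0.1` is deliberate: a source address can be forged in a packet, an ingress interface cannot.

```shell
#!/bin/sh
# Added example for the thread above, not from the original posts.
# Assumptions: the filter listens on FILTER_PORT and forwards to Squid on
# 127.0.0.1:SQUID_PORT over the loopback interface. Adjust to match the box.
SQUID_PORT=3128
FILTER_PORT=8080

# Emit the rules as text so they can be reviewed before being applied.
# Order matters: the loopback ACCEPT must precede the DROP.
squid_rules() {
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport ${SQUID_PORT} -j ACCEPT
iptables -A INPUT -p tcp --dport ${SQUID_PORT} -j DROP
iptables -A INPUT -p tcp --dport ${FILTER_PORT} -j ACCEPT
EOF
}

# Run the emitted rules (needs root). "show" just prints them.
apply_rules() {
    squid_rules | sh
}

case "${1:-}" in
    show)  squid_rules ;;
    apply) apply_rules ;;
esac
```

Run it as `sh squid3128.sh show` to review and `sh squid3128.sh apply` as root to install. Two caveats: `-A` appends, so if an earlier rule in INPUT already accepts all LAN traffic these never match, and you would use `-I INPUT 1` instead; and this is defense in depth only, the Squid `http_access` ACL remains the control that actually stops a client from bypassing the filter, so keep it in place and re-test from a client PC after the rules go in.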




