[squid-users] TCP_MISS/502 - audio stream - none default http ports

Dörfler, Andreas Andreas.Doerfler at kempten.de
Wed Sep 19 07:09:30 UTC 2018

Am Mittwoch, den 19.09.2018, 14:38 +1200 schrieb Amos Jeffries:

> This statement is false, and very bad security practice. Squid handles
> HTTP-level access controls. Firewalls handle network-layer access
> control. Either way multiple layers of security that work together are
> better than one - in case that one is compromised.
> ....
> Like the other default rules this "deny all" serves multiple purposes -
> along with the obvious access control to the network it is about denying
> "legitimate" clients trying to make Squid do extremely resource
> consuming things which are not permitted by your policy. Such as flood
> the internal network with Tbps of traffic, or port-scan services they
> are not normally allowed access to by the firewall.

hey amos,

thanks for your feedback, it's realy appreciated.

i re-enabled deny all, even when i still don't see any benifit, because:
without giving away to mutch internals, in my case allow all is still
ok, only a very few subnets have a route to this system and the
firewalls are working on a combination of layer 3 and 5-7 and also
running ssl-inspection to this specific squid.

but you are right, every layer counts.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6343 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180919/808e5a75/attachment.bin>

More information about the squid-users mailing list