[squid-users] TCP_MISS/502 - audio stream - none default http ports

Dörfler, Andreas Andreas.Doerfler at kempten.de
Wed Sep 19 07:09:30 UTC 2018


On Wednesday, 19.09.2018, 14:38 +1200, Amos Jeffries wrote:

> This statement is false, and very bad security practice. Squid handles
> HTTP-level access controls. Firewalls handle network-layer access
> control. Either way multiple layers of security that work together are
> better than one - in case that one is compromised.
> ....
> Like the other default rules this "deny all" serves multiple purposes -
> along with the obvious access control to the network it is about denying
> "legitimate" clients trying to make Squid do extremely resource
> consuming things which are not permitted by your policy. Such as flood
> the internal network with Tbps of traffic, or port-scan services they
> are not normally allowed access to by the firewall.

hey amos,

thanks for your feedback, it's really appreciated.

i re-enabled deny all, even when i still don't see any benefit, because:
without giving away too much internals, in my case allow all is still
ok, only a very few subnets have a route to this system and the
firewalls are working on a combination of layer 3 and 5-7 and also
running ssl-inspection to this specific squid.

but you are right, every layer counts.

greetings,
andy
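The point Amos makes above (Squid's own `http_access` rules as a layer independent of the firewall) is easiest to see in a squid.conf fragment. The following is an added example, not configuration from this thread or from the Squid project's shipped file; the `localnet` subnets and the stream port 8000 are constructed placeholders standing in for the subnets that actually route to the proxy and for the non-default port of the audio stream.

```squid
# Added example. Subnet and port values below are placeholders.

# --- weak variant: rely on the firewall alone ---
# http_access allow all
# Any client that can reach the proxy may use it to reach any host and
# any port; Squid itself stops nothing, so one compromised or misrouted
# client gets the proxy's full reach into the network.

# --- layered variant: Squid enforces its own policy as well ---
acl localnet src 10.0.0.0/8          # placeholder: subnets routed to this proxy
acl localnet src 192.168.0.0/16      # placeholder

acl SSL_ports port 443
acl Safe_ports port 80               # http
acl Safe_ports port 443              # https
acl Safe_ports port 8000             # placeholder: the audio stream's non-default port
acl CONNECT method CONNECT

# Refuse requests to any port not listed above. A non-default service port
# is added to Safe_ports explicitly rather than by opening everything.
# (The stock config additionally permits 1025-65535; listing the single
# port instead is the tighter choice.)
http_access deny !Safe_ports

# Only allow CONNECT tunnels towards SSL ports
http_access deny CONNECT !SSL_ports

# Cache manager only from the proxy host itself
http_access allow localhost manager
http_access deny manager

# Allow the trusted subnets, then refuse everyone and everything else
http_access allow localnet
http_access allow localhost
http_access deny all
```

Rule order matters: `http_access` lines are evaluated top to bottom and the first match wins, so the port and CONNECT denials sit before the subnet allows, and `deny all` closes the list so that a client missed by every earlier rule is refused rather than silently admitted. A client on an allowed subnet that requests a port not in `Safe_ports` is answered with a TCP_DENIED/403 by Squid, which shows up in access.log and is a useful signal even when the firewall would also have blocked it.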