Deny ports to users


Deny ports to users

Jonathan thomas Cho
Hello, I was curious how to restrict users from accessing ports.

I have 4 workers and need them to have their own ports and not be able to use the other 3.

I currently use:

http_port 3128 name=ip2
http_port 3129 name=ip3
http_port 3130 name=ip4

acl ip2 myip x.x.x.2
acl ip3 myip x.x.x.3
acl ip4 myip x.x.x.4
tcp_outgoing_address x.x.x.2 ip2
tcp_outgoing_address x.x.x.3 ip3
tcp_outgoing_address x.x.x.4 ip4

However, 3129 still works on all 4 ports.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Deny ports to users

Yuri Voinov

You chose an inappropriate tool for your task.

Squid is a proxy, not a firewall.


17.11.2017 1:40, Jonathan thomas Cho wrote:
Hello, I was curious how to restrict users from accessing ports.

I have 4 workers and need them to have their own ports and not be able to use the other 3.

I currently use:

http_port 3128 name=ip2
http_port 3129 name=ip3
http_port 3130 name=ip4

acl ip2 myip x.x.x.2
acl ip3 myip x.x.x.3
acl ip4 myip x.x.x.4
tcp_outgoing_address x.x.x.2 ip2
tcp_outgoing_address x.x.x.3 ip3
tcp_outgoing_address x.x.x.4 ip4

However, 3129 still works on all 4 ports.



-- 
**************************
* C++: Bug to the future *
**************************


Re: Deny ports to users

Amos Jeffries
Administrator

On 17/11/17 08:42, Yuri wrote:
> You chose an inappropriate tool for your task.
>
> Squid is a proxy, not a firewall.
>

Indeed.


>
> 17.11.2017 1:40, Jonathan thomas Cho wrote:
>> Hello, I was curious how to restrict users from accessing ports.
>>
>> I have 4 workers and need them to have their own ports and not be able to
>> use the other 3.
>>
>> I currently use:
>>
>> http_port 3128 name=ip2
>> http_port 3129 name=ip3
>> http_port 3130 name=ip4

The above are directives for the *listening* ports receiving
client<->Squid connections.

You have here configured this Squid *process* (all workers of it) to use
port 3128 on all IP addresses the machine has been assigned. Same for
port 3129 and 3130.

Squid cannot control which port a client decides to connect to. It can
only listen (or not).

I assume you mean you want each worker to use different listening ports.
That can be done by using the ${process_number} config macro in the port
number itself, eg. http_port 313${process_number}.
However, be aware that will lead to issues with the coordinator
process not being able to manage SMP port functionality, and worker
automatic restart after crashes will have issues since the process
number changes there too. And you thus cannot reliably use the port
name/number for other things like you seem to be wanting.


>> acl ip2 myip x.x.x.2
>> acl ip3 myip x.x.x.3
>> acl ip4 myip x.x.x.4

"myip" is deprecated, it does not work at all well. Use "myportname"
instead.

Your Squid should complain about this when you run '-k parse' to check
your config validity. If your Squid does not support that new ACL type
you definitely need to upgrade.


>> tcp_outgoing_address x.x.x.2 ip2
>> tcp_outgoing_address x.x.x.3 ip3
>> tcp_outgoing_address x.x.x.4 ip4
>>

These are for Squid<->server connections. They have nothing to do with
client<->Squid connections.

The OS selects which ports are used here. Not Squid.


>> However, 3129 still works on all 4 ports.
>>

3129 is a port number. Singular. It does not *listen* on other values.

The traffic arriving on connections *to* there is independent of the
outgoing connection port numbers - which are not controllable as
mentioned above. So it is not clear what you are trying to say by that.


Amos
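An added example (not from any of the posts above) of how the original configuration looks once Amos's points are applied: each listening port is bound to one address instead of all of them, the deprecated `myip` ACLs are replaced by `myportname` matches on the `name=` of the listening port, and `http_access` rules tie each port to the client address that is allowed to use it. The x.x.x.N addresses are taken from the original post; the 10.0.0.N client addresses and the `client2`..`client4` ACL names are constructed placeholders.

```conf
# Added example, not from the thread. Bind each listening port to its own
# address (the original http_port lines listened on every address).
http_port x.x.x.2:3128 name=ip2
http_port x.x.x.3:3129 name=ip3
http_port x.x.x.4:3130 name=ip4

# Match on the name of the listening port the client arrived on,
# instead of the deprecated "myip" ACL type.
acl ip2 myportname ip2
acl ip3 myportname ip3
acl ip4 myportname ip4

# Client (source) addresses permitted on each port. Constructed values.
acl client2 src 10.0.0.2/32
acl client3 src 10.0.0.3/32
acl client4 src 10.0.0.4/32

# http_access is evaluated top to bottom, first match wins: a client is
# allowed only on its own port; any other combination falls through to deny.
http_access allow ip2 client2
http_access allow ip3 client3
http_access allow ip4 client4
http_access deny all

# Squid<->server connections: source address chosen by listening port.
# The source *port* of these connections is still picked by the OS.
tcp_outgoing_address x.x.x.2 ip2
tcp_outgoing_address x.x.x.3 ip3
tcp_outgoing_address x.x.x.4 ip4
```

Check the result with `squid -k parse` before reloading, as Amos suggests. Note that this only changes what Squid answers on each port: a client on the "wrong" port still completes a TCP connection and receives a denial, it is not stopped from connecting. Preventing the connection itself is what Yuri and Amos mean by "Squid is a proxy, not a firewall", and belongs in the host firewall rather than squid.conf.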