The simplest way to make sure this doesn't happen is to bind Squid only to the internal interface(s) with http_port, so that the outside world cannot reach it and use it as a proxy to get at your internal LAN. In addition to this, firewalling the proxy port is a good idea. Fortunately Squid has very good ACLs (Access Control Lists) built into squid.conf, allowing you to lock down access by hostname, IP address, network, time of day and day of week. Remember however that the more complicated an ACL set is, the slower Squid will be to respond to requests.
Example where requests from 10.0.0.0/24 will be forwarded with source address 10.1.0.1, requests from 10.0.2.0/24 will be forwarded with source address 10.1.0.2, and everything else will be forwarded with source address 10.1.0.3. The tcp_outgoing_address lines are checked in order, the first one whose ACL matches wins, and the final line with no ACL is the default:
acl abc src 10.0.0.0/24
acl xyz src 10.0.2.0/24
tcp_outgoing_address 10.1.0.1 abc
tcp_outgoing_address 10.1.0.2 xyz
tcp_outgoing_address 10.1.0.3
Note that tcp_outgoing_address only chooses which source address Squid uses for its own outbound connections; on its own it does not restrict what clients may ask the proxy to fetch. To actually prevent anyone from using Squid to probe your internal network, combine the internal-only http_port binding with http_access rules that deny requests whose destination is an internal address (including the proxy's own addresses and loopback) and that allow only your own client networks, ending with http_access deny all.
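The following squid.conf fragment is an added example, not configuration from the original post: it ties together the points above (listen only on the inside interface, source ACLs for the LAN clients, a time-of-day ACL, and a destination ACL that stops the proxy being used to reach internal addresses). The interface address 10.0.0.1, the client networks and the ACL names are assumptions chosen for illustration.

```conf
# Added example (not from the original post). All addresses, ranges and ACL
# names below are assumed for illustration; adjust them to your network.

# Listen only on the inside address, never on 0.0.0.0, so hosts outside the
# LAN cannot reach the proxy port at all (firewall it as well).
http_port 10.0.0.1:3128

# Who may use the proxy: the internal client networks.
acl localnet src 10.0.0.0/24 10.0.2.0/24

# Where clients must NOT be allowed to go through the proxy: RFC 1918 space,
# link-local and loopback. 'dst' is matched against the resolved address of
# the requested host, so a hostname that resolves to an internal IP is caught
# as well as a literal internal IP, and the proxy's own addresses are covered.
acl to_internal dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8

# Destination ports and methods worth allowing; everything else is refused.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Day-of-week / time-of-day restriction: Monday to Friday, 08:00-18:00.
# Day letters are S M T W H F A (H = Thursday, A = Saturday).
acl workhours time MTWHF 08:00-18:00

# http_access lines are evaluated top to bottom; the first match decides.
# Deny the dangerous cases before granting anything.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_internal
http_access allow localnet workhours
http_access deny all
```

Check the file with `squid -k parse` before reloading. From a LAN client, `curl -x http://10.0.0.1:3128 http://10.0.0.5/` (an assumed internal host) should now get an HTTP 403 from Squid, while a request for an external site during work hours succeeds; from outside the LAN the proxy port should not answer at all. The tcp_outgoing_address lines from the example above can be added to this file unchanged, since they only affect the source address of connections that http_access has already permitted.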