Re: confusing warnings

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 08 Nov 2012 11:11:59 +1300

> On 11/7/2012 5:40 PM, Christian wrote:
>> what's wrong with this:
>> #acl manager proto cache_object
>> #acl localhost src 127.0.0.1/32 ::1
>> acl localhost src 127.0.0.1/32
>> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

What's wrong is that:

* you have removed the IPv6 localhost definitions, erasing any security
permissions these ACLs would have provided to IPv6 traffic (for both
allow AND deny usage cases). It is best practice to ensure that you have
consistent security behaviour for both IPv4 and IPv6 traffic.

* the ACLs "manager", "localhost" and "to_localhost" are now built-in
definitions. See http://www.squid-cache.org/Doc/config/acl/

We have had to do this for several reasons:
  1) it presents a shorter, less confusing default config, and fewer ways
to get ACL and *_access lines in the wrong order.

  2) it helps us roll out 0.0.0.0/32 and similar protection to existing
installations that ignore the config file changes unless they bite.

  3) people deciding that since they don't need IPv6 they can remove ::1
etc. from the localhost definitions (exactly like you did above!), which
*prevents* Squid from providing any IPv6 traffic security on those
connection types (e.g. "http_access deny localhost" can allow IPv6
localhost through).

On 08.11.2012 04:57, Eliezer Croitoru wrote:
> you do understand that there is no such thing as "0.0.0.0/32" ??

There is. It means the explicit single RESERVED address "0.0.0.0".
Sending traffic there is forbidden, but some TCP stacks permit it to be
used like 127.0.0.1 and that can result in forwarding loop DoS
vulnerabilities.

As to the warnings ...

Amos
Received on Wed Nov 07 2012 - 22:12:03 MST
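The point Amos makes about trimmed localhost ACLs losing their IPv6 coverage can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: a small lint over squid.conf-style ACL lines that reports which expected networks (here the IPv4 and IPv6 loopback entries and 0.0.0.0/32 discussed above) are missing from the active, uncommented `localhost` / `to_localhost` definitions. The sample config and the `EXPECTED` table are constructed for this example; on current Squid these two ACLs are built in, so the check only matters for configs that still define them explicitly.

```python
import ipaddress

# Constructed sample: the trimmed ACL lines from the thread (IPv6 ::1 removed).
SAMPLE_CONF = """\
#acl localhost src 127.0.0.1/32 ::1
acl localhost src 127.0.0.1/32
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl internal src 10.0.0.0/8
"""

# Constructed sample: the same definitions with consistent IPv4 + IPv6 coverage.
FIXED_CONF = """\
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
"""

# Hypothetical expectation table: what each ACL must cover so that allow/deny
# rules behave the same for IPv4 and IPv6 loopback traffic.
EXPECTED = {
    "localhost": {"127.0.0.1/32", "::1/128"},
    "to_localhost": {"127.0.0.0/8", "0.0.0.0/32", "::1/128"},
}


def parse_acls(conf):
    """Return {acl_name: set(normalised networks)} for active src/dst ACL lines."""
    acls = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl" or parts[2] not in ("src", "dst"):
            continue
        nets = acls.setdefault(parts[1], set())
        for token in parts[3:]:
            # Normalise so a bare "::1" compares equal to "::1/128".
            nets.add(str(ipaddress.ip_network(token, strict=False)))
    return acls


def missing_entries(acls, expected=EXPECTED):
    """Map each expected ACL to the sorted list of networks absent from the config."""
    report = {}
    for name, want in expected.items():
        gaps = want - acls.get(name, set())
        if gaps:
            report[name] = sorted(gaps)
    return report


def check_conf(conf):
    """Lint a config fragment; an empty dict means every expected entry is present."""
    return missing_entries(parse_acls(conf))
```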