Hi Amos, thank you for your help. And if I understand right, I can remove those two ACLs, because they are already built-in.

Thank you very much.

Chris

On 07.11.2012 23:11, Amos Jeffries wrote:
> On 11/7/2012 5:40 PM, Christian wrote:
>> what's wrong with this:
>> #acl manager proto cache_object
>> #acl localhost src 127.0.0.1/32 ::1
>> acl localhost src 127.0.0.1/32
>> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
> What's wrong is that:
>
> * you have removed the IPv6 localhost definitions, erasing any security permissions these ACLs would have provided to IPv6 traffic (for both allow AND deny usage cases). It is best practice to ensure that you have consistent security behaviour for both IPv4 and IPv6 traffic.
>
> * the ACLs "manager", "localhost" and "to_localhost" are now built-in definitions. See http://www.squid-cache.org/Doc/config/acl/
>
> We have had to do this for several reasons:
> 1) it presents a shorter, less confusing default config, and fewer ways to get ACL and *_access lines in the wrong order.
>
> 2) it helps us roll out 0.0.0.0/32 and similar protection to existing installations who ignore the config file changes unless they bite.
>
> 3) people deciding that since they don't need IPv6 they can remove ::1 etc. from the localhost definitions (exactly like you did above!). Which *prevents* Squid from providing any IPv6 traffic security on those connection types (e.g. "http_access deny localhost" can allow IPv6 localhost through).
>
>
> On 08.11.2012 04:57, Eliezer Croitoru wrote:
>> you do understand that there is no such thing as "0.0.0.0/32"??
>
> There is. It means the explicit single RESERVED address "0.0.0.0". Sending traffic there is forbidden, but some TCP stacks permit it to be used like 127.0.0.1 and that can result in forwarding loop DoS vulnerabilities.
>
> As to the warnings ...
>
> Amos

--
Christian
----------------------------------------------------
- Please do not 'CC' me on list mails. Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories http://www.sc24.de
----------------------------------------------------
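As an added illustration (not code from the thread or from the Squid project), a small Python check that flags the two problems Amos describes in a squid.conf: lines that redefine the built-in manager/localhost/to_localhost ACLs, and localhost definitions missing the IPv6 entry ::1 (or 0.0.0.0/32 for to_localhost). The reference values are taken from Christian's commented-out lines; the function names and the sample config are my own.

```python
"""Lint a squid.conf for redefined built-in ACLs and dropped IPv6/0.0.0.0 entries."""

# ACLs that Squid now defines internally (per Amos's reply). Redefining them
# in squid.conf is at best redundant and at worst weakens the built-in rule.
BUILTIN_ACLS = {"manager", "localhost", "to_localhost"}

# Entries each built-in definition carries, as shown in the commented-out
# lines quoted in the thread. A hand-written copy that lacks one of these
# leaves that address family or reserved address uncovered.
EXPECTED_ENTRIES = {
    "localhost": ["::1"],
    "to_localhost": ["0.0.0.0/32", "::1"],
}


def parse_acls(conf_text):
    """Return {acl_name: [args...]} for uncommented 'acl' lines.

    Squid lets one ACL accumulate arguments across several 'acl' lines,
    so arguments from repeated definitions are merged.
    """
    acls = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) < 3 or parts[0] != "acl":
            continue
        name, args = parts[1], parts[3:]  # parts[2] is the ACL type
        acls.setdefault(name, []).extend(args)
    return acls


def lint(conf_text):
    """Return (acl_name, problem) findings in configuration order."""
    findings = []
    for name, args in parse_acls(conf_text).items():
        if name in BUILTIN_ACLS:
            findings.append((name, "redefines built-in ACL"))
        for entry in EXPECTED_ENTRIES.get(name, []):
            if entry not in args:
                findings.append((name, "missing " + entry))
    return findings


# Constructed sample: the exact lines Christian posted.
SAMPLE_CONF = """\
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
acl localhost src 127.0.0.1/32
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8
"""

if __name__ == "__main__":
    for name, problem in lint(SAMPLE_CONF):
        print(f"acl {name}: {problem}")
```

Running it on the sample reports both redefinitions and the missing ::1 on each; a config that simply omits those lines (relying on the built-ins) produces no findings.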
