[Dshield] Inbound TCP traffic from port 3128 -- is it ok?

Ed Truitt truited at raq2.mylinuxisp.com
Thu Jan 30 18:48:57 GMT 2003


If you are talking to your ISP's squid proxy on port 3128 (you send from a high port to 3128, squid sends from 3128), then you should be OK allowing traffic from source port 3128 through your firewall (for that IP address, or that server name).

I would NOT open 3128 to the world, as it is one that is subject to being probed (by persons looking for open HTTP proxies).

On Thu, Jan 30, 2003 at 03:43:07PM -0200, Andre Costa wrote:
> Hi folks,
> 
> I have just switched ISPs here, and I am now hooked to one that uses
> squid. These lines started showing on my log:
> 
> Jan 30 15:39:22 shadow kernel: IN=eth0 OUT=
> MAC=00:e0:7d:cd:61:6b:00:05:5f:ea:1c:70:08:00 SRC=200.239.245.33
> DST=200.234.189.157 LEN=1500 TOS=0x00 PREC=0x00 TTL=60 ID=35360 DF
> PROTO=TCP SPT=3128 DPT=33209 WINDOW=6600 RES=0x00 ACK URGP=0 
> 
> I looked at IANA port assignments, and found out that TCP 3128 is
> assigned to ndl-aas; further research showed this is squid's default
> port for its proxy service.
> 
> Is it safe to allow this kind of traffic (only if it comes from the
> above server)? What do you gurus suggest?
> 
> TIA
> 
> Andre
> 
> -- 
> Andre Oliveira da Costa
> 

-- 
<==============================================================>
Edward D. (Ed) Truitt
email:  ed.truitt at etee2k.net      
http://www.etee2k.net 
"Note to spammers: my 'delete' key is connected to YOUR ISP. 
Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."
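
As an added illustration (not part of either message): a small Python triage of netfilter LOG lines like the one quoted above, separating replies from the ISP proxy from other traffic that involves port 3128. It assumes 200.239.245.33 (the SRC in the quoted log) is the ISP's squid; the category names and the last three sample lines are constructed.

```python
PROXY_IP = "200.239.245.33"  # assumption: SRC in the quoted log is the ISP's squid
PROXY_PORT = 3128

def parse_netfilter(line):
    """Split a netfilter LOG line into KEY=value fields and bare tokens (TCP flags, DF)."""
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[-1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags

def classify(line):
    """Label one logged packet; the category names are made up for this example."""
    fields, flags = parse_netfilter(line)
    if fields.get("PROTO") != "TCP":
        return "other"
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    syn_only = "SYN" in flags and "ACK" not in flags
    if dpt == PROXY_PORT and syn_only:
        return "inbound-connect-to-3128"        # someone checking for a proxy on this host
    if spt == PROXY_PORT:
        if fields.get("SRC") != PROXY_IP:
            return "sport-3128-unknown-host"    # source port alone proves nothing
        if syn_only:
            return "new-connection-from-proxy"  # a proxy answers, it does not initiate
        return "proxy-reply"
    return "other"

# First entry: the packet from the original post, rejoined. The rest are constructed.
SAMPLES = [
    "Jan 30 15:39:22 shadow kernel: IN=eth0 OUT= MAC=00:e0:7d:cd:61:6b:00:05:5f:ea:1c:70:08:00 "
    "SRC=200.239.245.33 DST=200.234.189.157 LEN=1500 TOS=0x00 PREC=0x00 TTL=60 ID=35360 DF "
    "PROTO=TCP SPT=3128 DPT=33209 WINDOW=6600 RES=0x00 ACK URGP=0",
    "Jan 30 15:41:02 shadow kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=200.234.189.157 LEN=60 "
    "PROTO=TCP SPT=40112 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 30 15:42:10 shadow kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=200.234.189.157 LEN=40 "
    "PROTO=TCP SPT=3128 DPT=33300 WINDOW=6600 RES=0x00 ACK URGP=0",
    "Jan 30 15:43:55 shadow kernel: IN=eth0 OUT= SRC=200.239.245.33 DST=200.234.189.157 LEN=60 "
    "PROTO=TCP SPT=3128 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s.split("SRC=")[1].split(" LEN")[0])
```

Only the first category matches the traffic the reply describes as OK to allow: ACK-bearing packets from the proxy's address with source port 3128.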


