[H-GEN] Squid forwarded_for option
Ted Percival
ted at midg3t.net
Wed Jan 21 20:10:12 EST 2009
David Duffy (AVD) wrote:
> Ted Percival wrote:
>> David Duffy (AVD) wrote:
>>
>>> I have a Debian server with squid running. The forwarded_for option was
>>> turned on by default. I have now turned it off. Was there any inherent
>>> security problem with outside people knowing the internal IP address of
>>> the (Windows) boxes? This server does have firewall rules in place.
>>>
>> There is only a problem if you believe in security through obscurity.
>>
> So, what you're saying is that it poses no additional threat? I.e. a
> properly configured server will be equally as effective whether or not
> the forwarded_for option is turned on.
Right, it doesn't affect the operation of Squid at all except for
whether it adds that informational header. Remote sites can do what they
like with it; there's no guarantee that it's valid or that it means
anything. In theory you might get different behaviour from a site that
trusts that header to distinguish distinct clients. For example, by
combining the X-Forwarded-For address with the requesting machine's
address they can come up with a reasonably reliable identifier for a
machine that is being proxied, even if it has the same non-routable
192.168.x.x IP address as a few hundred thousand other machines in the
world. As an unofficial header ("X-" prefix) it's not part of the HTTP
1.1 protocol (RFC 2616), so it can just as easily contain a quote by your
favourite author and still be HTTP-compliant.
But you asked about security, not privacy or functionality.
Whether your internal machines have routable or non-routable IP
addresses matters little too. If someone can get access to that network,
it's trivial to find out the machines' IP addresses. If they have
publicly routable IP addresses then one can make some educated guesses
based on the nearby IP address ranges, or if all else fails just send
requests to all 4 billion addresses. It's not that many.
If they have non-publicly-routable IP addresses like 192.168.x.x then
there are only a few tens of thousands of possible addresses, maybe as
few as 255, that an attacker would need to try to find a single machine.
There is *nothing* secret about IP addresses. I guess you can draw an
analogy with street addresses. You can hide your street address all you
like, but it's trivial to determine whether there is a house at a
particular address. If you want to make it hard for a burglar to break
in, you need real security in the form of locks. This analogy extends
reasonably for non-publicly routable IP addresses too: consider a gated
community. It's a little harder to determine whether there is a house at
a particular street address if you can't get past the gate (router), but
once someone is inside the gate (perhaps invited by a resident or by
tunnelling under the fence) they can access your house just as easily -
so you should still use locks.
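The reply's point that the header carries no guarantee of validity is what a receiving application has to build around. Below is an added example, not part of the thread, showing how a server should treat X-Forwarded-For: drop entries that are not IP addresses at all, and believe only the hops appended by proxies the server operator controls (the `trusted_proxies` networks are an assumption of the example).

```python
"""Added example (not from the original mailing-list thread): treating the
X-Forwarded-For header that Squid adds with forwarded_for on as untrusted
input.  The trusted proxy networks below are an assumption for illustration."""
import ipaddress


def parse_xff(header):
    """Split an X-Forwarded-For value into hops, keeping only entries that
    parse as IP addresses.  Free text such as a quotation is silently dropped,
    since the header is unofficial and may contain anything."""
    hops = []
    for raw in (header or "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            hops.append(ipaddress.ip_address(raw))
        except ValueError:
            continue  # not an address: ignore rather than fail the request
    return hops


def effective_client(peer_addr, xff_header, trusted_proxies):
    """Return the client address a server should attribute a request to.

    peer_addr       - address of the TCP peer (a proxy, or the client itself)
    xff_header      - raw X-Forwarded-For value, or None
    trusted_proxies - CIDR networks whose appended hops are believed (assumed)

    Walk the chain from the right (the hop nearest to us) and stop at the first
    address that is not one of our own proxies.  Hops further left were written
    by parties we do not control, so they are ignored.  If the TCP peer itself
    is not a trusted proxy, the whole header is ignored and the peer is the
    client, which is the correct view for a remote site receiving a Squid
    user's 192.168.x.x address."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_addr)
    if not is_trusted(current):
        return str(current)
    for hop in reversed(parse_xff(xff_header)):
        if not is_trusted(hop):
            return str(hop)
        current = hop
    return str(current)
```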