[H-GEN] Squid forwarded_for option

David Duffy (AVD) david at audiovisualdevices.com.au
Wed Jan 21 20:26:44 EST 2009


Ted Percival wrote:
> David Duffy (AVD) wrote:
>> Ted Percival wrote:
>>> David Duffy (AVD) wrote:
>>>> I have a Debian server with squid running. The forwarded_for option was
>>>> turned on by default. I have now turned it off. Was there any inherent
>>>> security problem with outside people knowing the internal IP address of
>>>> the (Windows) boxes? This server does have firewall rules in place.
>>>
>>> There is only a problem if you believe in security through obscurity.
>>
>> So, what you're saying is that it poses no additional threat? i.e. A
>> properly configured server will be equally as effective whether or not
>> the forwarded_for option is turned on.
>
> I guess you can draw an analogy with
> street addresses. You can hide your street address all you like, but
> it's trivial to determine whether there is a house at a particular
> address. If you want to make it hard for a burglar to break in, you need
> real security in the form of locks. This analogy extends reasonably for
> non-publicly routable IP addresses too: consider a gated community. It's
> a little harder to determine whether there is a house at a particular
> street address if you can't get past the gate (router), but once someone
> is inside the gate (perhaps invited by a resident or by tunnelling under
> the fence) they can access your house just as easily - so you should
> still use locks.

Ah, that makes sense. Thanks for taking the time to explain it.

I was concerned as an "expert" had remarked on how bad it was to have
forwarded_for turned on. This came up during the course of some log
checking (on his server), when we were investigating why I could not
connect to his public web server.

He went on to say that with the extra information (forwarded_for) squid
was giving out, it would enable him to easily enter our network. This
all sounded like horse sh*t to me but I'm not a server / security
expert, so I turned forwarded_for off and restarted squid.

So, it's looking like the "expert" concerned doesn't know as much as he
thought he did. He does seem knowledgeable, but maybe he has some holes
in that knowledge?
David...

-- 
___________________________________________
David Duffy        Audio Visual Devices P/L
Unit 8, 10 Hook St, Capalaba 4157 Australia
Ph: +61 7 38235717      Fax: +61 7 38234717
Our Web Site: www.audiovisualdevices.com.au
___________________________________________
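The thread never shows what an outside web server actually receives from a Squid proxy, which is the thing worth checking before deciding whether forwarded_for matters to you. The script below is an added example, not code from the list or from the Squid project: it parses the raw request headers an external server would see and reports which internal (RFC 1918, loopback, link-local, IPv6 ULA) client addresses are disclosed in X-Forwarded-For. The three sample requests are constructed; their header shapes follow Squid's documented forwarded_for modes (`on` sends the client IP, `off` sends the literal value `unknown`, and in Squid 3.1+ `delete` omits the header entirely). The hostnames and the "(squid)" Via comment are placeholders.

```python
"""Report what a Squid proxy discloses about internal clients in outbound requests.

Added example (not from the mailing list thread). Feed it the raw request
headers captured on an external server you control; it flags internal
addresses carried in X-Forwarded-For. Sample requests below are constructed.
"""
import ipaddress
from typing import Dict, List

# Ranges that identify hosts inside your own network and carry no meaning
# outside it. Listed explicitly rather than via ipaddress.is_private, which
# would also match the documentation ranges used in the samples.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed samples: the same client request as seen by an external server
# under different squid.conf "forwarded_for" settings. Hostnames are placeholders.
SAMPLE_FORWARDED_FOR_ON = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "X-Forwarded-For: 192.168.1.23\r\n"          # forwarded_for on: real client IP
    "Via: 1.1 proxy.lan.invalid (squid)\r\n"
    "\r\n"
)
SAMPLE_FORWARDED_FOR_OFF = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "X-Forwarded-For: unknown\r\n"               # forwarded_for off: literal "unknown"
    "Via: 1.1 proxy.lan.invalid (squid)\r\n"
    "\r\n"
)
SAMPLE_FORWARDED_FOR_DELETE = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"              # forwarded_for delete: header absent
    "Via: 1.1 proxy.lan.invalid (squid)\r\n"
    "\r\n"
)
# An upstream proxy chain appends its own hop; only the first address is internal.
SAMPLE_CHAINED = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "X-Forwarded-For: 10.0.0.5, 203.0.113.9\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return lower-cased header name -> value for a raw HTTP request."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:           # skip the request line
        if not line:                             # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:                              # malformed line, ignore it
            continue
        name, value = name.strip().lower(), value.strip()
        # Repeated header fields are joined with a comma, as HTTP permits.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def forwarded_for_addresses(raw: str) -> List[str]:
    """Addresses listed in X-Forwarded-For; 'unknown' and non-address tokens are dropped."""
    addrs: List[str] = []
    for token in parse_headers(raw).get("x-forwarded-for", "").split(","):
        token = token.strip()
        if not token or token.lower() == "unknown":
            continue
        try:
            addrs.append(str(ipaddress.ip_address(token)))
        except ValueError:                       # e.g. garbage injected by a client
            continue
    return addrs


def disclosed_internal_addresses(raw: str) -> List[str]:
    """Subset of the X-Forwarded-For addresses that fall in an internal range."""
    return [
        a for a in forwarded_for_addresses(raw)
        if any(ipaddress.ip_address(a) in net for net in INTERNAL_NETS)
    ]


def exposure_report(raw: str) -> Dict[str, object]:
    """Summary of what the request reveals about the proxy and its clients."""
    return {
        "via": parse_headers(raw).get("via"),    # Via names the proxy host itself
        "x_forwarded_for": forwarded_for_addresses(raw),
        "internal_disclosed": disclosed_internal_addresses(raw),
    }


if __name__ == "__main__":
    for label, sample in (("on", SAMPLE_FORWARDED_FOR_ON),
                          ("off", SAMPLE_FORWARDED_FOR_OFF),
                          ("delete", SAMPLE_FORWARDED_FOR_DELETE),
                          ("chained", SAMPLE_CHAINED)):
        print(f"forwarded_for {label}: {exposure_report(sample)}")
```

Note that with `forwarded_for off` Squid still sends the header (with the value `unknown`) and still sends Via, so an external observer learns that a Squid proxy sits in the path and what it is called; only `delete` removes the X-Forwarded-For field, and `via off` is a separate directive. That is consistent with the thread's conclusion: the option controls what is disclosed, not whether the network is reachable.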