squid access-list

LY, Jan 1, 2001
Hi
I have a cache behind a PIX and I want to make an access-list for outbound traffic, so which ports must I open to allow outbound traffic?
 
...Not sure I follow. All outbound traffic is allowed by default. Do you have an access-list blocking some traffic? Probably the best way to start determining this is with a syslog server, watching what traffic gets dropped.

-gbiello
 
Hi
Yes, I want to block all outbound traffic except the traffic needed by Squid.
Thanks
 
You just need to permit the traffic you want; you don't have to deny traffic, because the PIX denies all traffic by default!
 
HI.

I suggest this:

Start by allowing only the minimum traffic that you need, which is outbound SMTP traffic from the mail server, outbound HTTP, HTTPS and FTP from the proxy, and outbound DNS from the internal DNS server. Something like this (the access-list name must be spelled the same on every line and in the access-group command, otherwise the lines end up in different lists):

access-list frominside permit tcp host DNSSERVER any eq 53
access-list frominside permit udp host DNSSERVER any eq 53
access-list frominside permit tcp host MAIL any eq smtp
access-list frominside permit tcp host PROXY any eq http
access-list frominside permit tcp host PROXY any eq https
access-list frominside permit tcp host PROXY any eq ftp
access-list frominside permit icmp any any
access-group frominside in interface inside
logging on
logging ....

Now use syslog messages (as gbiello suggested), your own knowledge of the network and common sense to troubleshoot and modify this list as needed.
PDM can help you manage it instead of the CLI.

Bye
Yizhar Hurwitz
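
The two replies above both say to apply a minimal permit list and then read the syslog deny messages to see what else is needed. Below is an added example of doing that step with a script; it is not code from the thread or from Cisco. It assumes the PIX logs ACL drops as message 106023 ("Deny proto src ifc:addr/port dst ifc:addr/port by access-group ...") and uses constructed log lines, host addresses and a constructed host-to-role table (which hosts are the PROXY, DNSSERVER, etc.). Denies from hosts that have a role become candidate access-list lines; denies from everything else are reported separately, because a workstation being denied direct outbound HTTP or DNS is exactly what the policy intends (it should be using Squid and the internal DNS server instead).

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of PIX message 106023.
# These are NOT from the thread; hosts, ports and timestamps are made up.
# The 302013 line is included to show that non-deny messages are ignored.
SAMPLE_SYSLOG = """\
Jan 01 2001 10:00:01 pix %PIX-4-106023: Deny tcp src inside:10.1.1.20/3301 dst outside:203.0.113.10/80 by access-group "frominside"
Jan 01 2001 10:00:02 pix %PIX-4-106023: Deny tcp src inside:10.1.1.20/3302 dst outside:203.0.113.11/80 by access-group "frominside"
Jan 01 2001 10:00:03 pix %PIX-4-106023: Deny udp src inside:10.1.1.20/1029 dst outside:198.51.100.53/53 by access-group "frominside"
Jan 01 2001 10:00:04 pix %PIX-4-106023: Deny udp src inside:10.1.1.2/1030 dst outside:198.51.100.53/53 by access-group "frominside"
Jan 01 2001 10:00:05 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/40001 dst outside:203.0.113.20/443 by access-group "frominside"
Jan 01 2001 10:00:06 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/40002 dst outside:203.0.113.21/443 by access-group "frominside"
Jan 01 2001 10:00:07 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/40003 dst outside:203.0.113.22/8080 by access-group "frominside"
Jan 01 2001 10:00:08 pix %PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.30/80 (203.0.113.30/80) to inside:10.1.1.5/40004 (192.0.2.5/1025)
"""

# Constructed role table: which inside hosts are allowed to talk out directly.
# In the thread these are the DNSSERVER, MAIL and PROXY placeholders.
ROLES = {"10.1.1.5": "PROXY", "10.1.1.2": "DNSSERVER", "10.1.1.3": "MAIL"}

# Assumed layout of the TCP/UDP variant of message 106023. The ICMP variant
# carries "type/code" instead of a port and is deliberately not matched.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict of fields per 106023 TCP/UDP deny line; other lines are skipped."""
    return [m.groupdict() for m in map(DENY_RE.search, text.splitlines()) if m]


def summarize(denies):
    """Count denies per (source host, protocol, destination port).

    Source ports are ephemeral and are dropped on purpose; what matters for a
    permit line is who is talking and to which service port.
    """
    return Counter((d["src"], d["proto"], d["dport"]) for d in denies)


def suggest_permits(summary, roles, acl_name="frominside"):
    """Split the deny summary into candidate permits and unexpected sources.

    Returns (candidates, unexpected):
      candidates: [(access-list line, role, deny count), ...] for hosts in `roles`
      unexpected: [(src, proto, dport, deny count), ...] for every other host,
                  which should be going through the proxy, not straight out.
    Both lists are ordered by deny count, highest first.
    """
    candidates, unexpected = [], []
    for (src, proto, port), count in sorted(summary.items(), key=lambda kv: (-kv[1], kv[0])):
        if src in roles:
            line = f"access-list {acl_name} permit {proto} host {src} any eq {port}"
            candidates.append((line, roles[src], count))
        else:
            unexpected.append((src, proto, port, count))
    return candidates, unexpected


if __name__ == "__main__":
    cands, unexp = suggest_permits(summarize(parse_denies(SAMPLE_SYSLOG)), ROLES)
    print("Candidate permits (review before applying):")
    for line, role, count in cands:
        print(f"  {line}    # {role}, {count} denies")
    print("Denied sources with no role (expected if they must use the proxy):")
    for src, proto, port, count in unexp:
        print(f"  {src} {proto}/{port}: {count} denies")
```

Treat the candidate lines as a review queue, not as something to paste in: a deny from the proxy to tcp/8080, for instance, means some site runs on a non-standard port, and permitting it for the PROXY host only keeps the rest of the network unable to bypass Squid. The deny from the DNS server on udp/53 is the case where a line you expected to be there is missing or misspelled, which the summary makes visible immediately.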
 