Talk about squid in README
This commit is contained in:
parent
ebe5a5ae7f
commit
0f417ec561
@ -78,7 +78,7 @@ disable forking. Seccomp is used to limit available system calls to only those
actually needed. Installing the cjdns-selinux package installs a targeted
actually needed. Installing the cjdns-selinux package installs a targeted
selinux policy that also restricts what the privileged process can access.
selinux policy that also restricts what the privileged process can access.
##Routing security
### Routing security
If cjdns is not running, cjdns packets will get routed in plaintext
If cjdns is not running, cjdns packets will get routed in plaintext
to your default gateway by default. An attacker could then play
to your default gateway by default. An attacker could then play
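Review bot: the heading fix is correct: `##Routing security` with no space after the hashes does not render as a heading in CommonMark-style renderers, and `### ` places it at the same level as the `### Application security` subsection added later in this commit, one level below `## Advanced config`. Nothing else to flag in this hunk.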
@ -86,7 +86,24 @@ man-in-the-middle. If your default gateway is running cjdns, this
could even happen accidentally.
could even happen accidentally.
This can be blocked by restricting ```fc00::/8``` to the interface
This can be blocked by restricting ```fc00::/8``` to the interface
used by cjdroute in the firewall.
used by cjdroute in the firewall. An even simpler solution is
to not have a "default" route. Instead route ```2000::/3``` to your
gateway. All globally routable ips begin with ```001``` as the first
three bits.
### Application security
The squid cache package default config allows ```fc00::/7``` unrestricted
access to the proxy. If the proxy port is not otherwise firewalled,
you probably want to change this to ```fd00::/8``` when using cjdns
on the proxy server. Apart from that default config, squid works very
well with cjdns - you can allow specific cjdns ips unrestricted access:
```
acl adultpcs src fc25:dede:dede:dede:dede:dede:dede:dede
acl adultpcs src fc37:daaa:daaa:daaa:daaa:daaa:daaa:daaa
http_access allow adultpcs
```
## Advanced config
## Advanced config
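Review bot: the squid snippet in the new "Application security" paragraph only works if `http_access allow adultpcs` sits above the stock `http_access deny all` rule (and above any `localnet` rule that would already match those hosts), because squid evaluates `http_access` lines in order and stops at the first match; the README should say where to put it rather than leaving the reader to paste it at the end of squid.conf, where it is dead. The two `acl adultpcs src ...` lines are fine, since squid merges repeated entries under one ACL name. It would also help to name the line being narrowed for the `fc00::/7` problem, which in the default squid.conf is the `acl localnet src fc00::/7` entry that the text is asking readers to change to `fd00::/8`. For the routing advice, replacing the default route with `2000::/3` does stop plaintext leaks of `fc00::/8` traffic (the `001` first-bits statement matches the IANA global unicast allocation), but it also drops traffic to any `fd00::/8` ULA hosts the gateway used to reach, so a sentence noting that LANs using ULA addressing need an extra route for their prefix would save support questions.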