Re: [squid-users] Are these acl / http_access correct ?

From: danifty <danifty_at_gmail.com>
Date: Tue, 29 Sep 2009 13:48:24 -0700 (PDT)

Amos,

Months later (sorry...) - many thanks for your explanations. I used them when
I needed to correct incoherent parameters, and Squid is now fully functional
on my network.

Thanks again.

DaNifty

Amos Jeffries-2 wrote:
>
> On Tue, 21 Jul 2009 07:16:36 -0700 (PDT), danifty <danifty_at_gmail.com>
> wrote:
>> Hi all,
>>
>> I'm fairly new to squid, and I'm trying to configure it for filtering web
>> access from multiple vlans, allowing some of them to go to some
>> destinations (and nowhere else), others to go to other destinations,
>> etc. All other vlans are allowed to go everywhere (I hope this is clever...
>> I'm French... sorry! :-))
>>
>> Here is how I think it can be done... but I have doubts. Could you please
>> tell me if this is good, and if not, could you explain to me what to do to
>> have a correct filtering configuration.
>>
>> Thanks a lot!
>>
>> ################################################
>> ### SOURCES ###
>> # [VLAN 1]
>> acl src_vlan_1 src 192.168.1.0/24
>>
>> # [VLAN 2]
>> acl src_vlan_2 src 192.168.2.0/24
>>
>> # [All VLANs]
>> acl all src all
>
> Your idea here is slightly broken.
>
> "all" means all Internet. When defined like this, it means any source on
> Internet.
>
> Best use:
> # [All VLANs]
> acl Tous_VLANs src 192.168.0.0/16
>
> (NP: that covers all vlans inside 192.168.*.0/24. Add other ranges as
> needed to the list)
>
>>
>> ################################################
>>
>> ### DESTINATIONS ###
>> # [VLAN 1]
>> acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
>>
>> # [VLAN 2]
>> acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
>>
>> # [All destinations]
>> acl ALL_INTERNET dst 0.0.0.0/32
>
> Broken. This only permits if the _single_ IP == "0.0.0.0" is requested.
> And it requires a destination IP lookup before anything can be done.
>
> Best use the "all" ACL defined above instead.
>
> # [All Internet]
> acl all src all
>
>>
>> ################################################
>>
>> ### AUTHORIZATIONS ###
>>
>> # VLAN 1
>> http_access allow dst_VLAN1_SITES src_vlan_1
>> http_access deny src_vlan_1 ALL_INTERNET
>>
>
> http_access allow dst_VLAN1_SITES src_vlan_1
> http_access deny src_vlan_1
>
>> # VLAN 2
>> http_access allow dst_VLAN2_SITE_CLIENT src_vlan_2
>> http_access deny src_vlan_2 ALL_INTERNET
>
> http_access allow dst_VLAN2_SITE_CLIENT src_vlan_2
> http_access deny src_vlan_2
>
>>
>> http_access allow all ALL_INTERNET
>
> Means any source on Internet can go to any destination on Internet through
> your proxy.
>
> Definitely NOT a good idea.
>
> Please use:
> http_access allow Tous_VLANs
> http_access deny all
>
> Amos
>
>
>

-- 
View this message in context: http://www.nabble.com/Are-these-acl---http_access-correct---tp24588523p25670649.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Tue Sep 29 2009 - 20:48:26 MDT
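The three rule sets discussed in this thread (the configuration as posted, the same configuration with ALL_INTERNET widened to every destination as the poster evidently intended, and Amos' corrected version), evaluated against a handful of sample requests with a small Python model of Squid's http_access semantics. This is an added example, not code from the thread or from the Squid project. It assumes the documented evaluation order (each http_access line matches only if all of its ACLs match, the first matching line decides, and when no line matches Squid applies the opposite of the last line's action), implements only the src, dst and dstdomain ACL types that appear above, and uses constructed client and destination addresses. The posted rules are reproduced with the defined name dst_VLAN2_SITES in place of the undefined dst_VLAN2_SITE_CLIENT, since Squid (and the model) rejects an http_access line that names an ACL that was never defined.

```python
# Toy model of Squid's http_access evaluation (added example; not Squid's code).
# Modelled: same-name acl lines accumulate values; an http_access line matches
# only if ALL its ACLs match; the first matching line decides; if none matches,
# Squid applies the opposite of the last line's action. Only the src, dst and
# dstdomain ACL types from the thread are implemented, plus "all" and "!".
import ipaddress


def parse(conf):
    """Parse acl/http_access lines into (acls, rules); other lines are ignored."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            for n in parts[2:]:
                if n.lstrip("!") not in acls:  # real Squid refuses to start here
                    raise ValueError("ACL name %r not defined" % n)
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _ip_in_any(ip, values):
    return any(v == "all" or ipaddress.ip_address(ip) in
               ipaddress.ip_network(v, strict=False) for v in values)


def acl_matches(acls, name, req):
    """req = (client IP, destination hostname, resolved destination IP)."""
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    src_ip, dst_host, dst_ip = req
    if kind == "src":
        hit = _ip_in_any(src_ip, values)
    elif kind == "dst":
        hit = _ip_in_any(dst_ip, values)
    elif kind == "dstdomain":  # ".example.com" covers example.com and subdomains
        hit = any(dst_host == v or (v.startswith(".") and
                  (dst_host == v[1:] or dst_host.endswith(v))) for v in values)
    else:
        raise ValueError("unsupported acl type %r" % kind)
    return hit != negate


def evaluate(acls, rules, req):
    """Return (action, reason) for one request under first-match semantics."""
    for i, (action, names) in enumerate(rules, 1):
        if all(acl_matches(acls, n, req) for n in names):
            return action, "http_access line %d" % i
    last = rules[-1][0]
    return "deny" if last == "allow" else "allow", "no match; opposite of last line"


def decisions(conf, requests):
    """Map each labelled request to its allow/deny outcome under conf."""
    acls, rules = parse(conf)
    return {k: evaluate(acls, rules, r)[0] for k, r in requests.items()}


# ACL definitions shared by all three variants (Tous_VLANs is unused by POSTED).
ACLS = """acl src_vlan_1 src 192.168.1.0/24
acl src_vlan_2 src 192.168.2.0/24
acl Tous_VLANs src 192.168.0.0/16
acl all src all
acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
"""
# As posted, except that the undefined dst_VLAN2_SITE_CLIENT is written as the
# defined dst_VLAN2_SITES so that the rules can be evaluated at all.
POSTED = ACLS + """acl ALL_INTERNET dst 0.0.0.0/32
http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1 ALL_INTERNET
http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2 ALL_INTERNET
http_access allow all ALL_INTERNET
"""
# What ALL_INTERNET was evidently meant to be: every destination address.
INTENDED = POSTED.replace("dst 0.0.0.0/32", "dst 0.0.0.0/0")
# Amos' corrected rules.
CORRECTED = ACLS + """http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1
http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2
http_access allow Tous_VLANs
http_access deny all
"""
# Constructed sample requests: (client IP, hostname, resolved destination IP).
REQUESTS = {
    "vlan1->google": ("192.168.1.10", "www.google.fr", "198.51.100.1"),
    "vlan1->voila": ("192.168.1.10", "www.voila.fr", "198.51.100.2"),
    "vlan2->voila": ("192.168.2.10", "www.voila.fr", "198.51.100.2"),
    "vlan3->voila": ("192.168.3.10", "www.voila.fr", "198.51.100.2"),
    "internet->google": ("203.0.113.5", "www.google.fr", "198.51.100.1"),
}
```

Running decisions(POSTED, REQUESTS) shows that the posted rules never match ALL_INTERNET, so the two deny lines do nothing and every request outside the two allow lines falls through to the implicit default (deny, because the last line is an allow); the proxy only stays closed by accident. decisions(INTENDED, REQUESTS) shows what happens once ALL_INTERNET matches real destinations: the final "allow all ALL_INTERNET" line lets the outside client through, which is the open-proxy outcome Amos warns about. decisions(CORRECTED, REQUESTS) gives the intended result for every request and ends with an explicit "deny all", so nothing depends on the default.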