Re: [squid-users] Hole in my thinking

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 08 Jun 2007 10:15:38 -0800

Bobby wrote:
> On Thursday 07 June 2007 20:01:02 Chris Robertson wrote:
>
>> Bobby wrote:
>>
>>> Hi List,
>>>
>>>
SNIP

>>> # Each src file has a list of internal IP's, and each dst file
>>> #has a list of domains they can visit.
>>> acl operators-src src "/etc/squid/T_operators"
>>> acl operators-dst dst "/etc/squid/T_operators-http"
>>>
>> Hard to diagnose a problem without knowing what the contents of these
>> files are...
>>
>
> Either RFC 1918 network addresses (172.16.10.nn) in -src files, or routable
> IP's of websites in -dst files.
>

Had I read more closely, I would have noticed "list of domains"
regarding the dst ACL. That would cause problems. See below.

>
>>> acl managers-src src "/etc/squid/T_managers"
>>> acl managers-dst dst "/etc/squid/T_managers-http"
>>> acl servers-src src "/etc/squid/T_servers"
>>> acl servers-dst dst "/etc/squid/T_servers-http"
>>> acl finance-src src "/etc/squid/T_finance"
>>> acl finance-dst dst "/etc/squid/T_finance-http"
>>> acl admins-src src "/etc/squid/T_admins"
>>> acl admins-dst dst all
>>>

SNIP

>>> acl clients src 0.0.0.0/0.0.0.0
>>> acl client-http dst 172.16.10.3
>>>
>>> http_access allow managers-src managers-dst
>>> http_access allow operators-src operators-dst
>>> http_access allow admins-src admins-dst
>>> http_access allow servers-src servers-dst
>>> http_access allow finance-src finance-dst
>>> http_access allow clients client-http
>>>
>>> http_access deny all
>>> http_reply_access deny all

SNIP

> In the end do you see any reason why operators can get out but not servers?
>
> T_admins =
> 172.16.10.15
> 172.16.10.21
> 172.16.10.25
>
> T_admins-http =
> 0.0.0.0
>
> T_finance =
> 172.16.10.146
> 172.16.10.76
>
> T_finance-http =
> adobe.com
> amsouth.com
> anywho.com
> arin.net
>
>

I don't see how anyone (other than the admins) is getting out (anywhere
but 172.16.10.3). :o) The dst ACL is expecting an IP address. To use
domains, you should be using dstdomain (and if you want to be
permissive, you should lead each of those domains with a period*).

Chris

* Prepending a period to the domain of a dstdomain ACL will match the
domain and any subdomain. For example, acl dstdomain yahoo.com would
not match www.yahoo.com, but acl dstdomain .yahoo.com would.
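The two points in the reply above (a `dst` list has to hold IP addresses, and a `dstdomain` entry only covers subdomains when it starts with a period) can be checked outside Squid. The script below is an added example, not Squid code and not from anyone on the thread: it lints the quoted `T_finance-http` list for entries that a `dst` ACL cannot use, models the `dstdomain` matching rule described in the footnote, and rewrites a domain list into the leading-period form. `T_FINANCE_HTTP` is reconstructed from the post; the other sample inputs are constructed here for illustration.

```python
"""Model of Squid's dstdomain matching rule plus a lint pass over the
domain list files quoted on the thread.  Added example; not Squid code.
The matching rule implemented here is the one the footnote describes:
'yahoo.com' matches only yahoo.com, '.yahoo.com' matches yahoo.com and
every subdomain of it."""
import ipaddress

# Reconstructed from the thread: this file was referenced by a `dst` ACL,
# which compares against the destination IP, so none of these lines can
# ever match a request.
T_FINANCE_HTTP = """adobe.com
amsouth.com
anywho.com
arin.net
"""


def _entries(text):
    """Non-empty, non-comment lines of a Squid list file, stripped."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def is_ip_entry(entry):
    """True if the entry is an IP address or network, i.e. usable by `dst`."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def lint_dst_list(text):
    """Return the entries of a `dst` list file that are not IP addresses.
    Anything returned here is a hostname that needs a dstdomain ACL."""
    return [e for e in _entries(text) if not is_ip_entry(e)]


def dstdomain_matches(pattern, host):
    """dstdomain semantics per the footnote, compared case-insensitively.
    A leading period makes the pattern match the domain itself and any
    subdomain; without it the pattern matches the exact host only."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def hosts_allowed(patterns, hosts):
    """Map each requested host to whether any pattern in the list allows it."""
    return {h: any(dstdomain_matches(p, h) for p in patterns) for h in hosts}


def to_permissive(text):
    """Rewrite a domain list so every domain carries the leading period,
    which is what 'permissive' means in the reply.  Comments, blank lines
    and entries that already start with a period are left alone."""
    out = []
    for line in text.splitlines():
        e = line.strip()
        if not e or e.startswith("#") or e.startswith("."):
            out.append(e)
        else:
            out.append("." + e)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = lint_dst_list(T_FINANCE_HTTP)
    print("entries unusable in a dst ACL:", bad)
    # Constructed requests to show the difference the leading period makes.
    requests = ["www.adobe.com", "adobe.com", "whois.arin.net", "example.org"]
    print("exact list  :", hosts_allowed(_entries(T_FINANCE_HTTP), requests))
    fixed = to_permissive(T_FINANCE_HTTP)
    print("dotted list :", hosts_allowed(_entries(fixed), requests))
```

With the list rewritten this way, the ACL line becomes `acl finance-dst dstdomain "/etc/squid/T_finance-http"` (the same file name the post uses, with `dstdomain` in place of `dst`), and the same change applies to the other `-http` lists. After editing, `squid -k parse` reports syntax problems in the ACL definitions before the running proxy is reconfigured.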

Received on Fri Jun 08 2007 - 12:15:52 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT