On Wed, 9 Jul 1997, Kip DeGraaf wrote:
> Suppose I have a host who is using ICP access to me that I don't want. At
> the moment I don't want to go into a deny all mode because we are slowly
> building a little hierarchy and I don't want to have to change the acl's
> every time someone wants to test things out, but I do want to restrict this
> one host from accessing us. Below you will find our acl definitions.
> However the host still can do ICP. What did I do wrong?
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
> acl impolite src aaa.bbb.ccc.ddd/255.255.255.255 (ip hidden to protect the
> guilty)
> acl SSL_ports port 443 563
> acl CONNECT method CONNECT
> http_access deny manager !localhost
> http_access deny CONNECT !SSL_ports
> http_access allow all
> icp_access allow all
> icp_access deny impolite

Try putting this above the allow all. Just a guess, based on firewalling
principles.

> miss_access allow all
>
_________________________________________________________
Malcolm Garbutt
Network Operations-
MILDURA.NET MURRAY.NET
Office Ph. 03 50 212 991 Office Fax 03 50 212 932
Emergency Ph. 018 596 150
.....Bringing the World to You......
_________________________________________________________
Received on Wed Jul 09 1997 - 16:57:01 MDT
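
Why the order of the two icp_access lines matters, as an added example (not part of the original thread and not Squid's own code): a minimal model of first-match evaluation, in which the first line whose ACLs all match decides the request. The address 192.0.2.10 is a constructed stand-in for the hidden host, and `parse` and `decide` are hypothetical helpers; the fall-through default (opposite of the last line) follows Squid's documented behaviour.

```python
import ipaddress

def parse(config):
    """Return (src ACLs by name, icp_access rules in file order)."""
    acls, rules = {}, []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # addr/netmask form, as used in the post
            acls[tok[1]] = ipaddress.ip_network(tok[3], strict=False)
        elif len(tok) >= 3 and tok[0] == "icp_access":
            rules.append((tok[1], tok[2:], line.strip()))
    return acls, rules

def decide(config, client_ip):
    """Return (allowed, deciding line) for an ICP query from client_ip.

    Assumes the config holds at least one icp_access line."""
    acls, rules = parse(config)
    ip = ipaddress.ip_address(client_ip)
    for action, names, text in rules:
        # Every ACL named on a line must match (AND); a leading "!" negates.
        if all((ip in acls[n.lstrip("!")]) != n.startswith("!") for n in names):
            return action == "allow", text      # first match wins, stop here
    # No line matched: the default is the opposite of the last line.
    return rules[-1][0] == "deny", "(default)"

# Constructed sample input; 192.0.2.10 stands in for aaa.bbb.ccc.ddd.
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl impolite src 192.0.2.10/255.255.255.255
"""
AS_POSTED = ACLS + "icp_access allow all\nicp_access deny impolite\n"
REORDERED = ACLS + "icp_access deny impolite\nicp_access allow all\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for src in ("192.0.2.10", "198.51.100.7"):
            allowed, line = decide(cfg, src)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{label:9} {src:13} {verdict:5} via {line}")
```

With the lines as posted, "allow all" matches every source first, so the deny line is never reached; with the deny line first, only the one host is refused.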