-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: Monday, December 08, 2003 3:32 PM
To: Viorel Serbu
Subject: Re: [squid-users] restricting access by MAC
On Monday 08 December 2003 1:22 pm, Viorel Serbu wrote:
> Hi All
> I tryed to restrict internet access using acl arp in the squid.conf, but
it
> doesnt work.
> I put in the squid.conf the following lines
>
> acl lanaccess arp 00:20:E0:6F:FF:8D 00:50:FC:B4:22:68 00:06:4F:05:28:AD
> http_access allow lanaccess
>
> just before the existing - http_access deny all
>
> I restarted the squid but nothing happens. Everybody can access the
> internet (through proxy) like before, no matter its MAC.
1. What other http_access controls do you have (is there another one, maybe
earlier than those you've shown here, allowing by IP address perhaps)?
---------- all http_access are the following:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
acl lanaccess arp 00:20:e0:6f:ff:8d 00:50:fc:b4:22:68 00:06:4f:05:28:ad
00:0a:e6:c5:c8:27
http_access allow lanaccess1
http_access deny all
-------------- exactly in that order
2. Are the clients with the MAC addresses you're trying to restrict directly
connected on the same subnet as the Squid proxy (ie not through some other
router)?
------------ yes, its a single netork 192.168.1.0/24
3. If you do a broadcast ping from the Squid proxy, what do you then see as
the output of "arp -an"? (Ping 192.168.1.255 or whatever your network
broadcast address is).
------------------- this is arp -an
? (192.168.1.35) at 00:30:4F:21:FC:86 [ether] on eth0
? (192.168.1.43) at 00:50:FC:E3:B6:81 [ether] on eth0
? (192.168.1.100) at 00:50:FC:B4:22:68 [ether] on eth0
? (192.168.1.88) at 00:0A:E6:63:49:8D [ether] on eth0
? (192.168.1.28) at 00:02:44:4B:71:92 [ether] on eth0
------------------ there are only 5 because not all the computers in the
network are started
4. What Operating System are you running Squid under?
------------ SuSE 8.2
Antony.
-- If at first you don't succeed, destroy all the evidence that you tried. Please reply to the list; please don't CC me.Received on Mon Dec 08 2003 - 09:27:32 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:07 MST