Re: [squid-users] ACL named "all"

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 26 Jul 2008 17:11:20 +1200

Leonardo Rodrigues Magalhães wrote:
>
>
> Jorge Bastos wrote:
>> Hi people,
>>
>> Since the first 3.0 version I've noticed this:
>> 2008/07/25 21:56:24| WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of
>> '192.168.1.0/255.255.255.0'
>> 2008/07/25 21:56:24| WARNING: because of this
>> '192.168.1.0/255.255.255.0' is
>> ignored to keep splay tree searching predictable
>> 2008/07/25 21:56:24| WARNING: You should probably remove
>> '0.0.0.0/0.0.0.0'
>> from the ACL named 'all'
>>
>> But now I saw in the STABLE8 version changelog:
>> - Update Release Notes: 'all' ACL is built-in since 3.0.STABLE1
>>
>> So, how should I remove this warning?
>>
>>
>
> In squid 3.0 the 'all' acl is built-in. So if you try to define it in
> your squid.conf, then you'll be redefining an already defined ACL.
>
> How to remove the warning? Simply remove the 'acl all src
> 0.0.0.0/0.0.0.0' line from your squid.conf! Defining this ACL is no
> longer necessary in squid 3.0 STABLE1 and newer.
>

Adding to that ... It looks like whoever configured your squid used
'all' (whole internet) when they really meant local-network. This has
serious security implications, which is part of why it's now built-in.

In addition to removing the 'all' ACL definition from your squid.conf, you
in particular need to audit your config access lines to make sure they
still perform according to your policies.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
Received on Sat Jul 26 2008 - 05:11:17 MDT
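
One way to run the audit described in the reply above, as an added example that is not part of the original message or of Squid itself. The sample squid.conf and the function name `audit_squid_conf` are constructed for illustration; the script lists every redefinition of the built-in 'all' ACL and every allow rule that references it, so each can be reviewed against policy.

```python
# Constructed sample squid.conf (not from the original post), shaped like the
# case in the thread: 'all' redefined with a LAN range and then used in allow rules.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl all src 192.168.1.0/255.255.255.0
acl localnet src 192.168.1.0/255.255.255.0
acl manager proto cache_object
http_access allow manager all
http_access allow localnet
icp_access allow all
http_access deny !localnet
http_access deny all
"""

def audit_squid_conf(text):
    """Return (redefinitions, risky_rules) as lists of (line_number, line)."""
    redefinitions, risky_rules = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        # Simplification: treat everything after '#' as a comment.
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        line = " ".join(tokens)
        # 'all' is built in since 3.0.STABLE1; any 'acl all ...' line redefines it.
        if tokens[0] == "acl" and len(tokens) > 1 and tokens[1] == "all":
            redefinitions.append((number, line))
            continue
        if not tokens[0].endswith("_access"):
            continue
        # The action is normally the 2nd token; cache_peer_access puts a peer name first.
        for i in (1, 2):
            if i < len(tokens) and tokens[i] in ("allow", "deny"):
                action, acls = tokens[i], tokens[i + 1:]
                break
        else:
            continue  # no allow/deny found, not an access rule we understand
        # ACLs on one line are ANDed. A plain 'all' matches every source address,
        # so an allow rule is only as narrow as the other ACLs beside it.
        if action == "allow" and "all" in acls:
            risky_rules.append((number, line))
    return redefinitions, risky_rules

if __name__ == "__main__":
    redefs, risky = audit_squid_conf(SAMPLE_CONF)
    for n, l in redefs:
        print(f"line {n}: remove redefinition of built-in ACL: {l}")
    for n, l in risky:
        print(f"line {n}: allow rule uses 'all' (whole internet), review: {l}")
```

Rules flagged by the second list are candidates for replacing 'all' with a dedicated local-network ACL such as the `localnet` name assumed in the sample.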
