Re: [squid-users] Are these acl / http_access correct ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 22 Jul 2009 17:06:50 +1200

On Tue, 21 Jul 2009 07:16:36 -0700 (PDT), danifty <danifty_at_gmail.com>
wrote:
> Hi all,
>
> I'm fairly new to squid, and I'm trying to configure it for filtering web
> access from multiple vlans, allowing some of them to go to some
> destinations
> (and nowhere else), and others to go to other destinations, etc. All
> other vlans are allowed to go everywhere (I hope this is clever... I'm
> French... sorry! :-))
>
> Here is how I think it can be done... but I have doubts. Could you please
> tell me if this is good, and if not, could you explain to me what to do to
> have a correct filtering configuration.
>
> Thanks a lot!
>
> ################################################
> ### SOURCES ###
> # [VLAN 1]
> acl src_vlan_1 src 192.168.1.0/24
>
> # [VLAN 2]
> acl src_vlan_2 src 192.168.2.0/24
>
> # [All VLANs]
> acl all src all

Your idea here is slightly broken.

"all" means the whole Internet. When defined like this, it means any source on
the Internet.

Best use:
 # [All VLANs]
 acl Tous_VLANs src 192.168.0.0/16

(NP: that covers all vlans inside 192.168.*.0/24. Add other ranges as
needed to the list)

>
> ################################################
>
> ### DESTINATIONS ###
> # [VLAN 1]
> acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
>
> # [VLAN 2]
> acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
>
> # [All destinations]
> acl ALL_INTERNET dst 0.0.0.0/32

Broken. This only permits if the _single_ IP 0.0.0.0 is requested.
And it requires a destination IP lookup before anything can be done.

Best use the "all" ACL defined above instead.

# [All Internet]
acl all src all

>
> ################################################
>
> ### AUTHORISATIONS ###
>
> # VLAN 1
> http_access allow dst_VLAN1_SITES src_vlan_1
> http_access deny src_vlan_1 ALL_INTERNET
>

http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1

> # VLAN 2
> http_access allow dst_VLAN2_SITES src_vlan_2
> http_access deny src_vlan_2 ALL_INTERNET

http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2

>
> http_access allow all ALL_INTERNET

Means any source on the Internet can go to any destination on the Internet
through your proxy.

Definitely NOT a good idea.

Please use:
  http_access allow Tous_VLANs
  http_access deny all

Amos
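The point of the reply above is how Squid evaluates http_access lines: top to bottom, every ACL on a line must match, the first matching line decides, and when nothing matches the result is the opposite of the last line. The following Python model is an added illustration written for this archive page; it is not Squid code and not part of Amos's or danifty's messages. It models only the `src`, `dst` and `dstdomain` ACL types used in the thread, and the client addresses, hostnames and resolved server addresses it feeds in are constructed samples. It runs the corrected configuration and the "allow all" variant against the same requests so the open-proxy outcome, and the effect of `dst 0.0.0.0/32`, can be seen directly.

```python
"""Model of Squid's http_access evaluation for the ACL sets in this thread.

Added illustration, not Squid code. Semantics modelled (from the squid.conf
documentation): http_access lines are checked top to bottom; every ACL named
on a line must match (AND); the first matching line decides; if no line
matches, the result is the opposite of the last line's action.
"""
import ipaddress


class Acl:
    """One named ACL. Only the types used in the thread: src, dst, dstdomain."""

    def __init__(self, name, kind):
        self.name, self.kind, self.values = name, kind, []

    def add(self, tokens):
        for tok in tokens:
            if self.kind in ("src", "dst"):
                # "all" is Squid's shorthand for the whole IPv4 address space
                net = "0.0.0.0/0" if tok == "all" else tok
                self.values.append(ipaddress.ip_network(net, strict=False))
            else:
                self.values.append(tok.lower())

    def matches(self, req):
        if self.kind == "src":
            return any(ipaddress.ip_address(req["src"]) in n for n in self.values)
        if self.kind == "dst":
            # dst compares against the resolved server address, so Squid has to
            # do a DNS lookup before this ACL can be decided at all.
            return any(ipaddress.ip_address(req["dst_ip"]) in n for n in self.values)
        host = req["host"].lower()
        for dom in self.values:
            if dom.startswith("."):
                # ".google.fr" matches google.fr and every subdomain of it
                if host == dom[1:] or host.endswith(dom):
                    return True
            elif host == dom:
                return True
        return False


def parse(conf):
    """Parse acl / http_access lines into ACL objects and an ordered rule list."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, *vals = words[1:]
            acls.setdefault(name, Acl(name, kind)).add(vals)
        elif words[0] == "http_access":
            action, *names = words[1:]
            rules.append((action, names))
        else:
            raise ValueError("unsupported directive: " + line)
    return acls, rules


def decide(conf, req):
    """Return 'allow' or 'deny' for one request under the given config."""
    acls, rules = parse(conf)
    for action, names in rules:
        # every ACL on the line must match; an undefined name is a fatal
        # config error in Squid, here it surfaces as a KeyError
        if all(acls[n].matches(req) for n in names):
            return action
    # no line matched: Squid takes the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(src, host, dst_ip):
    """Constructed request: client address, Host header, resolved server IP."""
    return {"src": src, "host": host, "dst_ip": dst_ip}


# The configuration as corrected in the reply above (names kept as in the thread).
CORRECTED = """
acl src_vlan_1 src 192.168.1.0/24
acl src_vlan_2 src 192.168.2.0/24
acl Tous_VLANs src 192.168.0.0/16
acl all src all
acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1
http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2
http_access allow Tous_VLANs
http_access deny all
"""

# Same rules, but ending in "allow all": the open-proxy variant warned about.
OPEN_PROXY = CORRECTED.replace(
    "http_access allow Tous_VLANs\nhttp_access deny all", "http_access allow all")


if __name__ == "__main__":
    for conf_name, conf in (("corrected", CORRECTED), ("open proxy", OPEN_PROXY)):
        for req in (request("192.168.1.10", "www.google.fr", "198.51.100.1"),
                    request("192.168.1.10", "www.voila.fr", "198.51.100.2"),
                    request("192.168.7.10", "example.net", "198.51.100.3"),
                    request("203.0.113.9", "example.net", "198.51.100.3")):
            print(conf_name, req["src"], "->", req["host"], decide(conf, req))
```

The `ALL_INTERNET` ACL from the question can be checked the same way: `parse("acl ALL_INTERNET dst 0.0.0.0/32")` produces an ACL that matches only a request whose resolved server address is exactly 0.0.0.0, which is why the corrected rules end with `deny all` and a plain `allow Tous_VLANs` instead.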
Received on Wed Jul 22 2009 - 05:06:56 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 22 2009 - 12:00:05 MDT