Squid.conf seems not to change much over recent versions, so these remarks probably apply to the .conf you are using. For the tag http_access, my .conf says:- "NOTE on default values: If there are no 'access' lines present, the default is to deny the request." This implies DENY BY DEFAULT which is a common convention in this context. However all following text contradicts that. e.g.:- "If none of the access lines causes a 'match', the default is the opposite of the last line in the list. If the last line was deny, then the default is allow. Conversly, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have an 'deny all' or 'allow all' entry at the end of your access lists to avoid POTENTIAL CONFUSION." Whilst this looks like English, it is not. "And finally deny all other access to this proxy. http_access deny all" If we deny by default, then we do not need this rule, because anything not specifically allowed is automatically denied. So is there a default behavior when no rule is matched? Can you share it with us? If you tell me it depends on the build, I will believe you. Thanks. John Sutherland Phone & Fax +61 2 4683 1511 9 Meryla Street, Couridjah NSW 2571 Australia