Re: Hole in my thinking

[Chris Robertson <crobertson@xxxxxxx>]

Bobby wrote:
> On Thursday 07 June 2007 20:01:02 Chris Robertson wrote:
>   
> > Bobby wrote:
> >     
> > > Hi List,
> > >
> > >       
SNIP

> > > # Each src file has a list of internal IP's, and each dst file
> > > #has a list of domains they can visit.
> > > acl operators-src src "/etc/squid/T_operators"
> > > acl operators-dst dst "/etc/squid/T_operators-http"
> > >       
> > Hard to diagnose a problem without knowing what the contents of these
> > files are...
> >     
>
> Either RFC 1918 network addresses (172.16.10.nn) in -src files, or routable 
> IP's of websites in -dst files.
>   

Had I read more closely, I would have noticed "list of  domains" 
regarding the dst ACL.  That would cause problems.  See below.

>   
> > > acl managers-src src "/etc/squid/T_managers"
> > > acl managers-dst dst "/etc/squid/T_managers-http"
> > > acl servers-src src "/etc/squid/T_servers"
> > > acl servers-dst dst "/etc/squid/T_servers-http"
> > > acl finance-src src "/etc/squid/T_finance"
> > > acl finance-dst dst "/etc/squid/T_finance-http"
> > > acl admins-src src "/etc/squid/T_admins"
> > > acl admins-dst dst all
> > >       

SNIP

> > > acl clients src 0.0.0.0/0.0.0.0
> > > acl client-http dst 172.16.10.3
> > >
> > > http_access allow managers-src managers-dst
> > > http_access allow operators-src operators-dst
> > > http_access allow admins-src admins-dst
> > > http_access allow servers-src servers-dst
> > > http_access allow finance-src finance-dst
> > > http_access allow clients client-http
> > >
> > > http_access deny all
> > > http_reply_access deny all


SNIP

> In the end do you see any reason why operators can get out but not servers?
>
> T_admins =
> 172.16.10.15
> 172.16.10.21
> 172.16.10.25
>
> T_admins-http =
> 0.0.0.0
>
> T_finance =
> 172.16.10.146
> 172.16.10.76
>
> T_finance-http =
> adobe.com
> amsouth.com
> anywho.com
> arin.net
>
>   

I don't see how anyone (other than the admins) is getting out (anywhere 
but 172.16.10.3).  :o)  The dst ACL is expecting an IP address.  To use 
domains, you should be using dstdomain (and if you want to be 
permissive, you should lead each of those domains with a period,*).

Chris

* Prepending a period to the domain of a dstdomain ACL will match the 
domain and any sub domain.   For example, acl dstdomain yahoo.com would 
not match www.yahoo.com, but acl dstdomain .yahoo.com would.