> Quick question for you all. Would it be possible to use squid, in part, > as a Terms of Service portal? In other words, using an external_acl > helper, return OK if IP/MAC has accepted, or redirect if not? I would > love to use the wccpv2/gre tunnel and the fault tolerance built in to > eliminate a failure point by using a bridged or router acl solution. > I've played around with PFSense and M0n0wall and they don't really work > with our network/dhcp structure. We serve two different wireless > technologies and vlaning kills any of these options. We want only new > customers to get caught, but all customers to pass through in the event > of hardware failure. I looked at a solution FrontPorch offers and it's > pretty slick. They have both an inline and passive solution. The > inline uses a proprietary NIC that has a solenoid that trips in the > event of a hardware failure creating a hardwire connection. The passive > solution somehow uses communication with the router to redirect. They > mirror tcp traffic and I don't know what else. Anyway, I got a little > long winded there. Any thoughts? Thanks guys.. > > Tony > Theoretically yes. You will need to test and see if it works for you in practice. The problem is that the tcp_outgoing_tos selection ACL in Squid can only work from cached external_acl results. (It would require a small re-code of the outbound connection pathway to alter that). BUT, the external ACL can be used in http_access to permit access into squid at the point of receiving. So the result can be cached by that lookup. For src-IP its just peachy. For MAC the machines need to be directly on the same switch or arp-relay enable across the network, for ARP lookups to work. Amos
