On Tue, 16 Jun 2009 16:14:27 +0200, Alberto Cappadonia
<alberto.cappadonia@xxxxxxxxx> wrote:
> Dear squid users,
>
> we are developing a Java-based tool to analyse content filtering rules
> (acl, http_access,...) for squid.
>
> The objective is to provide administrators with a tool able to help them
> in identifying potential mistakes in the squid configuration.
>
> More in detail, the aims are:
> - identifying conflicts and anomalies in squid configuration file
> - presenting anomalies to the administrators for further decisions
>   (e.g., mistakenly empty rules, acl intersection areas, hidden rules)
> - optimising rules by removing redundant or shadowed rules
>
> The conflict model is the geometric/algebraic one presented in this paper:
> http://security.polito.it/doc/pub_r/policy2008.pdf
>
> The tool fully supports basic set operations for all the acl types in
> squid v3.0 (IP addresses, ports, proto and all the ones based on regular
> expressions, ...).
>
>
> The workflow of the tool is briefly:
> - read and parse squid.conf for content filtering rules (internal
>   geometric rule representation)
> - analyse rules for potential conflicts and anomalies
> - interact with the administrators
> - export the optimised and anomaly-free squid.conf
>
>
> We finished the conflict detector and resolver engine, the parser and we
> are improving the GUI for reporting the anomalies to administrators. We
> guess we will have the beta version in a couple of weeks.
>
>
> We will be glad if you can give your opinion about the tool (especially
> about improvement and integrations) in order to make it as effective as
> possible. For this, if there is some developer/administrator that is
> interested in using/testing it (or at least providing us with a few real
> configuration files) it will be very useful.
>
> Regards,
> Cataldo Basile
> Alberto Cappadonia

Wonderful.

This will make a perfect companion to the online config validator I wrote
for 3.0 (and must get to upgrading again soon for 3.1).

Is the tool able to be published for general public use anywhere? If so I
can probably reference interested people to it.

Does it handle all the options that use "ACLlist"?

Amos
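
The kind of check the quoted announcement describes (finding rules hidden behind earlier ones), as an added example that is not part of either message and is not the tool's code. It is a one-dimensional simplification that assumes only `src` ACLs with IPv4 CIDR values, no `!` negation, and coverage by a single earlier rule; the config, the function names and the "shadowed"/"redundant" labels are this example's own.

```python
import ipaddress

# Constructed sample config; all names below are this example's own, not the tool's.
SAMPLE_CONF = """
acl all src 0.0.0.0/0
acl lan src 10.0.0.0/16 10.1.0.0/16
acl lab src 10.0.5.0/24
acl guests src 192.168.50.0/24
http_access deny lab
http_access allow lan
http_access allow lan lab
http_access deny all
http_access deny guests
"""

def parse(conf):
    """Return (acls, rules) from 'acl NAME src ...' and 'http_access' lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t) for t in tok[3:]]
            # Values of one acl (and repeated acl lines) are ORed together.
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def match_set(names, acls):
    """ACLs on one http_access line are ANDed: intersect their networks."""
    current = [ipaddress.ip_network("0.0.0.0/0")]
    for name in names:
        # CIDR blocks are nested or disjoint: intersection is the smaller one or nothing.
        current = [a if a.subnet_of(b) else b for a in current for b in acls[name]
                   if a.subnet_of(b) or b.subnet_of(a)]
    return list(ipaddress.collapse_addresses(current))

def find_anomalies(conf):
    """Flag rules fully covered by one earlier rule (first match wins)."""
    acls, rules = parse(conf)
    sets = [match_set(names, acls) for _, names in rules]
    found = []
    for j, (action, _) in enumerate(rules):
        for i in range(j):
            if sets[j] and all(any(n.subnet_of(m) for m in sets[i]) for n in sets[j]):
                # Same action: removable duplicate. Different action: never takes effect.
                kind = "redundant" if rules[i][0] == action else "shadowed"
                found.append((j + 1, i + 1, kind))
                break
    return found
```

On the sample, rule 3 (`allow lan lab`) can never fire because rule 1 already denies every `lab` address, and rule 5 repeats what rule 4 already denies.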