
Re: Are these acl / http_access correct ?

On Tue, 21 Jul 2009 07:16:36 -0700 (PDT), danifty <danifty@xxxxxxxxx>
wrote:
> Hi all,
> 
> I'm fairly new to squid, and I'm trying to configure it for filtering web
> access from multiple VLANs, allowing some of them to go to some destinations
> (and nowhere else), others to go to other destinations, etc. All
> other VLANs are allowed to go everywhere (I hope this is clear... I'm
> French... sorry! :-))
> 
> Here is how I think it can be done... but I have doubts. Could you please tell me
> if this is good, and if not, could you explain to me what to do to have a
> correct filtering configuration.
> 
> Thanks a lot!
> 
> ################################################
> ### SOURCES ###
> # [VLAN 1]
> acl     src_vlan_1     	src	192.168.1.0/24
> 
> # [VLAN 2]
> acl     src_vlan_2	             src 	192.168.2.0/24
> 
> # [Tous VLANs]
> acl     all    		src	all

Your idea here is slightly broken.

"all" means the whole Internet. When defined like this, it means any source on
the Internet.

Best use:
 # [Tous VLANs]
 acl Tous_VLANs src 192.168.0.0/16

(NP: that covers all vlans inside 192.168.*.0/24.  Add other ranges as
needed to the list)

> 
> ################################################
> 
> ### DESTINATIONS ###
> # [VLAN 1]
> acl     dst_VLAN1_SITES	dstdomain       	.google.fr .yahoo.com
> 
> # [VLAN 2]
> acl     dst_VLAN2_SITES   	dstdomain       	.voila.fr .altavista.com
> 
> # [All destinations]
> acl	ALL_INTERNET			dst			0.0.0.0/32

Broken. This only permits if the _single_ IP == "0.0.0.0" is requested.
And it requires a destination IP lookup before anything can be done.

Best use the "all" ACL defined above instead.

# [All Internet]
acl all src all

> 
> ################################################
> 
> ### AUTORISATIONS ###
> 
> # VLAN 1 
> http_access      allow          	dst_VLAN1_SITES              src_vlan_1
> http_access      deny		src_vlan_1	            ALL_INTERNET
> 

http_access allow dst_VLAN1_SITES  src_vlan_1
http_access deny src_vlan_1

> # VLAN 2 
> http_access      allow           	dst_VLAN2_SITES     	src_vlan_2
> http_access      deny		src_vlan_2		ALL_INTERNET

http_access allow dst_VLAN2_SITES  src_vlan_2
http_access deny src_vlan_2

> 
> http_access      allow		all			ALL_INTERNET

Means any source on the Internet can go to any destination on the Internet through
your proxy.

Definitely NOT a good idea.

Please use:
  http_access allow Tous_VLANs
  http_access deny all

Amos
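As an added example, not part of this archived thread, here is a small Python model of how squid evaluates http_access lines (first matching line wins, every ACL on the line must match). It assembles Amos' corrections into one ruleset, contrasts it with a ruleset ending in "allow all", and checks that the "dst 0.0.0.0/32" ACL from the question only matches the literal address 0.0.0.0. The sample requests, the client addresses and the resolved destination 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Squid checks http_access lines top to bottom; a line matches only if every ACL on it
# matches, the first match wins, and with no match the opposite of the last action applies.
ACLS = {
    "src_vlan_1":      ("src", ["192.168.1.0/24"]),
    "src_vlan_2":      ("src", ["192.168.2.0/24"]),
    "Tous_VLANs":      ("src", ["192.168.0.0/16"]),
    "all":             ("src", ["0.0.0.0/0"]),   # "src all": any client address whatsoever
    "dst_VLAN1_SITES": ("dstdomain", [".google.fr", ".yahoo.com"]),
    "dst_VLAN2_SITES": ("dstdomain", [".voila.fr", ".altavista.com"]),
    "ALL_INTERNET":    ("dst", ["0.0.0.0/32"]),  # the broken ACL from the question
}

def acl_matches(name, client_ip, host, dst_ip):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "dst":  # compares the resolved destination address, hence a DNS lookup first
        return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # ".google.fr" matches google.fr and every subdomain of it
        return any((host == v[1:] or host.endswith(v)) if v.startswith(".") else host == v
                   for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, client_ip, host, dst_ip="203.0.113.5"):
    for action, acls in rules:
        if all(acl_matches(a, client_ip, host, dst_ip) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # squid's documented fallback

# Ordering assembled from Amos' corrections: per-VLAN whitelist, deny the rest of
# that VLAN, allow the remaining internal VLANs, deny everyone else.
CORRECTED = [
    ("allow", ["dst_VLAN1_SITES", "src_vlan_1"]), ("deny", ["src_vlan_1"]),
    ("allow", ["dst_VLAN2_SITES", "src_vlan_2"]), ("deny", ["src_vlan_2"]),
    ("allow", ["Tous_VLANs"]), ("deny", ["all"]),
]
OPEN_PROXY = CORRECTED[:-2] + [("allow", ["all"])]  # ends in "allow all": an open proxy

def decisions(rules):
    """Verdicts for a constructed set of requests, keyed by (client_ip, host)."""
    requests = [("192.168.1.10", "www.google.fr"),  # VLAN 1 to a whitelisted site
                ("192.168.1.10", "www.voila.fr"),   # VLAN 1 to VLAN 2's site
                ("192.168.2.10", "altavista.com"),  # VLAN 2, bare domain name
                ("192.168.7.10", "example.org"),    # another internal VLAN
                ("198.51.100.4", "example.org")]    # a client out on the Internet
    return {req: http_access(rules, *req) for req in requests}
if __name__ == "__main__":
    print(decisions(CORRECTED))
```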

