Muhammad Sharfuddin wrote:
Squid Cache: Version 2.7.STABLE5
'allowed_websites.txt' is a text file containing some websites that everyone
can access.
'ipes.txt' is a text file containing my LAN IPs.
'skype_servers_ip.txt' is a text file containing almost 65 IPs of Skype
servers. I found the Skype IPs in the squid log, and as per the squid log,
Skype connects to these servers via 'CONNECT skype_server_ip:443'.
I just want to allow 'allowed_websites' and Skype to my LAN:
# sites everyone may reach, matched against the full URL
acl allowed_websites url_regex -i "/etc/squid/allowed_websites.txt"
http_access allow allowed_websites
# Skype server IPs harvested from the log, matched on destination address
acl skype_servers_ip dst "/etc/squid/skype_servers_ip.txt"
http_access allow skype_servers_ip
# everything else from the LAN is denied
acl mynet src "/etc/squid/ipes.txt"
http_access deny mynet
Skype is not working on the client side, and the reason is clear: as per the
squid logs, every time Skype connects to a different server (which is
obviously not listed in 'skype_servers_ip.txt'), and then I have to add
those servers to 'skype_servers_ip.txt', so it's a never-ending exercise.
In short, Skype connects to its servers via IPs, and not via
domains (e.g. MSN Messenger connects to .live.messenger.com
or .live.hotmail.com, so by allowing these domains, MSN Messenger can
work).
Please advise/suggest how I can achieve my target.
You cannot. As you noticed, it's a fast-moving target.
Every new Skype customer and every Skype customer on dial-up means more
IPs you need to add to your whitelist.
The only way to get there is to whitelist the source of the connection
(your safe clients) for Skype access, but allow them to connect outward to
anyone (CONNECT + dstdom_regex with an IP-matching pattern).
You might get around the inbound problem by writing a script to watch
which IPs they connect out to frequently and allow those inbound. But
that is not really safe either, since Skype is a P2P protocol, hopping
from one PC to the next until a link is made to the real destination and
it settles down.
Amos
Regards
--ms
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13
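The ruleset below is an added example of the approach Amos describes (a per-client whitelist combined with CONNECT + dstdom_regex on an IP literal); it is not config from the original thread. The file '/etc/squid/skype_clients.txt' is an assumed name for the list of LAN hosts permitted to run Skype; 'ipes.txt' and 'allowed_websites.txt' are the files from the original post.

```conf
# Added example, not from the original post. Squid 2.7-style ACLs.

# LAN hosts and the general-purpose site whitelist from the original post
acl mynet src "/etc/squid/ipes.txt"
acl allowed_websites url_regex -i "/etc/squid/allowed_websites.txt"

# Hosts that are allowed to run Skype (assumed file name, one IP per line)
acl skype_clients src "/etc/squid/skype_clients.txt"

# Skype tunnels out with CONNECT to a bare IP on 443, so match the method,
# the port, and a destination "host" that is a dotted-quad literal rather
# than a name. dstdom_regex is matched against the host part of the request.
acl CONNECT method CONNECT
acl SSL_ports port 443
acl ip_literal dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# Everyone on the LAN gets the whitelisted sites only.
http_access allow mynet allowed_websites

# Skype-approved hosts may additionally tunnel to any raw IP on 443.
# This is an open CONNECT tunnel for those hosts, which is the trade-off
# Amos points out: the destination cannot be pinned down, so trust is
# placed in the source instead.
http_access allow skype_clients CONNECT SSL_ports ip_literal

# Explicit final deny, so nothing falls through to Squid's implicit default
# (which is the opposite of the last matching rule's action).
http_access deny all
```

Two checks worth running after loading this: `squid -k parse` to confirm the ACL syntax, and a tail of access.log for `CONNECT <ip>:443` lines from a host not in skype_clients, which should now show TCP_DENIED. Note that ip_literal deliberately does not match CONNECT requests to hostnames, so a whitelisted Skype host still cannot tunnel to arbitrary named sites through this rule.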