On Thu, 8 Oct 2009 12:32:51 -0400 (CDT), "Hermidio A. Rodriguez Chavez" <hermidio.rodriguez@xxxxxxxxxxxxxxxx> wrote:
> Hi all
>
> I'd like to give access across my proxy based on srcdomain and src acl. I
> think srcdomain checks the reverse PTR record first and src the IP, then if
> the user passes they go to the internet. Here's my conf, and access is
> denied to the user:
>
> acl src_home srcdomain pruebacorreo.domain.local
> acl src_ip src 10.1.0.24
>
> http_access allow src_ip src_home
>
> The client computer is pruebacorreo.domain.local with IP 10.1.0.24
>
> Thanks in advance
>
> Hermidio

Yes, srcdomain is based on the rDNS PTR record, which is directly based on the src IP.

The srcdomain + src test you have is completely redundant. Squid will check that the IP is 10.1.0.24 and then that the srcdomain PTR record for 10.1.0.24 equals pruebacorreo.domain.local.

This is an excellent way of blocking all your users' access when the DNS admin has made a typo or changed the PTR record for the 10.1.0.24 machine.

The only noticeable benefit over using src by itself is that it can be used along with automatic DDNS to see if the host assigned 10.1.0.24 has renewed its IP lease recently, provided the user of that machine has not changed the OS or hostname.

Also note: "domain.local" is a private domain registered for Microsoft internal NetBIOS usage (now deprecated for obsoletion) and must not be registered in any public DNS. Client software seeking such domains in the public DNS is participating in an ongoing DDoS against the DNS root servers. Please use a valid public domain name; they are very cheap and sometimes free.

Amos
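
The following is an added example, not part of the original thread and not Squid's own code: a simplified Python model of the `http_access allow src_ip src_home` rule discussed above, showing how a wrong or missing PTR record denies a client whose IP is correct. The function names and the PTR tables are constructed for illustration, and the name comparison is an assumption about srcdomain matching (exact name, or suffix when the pattern starts with a dot).

```python
import socket

def ptr_name(ip, resolver=None):
    """Return the reverse-DNS (PTR) name for ip, or None if there is none."""
    if resolver is not None:          # injected table: lets the check run offline
        return resolver.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                   # covers socket.herror / socket.gaierror
        return None

def srcdomain_matches(ptr, pattern):
    """Simplified srcdomain comparison (assumption, see lead-in)."""
    if ptr is None:
        return False
    ptr, pattern = ptr.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith("."):
        return ptr == pattern[1:] or ptr.endswith(pattern)
    return ptr == pattern

def allow(client_ip, src_ip, src_home, resolver=None):
    """Model of 'http_access allow src_ip src_home': both ACLs must match."""
    if client_ip != src_ip:
        return False, "src mismatch"
    ptr = ptr_name(client_ip, resolver)
    if not srcdomain_matches(ptr, src_home):
        return False, f"PTR {ptr!r} does not match srcdomain {src_home!r}"
    return True, "allowed"

# Constructed PTR tables (not real DNS data): correct record, typo, no record.
GOOD = {"10.1.0.24": "pruebacorreo.domain.local"}
TYPO = {"10.1.0.24": "pruebacoreo.domain.local"}
MISSING = {}

if __name__ == "__main__":
    for label, table in (("good", GOOD), ("typo", TYPO), ("missing", MISSING)):
        print(label, allow("10.1.0.24", "10.1.0.24",
                           "pruebacorreo.domain.local", table))
```

Calling `allow()` without a `resolver` table performs a live reverse lookup, which can be used to check what PTR name the proxy host actually sees for a client before relying on a srcdomain ACL.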