On 02/11/10 20:18, Edmonds Namasenda wrote:
Hello Amos, I emailed the content below to the users mailing list but
kept getting bounced messages about "MIME Content" so I chose to email
you privately for help. Hope it is okay.
Reply sent on-list.
Set your emailer not to include a web page along with the email text and
the list will stop rejecting your mail.
##########
Hello All.
I request help using openSUSE 11.2, Squid 3.0 and Shorewall 2.2.2 (an old
version, but it has been working fine for me so far).
There are three networks (subnets) planned
Local LAN: 10.100.#.0/24 aka lLAN
Local WAN: 192.168.#.0/24 aka lWAN
VPN APN: 10.208.#.0/24 aka vAPN
VPN Router: 41.2##.###.### (External Interface), 192.168.#.# (Internal Interface)
Currently, we use the router to connect lWAN (for IP application servers)
to vAPN users, and for internet access to both lWAN & vAPN.
I saw a need for another network, lLAN, to segment the local users from
vAPN users although both users must access certain services on lWAN.
Please correct me if I am wrong, but I believe this is achievable, and I
want to use Squid as a transparent proxy to control downloads and limit
access to some websites to certain times.
My squid.conf ACLs.
acl net_ed src 10.100.#.0/24 192.168.#.0/24 10.208.#.0/24 # The three networks
acl whrs1 time MTWHF 9:00-12:59 # Morning time to limit some websites & control downloads
acl whrs2 time MTWHF 13:00-16:59 # Afternoon time to limit some websites & control downloads
acl nowww dstdomain "/etc/squid/noWWW" # Path to file of limited websites
acl nodwnld urlpath_regex "/etc/squid/noDWNLD" # Path to file of controlled downloads
My squid.conf http_access
# All ACL names on one http_access line are ANDed, and whrs1 and whrs2 can
# never both match at the same moment, so each time window needs its own line
# (a single "deny nowww whrs1 whrs2" line would never deny anything).
http_access deny nowww whrs1
http_access deny nowww whrs2
http_access deny nodwnld whrs1
http_access deny nodwnld whrs2
http_access allow net_ed
Content in /etc/squid/noWWW
.friendstar.com
.metacafe.com
.myspace.com
.videos.google.com
.youtube.com
.facebook.com
.twitter.com
.yousex.com
Content in /etc/squid/noDWNLD
\.exe$
\.zip$
\.gz$
\.bz2$
\.mp3$
\.avi$
\.mp4$
\.mpg$
\.mpeg$
\.rar$
\.ram$
\.rpm$
\.wav$
\.cda$
\.wma$
\.wmv$
\.flv$
\.fla$
I would like to add an ACL to allow specific 192.168.#.0/24 addresses to
the internet directly before putting a redirect rule in shorewall to
force all other addresses to use the proxy.
You seem to be asking how to bypass the proxy from inside. That is not
possible. The firewall needs to do bypass before anything gets near the
proxy.
If you meant that some IPs need to get web access without the download
and site restrictions, that is just an ACL listing the IPs and allowing
them access first, before applying the extra restrictions for others.
My redirect rules in shorewall are
1. ACCEPT $FW net tcp www
2. REDIRECT loc 3128 tcp www - !192.168.#.#
What I do not want is for users to be able to access the internet when
they change IPs back to lWAN.
And I would like to add an ACL for some lLAN addresses to access the
internet without any restrictions.
Please note that all those networks are sharing switches and / or router.
I could separate the networks accordingly with a switch, but how do I
achieve access to all networks as necessary?
I have not used shorewall in over 5 years now. I find its layered
abstraction maps more confusing than the iptables commands. Sorry, I
can't help with the specifics here.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.2
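For the question above about letting a few lWAN and lLAN hosts browse without the site and download restrictions, here is an added squid.conf fragment written for this reply; it is not from the thread, and the exempt addresses (192.168.#.20, 192.168.#.21, 10.100.#.20) are placeholders. It keeps the acl names from the original config and only shows the http_access ordering; as noted above, bypassing the proxy entirely is still a firewall matter, not a Squid one.

```squid
# Added example: http_access ordering for the setup described in the thread.
# Squid evaluates http_access lines top-down and stops at the first match,
# so hosts that must escape the filters are allowed BEFORE the time-based denies.
# Addresses containing '#' are placeholders for the real subnets/hosts.

acl all src all                                              # matches everything (as in the stock squid.conf)
acl net_ed src 10.100.#.0/24 192.168.#.0/24 10.208.#.0/24   # the three networks
acl unrestricted src 192.168.#.20 192.168.#.21 10.100.#.20   # hosts exempt from the filters (placeholders)
acl whrs1 time MTWHF 9:00-12:59                              # morning working hours
acl whrs2 time MTWHF 13:00-16:59                             # afternoon working hours
acl nowww dstdomain "/etc/squid/noWWW"                       # restricted sites
acl nodwnld urlpath_regex -i "/etc/squid/noDWNLD"            # controlled download types (-i: case-insensitive)

# 1. Exempt hosts are matched first, so none of the rules below apply to them.
http_access allow unrestricted

# 2. Working-hours restrictions. ACLs on one line are ANDed, and whrs1 and
#    whrs2 can never both be true, so each time window gets its own deny line.
http_access deny nowww whrs1
http_access deny nowww whrs2
http_access deny nodwnld whrs1
http_access deny nodwnld whrs2

# 3. Everything else from the three networks is allowed.
http_access allow net_ed

# 4. Anything not matched above is refused. Squid's default when no line
#    matches is the opposite of the last line, so an explicit final deny
#    keeps the behaviour fixed when rules are added later.
http_access deny all
```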