On 16/05/2015 11:09 p.m., Walter H. wrote:
> On 16.05.2015 10:13, Amos Jeffries wrote:
>> On 16/05/2015 6:22 p.m., Walter H. wrote:
>>> On 16.05.2015 01:41, Amos Jeffries wrote:
>>>> On 16/05/2015 6:14 a.m., Walter H. wrote:
>>>>> Hello,
>>>>>
>>>>> is IPv6 somewhat similar to IPv4?
>>>> Somewhat, yes.
>>> I just wondered because of the "different" behaviour;
>>>>> e.g.
>>>>>
>>>>> I would write
>>>>>
>>>>> acl block_ipv4_range dst 84.84.84.0/24
>>>>> deny_info errorpage block_ipv4_range
>>>>> http_access deny block_ipv4_range
>>>>>
>>>>> to block any hosts within this IPv4 range
>>>> Taking a step aside, that is not quite what those rules do. They block
>>>> access from anywhere *to* the IP address range (TCP/IP packet
>>>> destination on the request messages).
>>>>
>>> yes this should be the intention, that you get an error (in this case
>>> the errorpage) when
>>> you have e.g. http://84.84.84.2/ or https://84.84.84.2/ as URL in your
>>> browser ...
>> It will block that, and any domain name which resolves to those IPs.
>>
> yes, that is the intention;
>
> I would have done it this way:
>
> acl block_whole_network dst_as 4837
> deny_info errorpage block_whole_network
> http_access deny block_whole_network
>
> but this crashes squid ...

Ouch. Is that the <http://bugs.squid-cache.org/show_bug.cgi?id=3579> crash?
I would like to fix that, but need the backtrace.

>
> as workaround I've got a file listing any range for one AS number
> and doing this:
>
> acl block_as4837 dst "block-as4837-acl.squid"
>
> and one of these files has more than 600(!) entries ...
>
>>> does it seem to be problematic, when having a TLS-server with an IPv6
>>> address only without DNS, because of the comm name?
>> That is a different issue entirely.
> yes and hoping no browser ever will accept a common name of just '*'
>> Going by that description it seems Firefox and Chrome are a bit broken.
> IE, too;

IE is doing the right thing in your description.
That cert-with-IP warning is the correct / working behaviour. The
Firefox hang and Chrome "insecure" warning are the broken bits.

Amos
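
Added example, not part of the original thread and not Squid project code: a small Python helper for the per-AS prefix file workaround described above. It validates each entry and merges adjacent or overlapping IPv4 and IPv6 prefixes so the file loaded by a dst ACL stays short. The sample file content uses constructed documentation prefixes, and the one-entry-per-line layout with "#" comments is an assumption about how the file is written.

```python
import ipaddress

# Constructed sample of a per-AS ACL file (documentation prefixes, not real AS data).
SAMPLE_ACL = """\
# hypothetical per-AS prefix list for a Squid dst ACL
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
2001:db8::/64
2001:db8:0:1::/64
192.0.2.7
"""

def parse_entries(text):
    """Return (networks, errors) from one-entry-per-line ACL text."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/24
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return nets, errors

def collapse(nets):
    """Merge adjacent and overlapping prefixes, one address family at a time."""
    out = []
    for version in (4, 6):  # collapse_addresses() refuses mixed families
        family = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(family))
    return out

def render(nets):
    """Serialize as one CIDR entry per line, ready to write back to the ACL file."""
    return "".join(f"{n}\n" for n in nets)

if __name__ == "__main__":
    nets, errors = parse_entries(SAMPLE_ACL)
    for lineno, entry, msg in errors:
        print(f"line {lineno}: skipped {entry!r}: {msg}")
    print(render(collapse(nets)), end="")
```

Invalid entries are reported with their line number and left out of the output, so a typo in a 600-line list is caught before the file is reloaded.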