On 09/28/2017 06:10 PM, anwesh tiwari wrote: > Ipv6 acl is not working as expected, if the ipv6 address of domain is > unrouteable and it fallbacks to ipv4 even when its denied. > > Details : What I am trying to achieve : I want to disable all IPv4 > domain access from proxy and disable all ipv4 connections. You appear to be correct. The ACL behaviour is checked before connections are attempted. So, trying to connect to IPv4 only sites fails, as expected. But if you have a dualstack site, like whatismyipv6.com, then it passes the ACL but fails on the IPv6 connection. Then it falls back to Ipv4 and succeeds. This seems to be the not very intuitive part of the ACL mechanism. ACL guards access to squid-cache, not to the site themselves. So as long as the ACL succeeds *before* connection is ever attempted (and sometimes it may not even be attempted, because things are cached after all), then it passes. If you want to disable access to outside world on IPv4, you can disable it outside of squid. Like via iptables or dropping IPv4 from your network interface. - Adam _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
