Well, you're only matching "not-my-network". You should have more http_access commands, even by default. Show the rest of them. I think this would be more appropriate:
http_access allow internal http_access deny all That would first let the right people surf, and then deny everything else. -- TONI HEINONEN TELEWARE OY +358 40 836 1815 / +358 (9) 3434 9110 Itäkeskuksen Maamerkki 00930 Helsinki, Finland [EMAIL PROTECTED] / www.teleware.fi > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 23, 2004 10:18 PM > To: [EMAIL PROTECTED] > Subject: squid and it's config, a question > > > I am looking to set up squid proxy for my lan, and think I have a > correct config to make sure the proxy is not open. I am > asking the list > as opposed to the squid lists, as I prefer to ask the FBSD list first > when it is somewhat FBSD related. I will be running this on a FBSD 4.9 > box. This box has two NICs in it, one connected to the router > and one to > the lan. > > After looking through the docs, I think I am correct in listing the > internal network 10.1.1.x 255.0.0.0 as such: > > acl internal src 10.1.1.0/24 > http_access deny !internal > > I placed the above at the start of the file to jump right in > and get this > set. And further into the squid.conf file the following: > > #Recommended minimum configuration: > acl all src 0.0.0.0/0.0.0.0 > acl manager proto cache_object > acl localhost src 10.1.1.5/255.0.0.0 > acl SSL_ports port 443 563 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 563 # https, snews > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > > Here the squid server will be IP 10.1.1.5 255.0.0.0. I have no > references to localhost as 127.0.0.1r, and no references to > the external > IP in this file anywhere. I am assuming, perhaps incorrectly which is > often the case for me :-), that this should be sufficient and > safe from > being open to the world. > > Thank you very much for your time and patience with this. And > yes I did > RTFM, but I want to be sure as sometimes the FM is beyond me. > -- > Bob > > "Play is the work of children. It's very serious stuff. And if it's > properly structured in a developmental program, children can blossom." > -Bob Keeshan aka `Captain Kangaroo' > _______________________________________________ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"