Well, you're only matching "not-my-network". You should have more http_access 
commands, even by default. Show the rest of them. I think this would be more 
appropriate:

http_access allow internal
http_access deny all

That would first let the right people surf, and then deny everything else.
-- 
TONI HEINONEN
     TELEWARE OY
     +358 40 836 1815 / +358 (9) 3434 9110
     Itškeskuksen Maamerkki
     00930 Helsinki, Finland
     [EMAIL PROTECTED] / www.teleware.fi


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 10:18 PM
> To: [EMAIL PROTECTED]
> Subject: squid and it's config, a question
> 
> 
> I am looking to set up squid proxy for my lan, and think I have a
> correct config to make sure the proxy is not open. I am 
> asking the list
> as opposed to the squid lists, as I prefer to ask the FBSD list first
> when it is somewhat FBSD related. I will be running this on a FBSD 4.9
> box. This box has two NICs in it, one connected to the router 
> and one to
> the lan.
> 
> After looking through the docs, I think I am correct in listing the
> internal network 10.1.1.x 255.0.0.0 as such:
> 
> acl internal src 10.1.1.0/24
> http_access deny !internal
> 
> I placed the above at the start of the file to jump right in 
> and get this
> set. And further into the squid.conf file the following:
> 
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 10.1.1.5/255.0.0.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> Here the squid server will be IP 10.1.1.5 255.0.0.0. I have no
> references to localhost as 127.0.0.1r, and no references to 
> the external
> IP in this file anywhere. I am assuming, perhaps incorrectly which is
> often the case for me :-), that this should be sufficient and 
> safe from
> being open to the world.
> 
> Thank you very much for your time and patience with this. And 
> yes I did
> RTFM, but I want to be sure as sometimes the FM is beyond me.
> --
> Bob
> 
> "Play is the work of children. It's very serious stuff. And if it's
> properly structured in a developmental program, children can blossom."
> -Bob Keeshan aka `Captain Kangaroo'
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "[EMAIL PROTECTED]"
> 
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to