On Tue, 21 Jul 2009 07:16:36 -0700 (PDT), danifty <[email protected]>
wrote:
> Hi all,
> 
> I'm fairly new to squid, and I'm trying to configure it for filtering web
> access from multiple vlans, allowing some of them to go to some
> destinations
> (and nowhere else), and others... going to other destinations, etc.. All
> other vlans are granted to go everywhere (I hope this is clear... I'm
> French... sorry! :-))
> 
> Here is how I think it can be done... but I have doubts. Could you please
> tell me if this is good, and if not, could you explain to me what to do to
> have a correct filtering configuration.
> 
> Thanks a lot!
> 
> ################################################
> ### SOURCES ###
> # [VLAN 1]
> acl     src_vlan_1            src     192.168.1.0/24
> 
> # [VLAN 2]
> acl     src_vlan_2                 src        192.168.2.0/24
> 
> # [All VLANs]
> acl     all                   src     all

Your idea here is slightly broken.

"all" means all Internet. When defined like this, it means any source on
Internet.

Best use:
 # [All VLANs]
 acl Tous_VLANs src 192.168.0.0/16

(NP: that covers all vlans inside 192.168.*.0/24.  Add other ranges as
needed to the list)

> 
> ################################################
> 
> ### DESTINATIONS ###
> # [VLAN 1]
> acl     dst_VLAN1_SITES       dstdomain               .google.fr .yahoo.com
> 
> # [VLAN 2]
> acl     dst_VLAN2_SITES       dstdomain               .voila.fr .altavista.com
> 
> # [All destinations]
> acl   ALL_INTERNET                    dst                     0.0.0.0/32

Broken. This only permits if the _single_ IP == "0.0.0.0" is requested.
And it requires a destination IP lookup before anything can be done.

Best use the "all" ACL defined above instead.

# [All Internet]
acl all src all

> 
> ################################################
> 
> ### AUTHORIZATIONS ###
> 
> # VLAN 1 
> http_access      allow                dst_VLAN1_SITES              src_vlan_1
> http_access      deny         src_vlan_1                  ALL_INTERNET
> 

http_access allow dst_VLAN1_SITES  src_vlan_1
http_access deny src_vlan_1

> # VLAN 2 
> http_access      allow                dst_VLAN2_SITES           src_vlan_2
> http_access      deny         src_vlan_2              ALL_INTERNET

http_access allow dst_VLAN2_SITES  src_vlan_2
http_access deny src_vlan_2

> 
> http_access      allow                all                     ALL_INTERNET

Means any source on Internet can go to any destination on Internet through
your proxy.

Definitely NOT a good idea.

Please use:
  http_access allow Tous_VLANs
  http_access deny all

Amos
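The following is an added example, not code from the thread or from the Squid project: a small Python model of how squid walks `http_access` lines (first line whose ACLs all match wins; if nothing matches, the opposite of the last line's action applies). It parses the corrected rule set Amos describes, plus a variant that ends in `http_access allow all`, and evaluates constructed requests against both. Only the `src`, `dst` and `dstdomain` ACL types used in the thread are modelled; the client addresses and hostnames in the tests are made up for illustration.

```python
"""Model of squid http_access evaluation (added example, not squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str      # address the browser connects from
    host: str           # hostname from the requested URL
    server_ip: str = "" # resolved destination IP, if squid already knows it


def _domain_match(pattern, host):
    # squid dstdomain: a leading dot matches the domain and all its subdomains,
    # no leading dot means an exact hostname match.
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(kind, values, req):
    """True when an ACL of type `kind` with the given values matches `req`."""
    if kind == "src":
        if "all" in values:                      # 'acl all src all' matches any client
            return True
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dst":
        # A dst ACL compares against the destination IP, so squid must resolve
        # the hostname first (the lookup Amos objects to). Unknown IP => no match.
        if not req.server_ip:
            return False
        ip = ipaddress.ip_address(req.server_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        return any(_domain_match(v, req.host) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def parse_config(text):
    """Collect 'acl' definitions and ordered 'http_access' rules; '#' starts a comment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)  # repeated acl lines accumulate
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def decide(text, req):
    """First http_access line whose ACLs all match wins; with no match, squid
    applies the opposite of the last line's action. An undefined ACL name raises
    KeyError, just as squid refuses to start on an unknown ACL."""
    acls, rules = parse_config(text)
    for action, names in rules:
        if all(acl_matches(*acls[name], req) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# ACL definitions from the thread, with Amos's Tous_VLANs range added.
ACLS = """
acl src_vlan_1 src 192.168.1.0/24
acl src_vlan_2 src 192.168.2.0/24
acl Tous_VLANs src 192.168.0.0/16
acl all src all
acl dst_VLAN1_SITES dstdomain .google.fr .yahoo.com
acl dst_VLAN2_SITES dstdomain .voila.fr .altavista.com
"""

# Rule order as corrected in the reply.
CORRECTED = ACLS + """
http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1
http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2
http_access allow Tous_VLANs
http_access deny all
"""

# Same per-VLAN rules, but ending in the original poster's catch-all allow.
OPEN_PROXY = ACLS + """
http_access allow dst_VLAN1_SITES src_vlan_1
http_access deny src_vlan_1
http_access allow dst_VLAN2_SITES src_vlan_2
http_access deny src_vlan_2
http_access allow all
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("corrected", CORRECTED), ("allow all", OPEN_PROXY)):
        for req in (Request("192.168.1.10", "www.google.fr"),
                    Request("192.168.1.10", "www.voila.fr"),
                    Request("192.168.5.10", "www.example.net"),
                    Request("203.0.113.5", "www.example.net")):   # constructed outside client
            print(f"{cfg_name:10} {req.client_ip:15} -> {req.host:16} {decide(cfg, req)}")
```

The last request comes from outside 192.168.0.0/16: the corrected rules fall through to `deny all`, while the `allow all` ending admits it, which is the open-proxy behaviour the reply warns about. The `dst 0.0.0.0/32` check can be tried the same way with `acl_matches("dst", ["0.0.0.0/32"], req)`: it is true only when `server_ip` is exactly `0.0.0.0`.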
