Hi Gang,
The IRC channel appears a bit quiet, so here I go with my dilemma:

I want to be able to match against source MAC within Squid, to be able to enforce potentially different ACLs for different machines/users without relying on any sort of interactive authentication.

(Or perhaps I could use iptables to redirect to different ports (all of which would have listening squids) based on MAC, but that doesn't seem like it would scale well.)

At any rate, I wrote a very short Perl script that can be given an IP address and a MAC address. It uses the arp command along with grep and awk to retrieve the last known MAC address from the kernel's ARP table for the given IP, compares it to the address provided, and outputs "OK" or "ERR" for Squid.

Thing is, when I enable the thing, it seems like squid never actually calls the external program, and just starts acting like it always answers with "OK" (I've even edited the perl script to unconditionally respond with "ERR", and squid still acts like it's answering "OK").

Below is the important part of the perl script and my squid.conf:

from /squid_mac_acl.pl:
#!/usr/bin/perl
[...]
# squid.conf docs around external_acl_type imply responses should be
# returned via stdout
print "ERR error=MACMismatch\n";

from /etc/squid/squid.conf:
external_acl_type macmatch %SRC /squid_mac_acl.pl
acl brian external macmatch 88:88:88:88:88:88
http_access allow brian

When the above is part of my squid.conf, the "http_access allow brian" basically opens carte blanche access to all hosts (very bad, of course), instead of only opening access to MAC address 88:88:88:88:88:88 (which of course doesn't actually exist on my network, and ought to result in denial).

/squid_mac_acl.pl has mode 0755, root:root ownership. I've tried putting some code to write to a log file in the script, and nothing gets written to the log file when squid ought to be calling the program.

As always, all tips and hints and sources of further reading are greatly appreciated.

--
----------------
Brian A. Henning
strutmasters.com
336.597.2397x238
----------------
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
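The external ACL helper protocol the post relies on, written out as an added example in Python rather than the poster's Perl (this is not code from the original message or from Squid itself). Squid sends the helper one line per lookup, made of the %SRC value followed by the argument from the acl line, and waits for an "OK" or "ERR" reply line for each one, so the helper has to loop on stdin and flush every reply rather than print once and exit. The squid.conf wiring shown in the docstring, the /proc/net/arp parsing and the "message=" reply key are assumptions about a Linux host and a Squid without the concurrency= option; the ARP table content in SAMPLE_ARP is constructed sample data, not captured from a real host.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: does the client's source IP currently map, in
the kernel ARP cache, to the MAC address named on the acl line?

Assumed wiring in squid.conf (no 'concurrency=' option, so no channel id):
    external_acl_type macmatch %SRC /usr/bin/python3 /path/to/this/helper.py
    acl brian external macmatch 88:88:88:88:88:88
Squid then sends one line per lookup, "<client-ip> <acl-argument>", and
waits for one reply line, "OK" or "ERR", on stdout.
"""
import sys
from typing import Dict, Optional

ARP_TABLE = "/proc/net/arp"   # Linux kernel ARP cache, one entry per line
ATF_COM = 0x2                 # flag bit: entry is complete (resolved)

# Constructed sample of /proc/net/arp content for offline demonstration;
# not captured from a real host. Second entry is an unresolved neighbour.
SAMPLE_ARP = (
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0\n"
    "192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0\n"
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for complete entries only.

    An incomplete entry (ATF_COM clear, HW address all zeros) means the kernel
    has no current answer for that IP, so it must never match a real MAC.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:            # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3]
        try:
            if int(flags, 16) & ATF_COM == 0:
                continue
        except ValueError:                        # malformed flags column
            continue
        table[ip] = mac.lower()
    return table


def lookup_mac(ip: str, arp_text: Optional[str] = None) -> Optional[str]:
    """MAC currently cached for ip, or None. Reads /proc/net/arp unless text is given."""
    if arp_text is None:
        with open(ARP_TABLE, encoding="ascii") as fh:
            arp_text = fh.read()
    return parse_arp_table(arp_text).get(ip)


def decide(request_line: str, arp_text: Optional[str] = None) -> str:
    """Map one request line from Squid to the reply line Squid expects.

    request_line: "<client-ip> <mac-from-acl-line>" (%SRC plus the acl argument).
    Anything other than a verified match is ERR, so unknown hosts fail closed.
    """
    fields = request_line.split()
    if len(fields) < 2:
        return "ERR message=malformed_request"
    client_ip, wanted_mac = fields[0], fields[1].lower()
    seen_mac = lookup_mac(client_ip, arp_text)
    if seen_mac is None:
        return "ERR message=no_arp_entry"
    if seen_mac != wanted_mac:
        return "ERR message=MACMismatch"
    return "OK"


def serve(stdin=sys.stdin, stdout=sys.stdout) -> int:
    """Helper main loop: read until EOF, answer every line, flush each reply.

    Squid blocks until the reply arrives, so an unflushed stdout (or a helper
    that prints once and exits) never answers any lookup. Returns the number
    of requests answered.
    """
    answered = 0
    for line in iter(stdin.readline, ""):
        stdout.write(decide(line) + "\n")
        stdout.flush()
        answered += 1
    return answered


if __name__ == "__main__":
    serve()
```

Two practitioner's notes on this approach. The kernel ARP cache only holds entries for hosts on the proxy's own layer-2 segment, so for any client behind a router the %SRC address resolves to the router's MAC, not the client's; and an ARP entry is not authentication, because a client can present whatever MAC it likes, so this is a convenience control rather than a security boundary. Keep an explicit "http_access deny all" after the allow line so a helper that fails to start or never answers cannot fall open, and note that Squid builds with EUI support also offer a native "arp" ACL type that does this lookup without an external helper.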