Re: PLZ help with access controls!

From: David J N Begley <david@dont-contact.us>
Date: Tue, 8 Apr 1997 23:19:58 +1000 (EST)

On Tue, 8 Apr 1997, Igor V. Alekseev wrote:

> Can anyone explain to me the internals of how acl based access control is
> working. Here is a snippet of my squid.conf:
[...]
> This does not work as intended...

The Squid ACL motto! ;-)

A few comments:

> acl IN-CEN srcdomain uniyar.ac.ru
> acl YRN-1 src 193.233.48.0-193.233.55.0/255.255.0.0

Sure this is the mask you wanted? If so, then you can simplify this as:

  acl YRN-1 src 193.233.0.0/255.255.0.0

If you want the full range of subnets (and ONLY those subnets) then you
should use the proper mask:

  acl YRN-1 src 193.233.48.0-193.233.55.0/255.255.255.0

> http_access deny IN-CEN
> http_access allow YRN-1
> http_access deny !YRN-1 all
> miss_access deny IN-CEN
> miss_access allow YRN-1

Mixing "deny" and "allow" within a single ACL rule-type (like
"http_access") is always going to lead to confusion if your rules are
anything more than *really* basic.

* Squid has three groups of ACL rules:

    http_access
    icp_access
    miss_access

* Each line in each group can be either "deny" or "allow".

* Comparisons stop when a match is found on a line.

* The default action for each group (i.e., what happens if comparisons
  fall right through matching no lines) is the *opposite* of the *last*
  line in that group (i.e., if the last line is "allow", then the default
  is "deny" and vice versa).

* To make things easier to understand, therefore, it's best to adopt an
  "all allow" or "all deny" policy, at the very least within each group
  (if not across all your rules).

* In each rule line, each ACL is logically compared using "AND".

* Within each individual ACL, each item is logically compared using "OR".

Using this, and assuming an "all deny" approach (as I've done on our
Squid), you can rewrite your rules as:

  # deny IN-CEN users
  http_access deny IN-CEN
  # deny anyone not in YRN-1
  http_access deny !YRN-1
  # default is to allow (only YRN-1 but not IN-CEN users are left)

Of course, these could be written using "all allow" and even mixed:

  http_access allow YRN-1 !IN-CEN
  # here, default becomes deny

As long as you remember the basic way the rules work, you can move them
around any which way and keep things working. The above behaviour of the
Squid ACLs is what I've finally set as my own understanding, and it's not
'til doing so that I was ever able to keep the ACLs working properly.

Hope this helps..

David J. N. Begley <d.begley@nepean.uws.edu.au>
Network Analyst, Communications Unit
University of Western Sydney, Nepean
Australia
Received on Tue Apr 08 1997 - 06:45:31 MDT
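The following is an added example, not part of the original post and not Squid's own code: a toy Python evaluator for the http_access semantics David lays out above (first matching line wins, default is the opposite of the last line, ACLs on one line are ANDed, values inside one ACL are ORed, "!" negates). It runs Igor's original three lines and the two rewrites from the reply side by side, with the YRN-1 netmask parameterised so the 255.255.0.0 versus 255.255.255.0 point can be seen directly. The way the netmask is applied to a dotted range, the srcdomain suffix rule, the "all" ACL modelled as a src, and the client hosts (ws1.uniyar.ac.ru and the example.test names) are all assumptions or constructed test data.

```python
"""Added example (not from the original post or from Squid): a toy
evaluator for the http_access semantics described in the reply.
IP-range masking, the srcdomain suffix rule and the client hosts are
modelling assumptions / constructed test data."""
import ipaddress


def _masked(addr, mask):
    """Apply a dotted-decimal netmask to an IPv4 address."""
    return ipaddress.IPv4Address(int(addr) & int(mask))


def src_matches(value, client_ip):
    """Model of one 'src' value: 'a.b.c.d/mask' or 'a.b.c.d-e.f.g.h/mask'.
    The mask is applied to the client and to both ends of the range before
    comparing (assumption).  This is why 193.233.48.0-193.233.55.0 with a
    255.255.0.0 mask collapses to the whole 193.233.0.0/16."""
    addrs, _, mask_str = value.partition("/")
    mask = ipaddress.IPv4Address(mask_str or "255.255.255.255")
    lo_str, _, hi_str = addrs.partition("-")
    lo = _masked(ipaddress.IPv4Address(lo_str), mask)
    hi = _masked(ipaddress.IPv4Address(hi_str or lo_str), mask)
    client = _masked(ipaddress.IPv4Address(client_ip), mask)
    return lo <= client <= hi


def srcdomain_matches(value, client_rdns):
    """Model of 'srcdomain': the client's reverse name equals the value or
    ends in '.' + value (suffix rule is an assumption; versions differ)."""
    return client_rdns == value or client_rdns.endswith("." + value)


MATCHERS = {
    "src": lambda value, client: src_matches(value, client["ip"]),
    "srcdomain": lambda value, client: srcdomain_matches(value, client["rdns"]),
}


def acl_matches(ref, acls, client):
    """One ACL reference on a rule line: values in the ACL are ORed,
    a leading '!' negates the result."""
    negate = ref.startswith("!")
    kind, values = acls[ref.lstrip("!")]
    hit = any(MATCHERS[kind](v, client) for v in values)
    return hit != negate


def decide(rules, acls, client):
    """http_access as described in the reply: first line whose ACLs all
    match (AND) decides; otherwise the default is the opposite of the
    last line's action."""
    for action, refs in rules:
        if all(acl_matches(ref, acls, client) for ref in refs):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def build_acls(yrn_mask):
    """Igor's ACLs, with the YRN-1 netmask left as a parameter."""
    return {
        "IN-CEN": ("srcdomain", ["uniyar.ac.ru"]),
        "YRN-1": ("src", ["193.233.48.0-193.233.55.0/" + yrn_mask]),
        "all": ("src", ["0.0.0.0/0.0.0.0"]),  # built-in 'all', modelled as src
    }


# Igor's original lines, then the two rewrites from the reply.
RULES_ORIGINAL = [("deny", ["IN-CEN"]), ("allow", ["YRN-1"]), ("deny", ["!YRN-1", "all"])]
RULES_ALL_DENY = [("deny", ["IN-CEN"]), ("deny", ["!YRN-1"])]
RULES_ALL_ALLOW = [("allow", ["YRN-1", "!IN-CEN"])]

# Constructed clients: an IN-CEN host inside YRN-1, a plain YRN-1 host,
# a host in 193.233.60.0/24 (in the /16 but outside 48..55), an outsider.
CLIENTS = {
    "in-cen":  {"ip": "193.233.50.7", "rdns": "ws1.uniyar.ac.ru"},
    "yrn":     {"ip": "193.233.50.8", "rdns": "ws2.example.test"},
    "yrn-60":  {"ip": "193.233.60.1", "rdns": "ws3.example.test"},
    "outside": {"ip": "10.0.0.5",     "rdns": "ws4.example.test"},
}


def decisions(yrn_mask):
    """Map each client to its (original, all-deny, all-allow) decisions."""
    acls = build_acls(yrn_mask)
    return {name: tuple(decide(rules, acls, client) for rules in
                        (RULES_ORIGINAL, RULES_ALL_DENY, RULES_ALL_ALLOW))
            for name, client in CLIENTS.items()}


def rulesets_agree(yrn_mask):
    """True when all three rule sets give the same answer for every client."""
    return all(len(set(d)) == 1 for d in decisions(yrn_mask).values())


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        print("YRN-1 mask", mask)
        for name, d in decisions(mask).items():
            print("  %-8s original=%-5s all-deny=%-5s all-allow=%s" % ((name,) + d))
```

Running it shows the three rule sets agree for every client under either mask, which is the point of the reply: the default-is-opposite-of-last rule lets the same policy be written all-deny, all-allow or mixed. The only thing that changes the outcome is the mask: with 255.255.0.0 the 193.233.60.0/24 host is inside YRN-1 and gets through, with 255.255.255.0 it is denied.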
