Re: [squid-users] Using both src and dst ACLs in a single http_access rule

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 30 Jul 2010 20:06:37 +1200

tony.carter_at_industry.nsw.gov.au wrote:
> squid 2.7 STABLE4
>
> We have a situation where we want to, on a single proxy server, keep a
> student subnet limited to internet access only while the remainder of the
> organisation can access both internal networks and the internet. Currently
> we have acls and http_access rules set up for internal users only
>
> Is it possible to specify both a src and dst acl in one http_access rule,
> ie, in one rule can I specify both src and dst limitations for the student
> subnet
>
> eg,
> acl limitedsrc src [IP Range...]
> acl limiteddst dst [IP Range...]
> http_access allow limitedsrc limiteddst
>
> I tried it out and it doesn't seem to work but I'd like to get some
> feedback on how I can best configure this. I checked the ACL FAQ on
> squid.org but nothing jumped out.

Two problems jump out:
  Firstly, you say students are allowed general internet access. Then
your rule only permits them to a small subset. Did you mean to actually
configure all the non-you public Internet IP ranges in that ACL?
  What I'd expect to see for that policy as stated is a "localnet" ACL
defining what the local ranges are. This way you permit access to
!localnet (not-local being the rest of the Internet).

You also forgot the http_access rule that penalizes them for bad access.
As I understand those policies your config needs to be ordered like this:

   ## Policy: "student subnet limited to internet access only"
   acl limitedsrc src [IP Range...]
   acl limiteddst dst [IP ranges...]
   http_access allow limitedsrc !limiteddst
   http_access deny limitedsrc

   ## Policy: "rest of the organization is not limited"
   http_access allow localnet

   ## followed by the blanket safety net
   http_access deny all

PS: these of course all go underneath the "deny !Safe_ports" and "deny
CONNECT !SSL_ports" safety rules.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Fri Jul 30 2010 - 08:06:43 MDT
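A small evaluator of Squid's http_access semantics (added here, not part of the thread or of Squid): terms on one line are ANDed, `!` negates a term, and the first matching line decides. The IP ranges are constructed stand-ins for the `[IP Range...]` placeholders, and the attempted config assumes the existing "internal users" rule is an `allow localnet`.

```python
import ipaddress

# Constructed sample ranges standing in for the "[IP Range...]" placeholders.
ACLS = {
    "limitedsrc": ("src", ["10.20.0.0/16"]),                  # student subnet
    "limiteddst": ("dst", ["10.0.0.0/8", "192.168.0.0/16"]),  # internal nets
    "localnet":   ("src", ["10.0.0.0/8", "192.168.0.0/16"]),  # whole org
    "all":        ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, src, dst):
    """src ACLs test the client address, dst ACLs the destination address."""
    kind, nets = ACLS[name]
    ip = ipaddress.ip_address(src if kind == "src" else dst)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def http_access(rules, src, dst):
    """Squid semantics: every term on a line must match (a leading '!'
    negates the term); the first matching line decides. With no match,
    the result is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), src, dst) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Attempted: the single allow line from the question, followed by the
# assumed existing allow for internal users. Students fall inside localnet,
# so nothing ever denies them.
ATTEMPTED = [
    ("allow", ["limitedsrc", "limiteddst"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]
# Fixed ordering from the reply: allow students to non-local destinations,
# deny students everything else, then the rest of the organization.
FIXED = [
    ("allow", ["limitedsrc", "!limiteddst"]),
    ("deny", ["limitedsrc"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

STUDENT, STAFF = "10.20.5.7", "10.1.2.3"            # constructed clients
INTERNAL, INTERNET = "192.168.1.10", "203.0.113.9"  # constructed destinations

if __name__ == "__main__":
    for label, rules in (("attempted", ATTEMPTED), ("fixed", FIXED)):
        for who, src in (("student", STUDENT), ("staff", STAFF)):
            for where, dst in (("internal", INTERNAL), ("internet", INTERNET)):
                print(f"{label:9} {who:7} -> {where:8}: {http_access(rules, src, dst)}")
```

Running it shows the attempted config allowing students to both internal hosts and the Internet, while the fixed ordering denies students internal destinations and still lets staff reach both.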
