tony.carter_at_industry.nsw.gov.au wrote:
> squid 2.7 STABLE4
>
> We have a situation where we want to, on a single proxy server, keep a
> student subnet limited to internet access only while the remainder of the
> organisation can access both internal networks and the internet. Currently
> we have acls and http_access rules set up for internal users only
>
> Is it possible to specify both a src and dst acl in one http_access rule,
> i.e., in one rule can I specify both src and dst limitations for the student
> subnet?
>
> e.g.,
> acl limitedsrc src [IP Range...]
> acl limiteddst dst [IP Range...]
> http_access allow limitedsrc limiteddst
>
> I tried it out and it doesn't seem to work but I'd like to get some
> feedback on how I can best configure this. I checked the ACL FAQ on
> squid.org but nothing jumped out.
Two problems jump out:
Firstly, you say students are allowed general internet access. Then
your rule only permits them to a small subset. Did you mean to actually
configure all the non-you public Internet IP ranges in that ACL?
What I'd expect to see for that policy as stated is a "localnet" ACL
defining what the local ranges are. This way you permit access to
!localnet (not-local being the rest of the Internet).
You also forgot the http_access rule that penalizes them for bad access.
As I understand those policies your config needs to be ordered like this:
## Policy: "student subnet limited to internet access only"
acl limitedsrc src [IP Range...]
acl limiteddst dst [IP ranges...]
http_access allow limitedsrc !limiteddst
http_access deny limitedsrc
## Policy: "rest of the organization is not limited"
http_access allow localnet
## followed by the blanket safety net
http_access deny all
PS: these of course all go underneath the "deny !Safe_ports" and "deny
CONNECT !SSL_ports" safety rules.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Fri Jul 30 2010 - 08:06:43 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 30 2010 - 12:00:04 MDT
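To see why the rule order in the reply matters, here is a small added model of Squid's http_access evaluation (first matching line wins, all ACLs on a line are ANDed, a leading "!" negates one ACL). It is example code written for this page, not part of the thread or of Squid; the IP ranges and the reconstruction of the poster's original rule set are constructed assumptions.

```python
import ipaddress

# Constructed sample ranges standing in for the thread's "[IP Range...]"
# placeholders (assumptions, not values from the original mail).
ACLS = {
    "limitedsrc": ("src", ["10.20.0.0/16"]),                  # student subnet
    "limiteddst": ("dst", ["10.0.0.0/8", "192.168.0.0/16"]),  # internal networks
    "localnet":   ("src", ["10.0.0.0/8", "192.168.0.0/16"]),  # whole organisation
    "all":        ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, src, dst):
    """True when the request's src or dst (per the ACL's type) is in the ACL."""
    kind, ranges = ACLS[name]
    addr = ipaddress.ip_address(src if kind == "src" else dst)
    return any(addr in ipaddress.ip_network(net) for net in ranges)

def parse_rules(text):
    """'http_access allow|deny acl [!acl ...]' lines -> list of (action, acls)."""
    return [(w[1], w[2:]) for w in map(str.split, text.splitlines())
            if w and w[0] == "http_access"]

def http_access(rules, src, dst):
    """Model Squid's evaluation: lines are tested top-down, every ACL on a line
    must match (AND; a leading '!' negates that ACL), first matching line wins."""
    for action, acls in rules:
        for acl in acls:
            negated = acl.startswith("!")
            if acl_matches(acl.lstrip("!"), src, dst) == negated:
                break                      # this line does not apply, try next
        else:
            return action
    # Squid's default when nothing matches is the opposite of the last action;
    # a closing 'deny all' keeps this branch from ever being reached.
    return "deny" if rules[-1][0] == "allow" else "allow"

AMOS_RULES = parse_rules("""
http_access allow limitedsrc !limiteddst
http_access deny limitedsrc
http_access allow localnet
http_access deny all
""")

# The poster's attempt: src and dst on one allow line and no deny for students.
ORIGINAL_RULES = parse_rules("""
http_access allow limitedsrc limiteddst
http_access allow localnet
http_access deny all
""")
```

Running a student request to an internal address through both rule sets shows the difference: the reply's ordering denies it at the "deny limitedsrc" line, while the original attempt lets it through on the first line, and a student request to the Internet falls through to "allow localnet" because the student subnet is inside the local ranges.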