Re: squid acl entries

From: Lionel Bouton <Lionel.Bouton@dont-contact.us>
Date: Wed, 05 Nov 1997 20:03:36 +0100

Miles Lott wrote:

> I am having problems excluding by IP address. This is
> to limit local usage only, so all users are on the same
> subnet. I enter the following:
>
> acl all src 192.168.253.193-192.168.253.224/255.255.255.0
> acl na1 src 192.168.253.2-192.168.253.192/255.255.255.0
> acl na2 src 192.168.253.225-192.168.253.254/255.255.255.0
>
> http_access deny na1
> http_access deny na2
> http_access allow all
>
> ...which somehow disables all in the range "all" and otherwise.
> If I leave out the na1 & na2 lines, the entire net is allowed
> based on src address. Do I have the syntax wrong?

I'm new to squid, but I didn't see many replies, so I'll try to help.

I don't think you have to use a netmask when you want to make an access list
based on a range of IP addresses.

Try instead:

   acl all src 192.168.253.193-192.168.253.224
   acl na1 src 192.168.253.2-192.168.253.192
   acl na2 src 192.168.253.225-192.168.253.254

I think that you want to allow only a subnet to access your proxy.
Why not simply use:

acl all src 0.0.0.0/0.0.0.0                    # here you use a network number, the whole
                                               # Internet, and the corresponding netmask.
acl subnet src 192.168.253.193-192.168.253.224 # here the IP address range of
                                               # your allowed users.

http_access allow subnet
http_access deny all

(remember access rules are tried sequentially, so the first acl which matches
an access is used to determine whether squid allows/denies the request -> access
granted only for the subnet)

It should explain why with your current config the entire net is disabled
too:
na1 refers to all addresses matching
192.168.253.2-192.168.253.192/255.255.255.0
and using the netmask you can guess every address in the range 192.168.253.1
- 192.168.253.254 matches the na1 acl.
Your first line is: http_access deny na1 -> you deny access to the whole
net.
In fact, in your config na1, na2 and all refer to the same net because of the
use of the netmask.

I have a doubt about your subnet range:
193->224
Isn't it 192->223?
Indeed 193 = 11000001 and 224 = 11100000.
They should be 11000000 and 11011111 in order to have all addresses
corresponding to 110?????. Then you could use:
192.168.253.192 for the network address and 255.255.255.224 for the
corresponding netmask
(224 = 11100000)

If you do so, you could use a different acl for your subnet, here using a
netmask:

acl subnet src 192.168.253.192/255.255.255.224

Hope it helps,

Lionel.
_________________________________________________

Lionel Bouton
French student @ Supelec
E-mail : Lionel.Bouton@supelec.fr
Snail-mail : 4, place Edouard Branly
              57070 Metz (France)
_________________________________________________
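The following is an added example, not code from either message in this thread and not Squid's own code. It models the behaviour the reply describes: an entry's netmask is applied to the client address and to both ends of a range before comparison (which is why a /24 mask on a range collapses it to the whole network), and http_access lines are tried in order with the first match deciding. It also checks, with Python's standard ipaddress module, that 193-224 is not an aligned block while 192-223 is the /27 with netmask 255.255.255.224. The two configs and the client addresses are constructed for the illustration; the no-match default (opposite of the last http_access line, allow when there are no lines) is Squid's documented rule, applied here as an assumption about the model.

```python
"""Model of Squid 'src' ACL matching and first-match http_access evaluation.

Added example for this thread; not code from the original messages or from
Squid. It models the semantics the reply describes: the entry's netmask is
applied to the client address and to both ends of a range before comparing,
and http_access lines are tried in order, the first match deciding.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_src(spec):
    """Parse one 'src' value into (low, high, mask) as integers.

    Accepts a.b.c.d, a.b.c.d/netmask, a.b.c.d/prefix, a.b.c.d-e.f.g.h and
    a.b.c.d-e.f.g.h/netmask. Both ends are masked (assumed model), which is
    what makes a /24 netmask on a range cover the whole network.
    """
    mask = ALL_ONES
    if "/" in spec:
        spec, mask_text = spec.split("/", 1)
        if "." in mask_text:
            mask = int(ipaddress.IPv4Address(mask_text))
        else:
            mask = int(ipaddress.IPv4Network(f"0.0.0.0/{mask_text}").netmask)
    low_text, _, high_text = spec.partition("-")
    low = int(ipaddress.IPv4Address(low_text)) & mask
    high = int(ipaddress.IPv4Address(high_text or low_text)) & mask
    return low, high, mask


def src_matches(entries, client):
    """True if the masked client address falls inside any entry."""
    addr = int(ipaddress.IPv4Address(client))
    return any(low <= (addr & mask) <= high for low, high, mask in entries)


def parse_config(text):
    """Return ({acl_name: [entries]}, [(action, acl_name)]) from config lines.

    Only 'acl NAME src ...' and 'http_access allow|deny NAME' are understood,
    which is all the thread uses. Text after '#' is treated as a comment.
    """
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) > 3 and words[2] == "src":
            acls.setdefault(words[1], []).extend(parse_src(s) for s in words[3:])
        elif words[0] == "http_access" and len(words) == 3:
            rules.append((words[1], words[2]))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return acls, rules


def decide(text, client):
    """Walk http_access in order; the first matching line decides.

    With no match, the default is the opposite of the last line; with no
    lines at all, the request is allowed.
    """
    acls, rules = parse_config(text)
    for action, name in rules:
        if src_matches(acls[name], client):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


def single_network(first, last):
    """Netmask form of a range if it is one aligned block, else None."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets[0].with_netmask if len(nets) == 1 else None


# Constructed configs: the original post's, then the reply's suggestion
# rewritten with the /27 netmask it derives.
ORIGINAL = """
acl all src 192.168.253.193-192.168.253.224/255.255.255.0
acl na1 src 192.168.253.2-192.168.253.192/255.255.255.0
acl na2 src 192.168.253.225-192.168.253.254/255.255.255.0
http_access deny na1
http_access deny na2
http_access allow all
"""

FIXED = """
acl all src 0.0.0.0/0.0.0.0
acl subnet src 192.168.253.192/255.255.255.224
http_access allow subnet
http_access deny all
"""

if __name__ == "__main__":
    for client in ("192.168.253.200", "192.168.253.50", "192.168.253.224", "10.0.0.1"):
        print(f"{client:16} original={decide(ORIGINAL, client):5} fixed={decide(FIXED, client)}")
    print(single_network("192.168.253.193", "192.168.253.224"))
    print(single_network("192.168.253.192", "192.168.253.223"))
```

Running it shows every client denied under the original config (na1 masked to /24 swallows the whole net, and an outside address falls through to the opposite of the final allow), while the netmask version admits only .192 through .223. Note that .224 is excluded once the range is replaced by a proper /27, exactly the off-by-one the reply raises.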
Received on Wed Nov 05 1997 - 11:23:14 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:27 MST