Re: Need to know more about ACLs

From: Ken Wolff <kenw@dont-contact.us>
Date: Sun, 24 Oct 1999 07:21:39 -0400

Ah, makes much more sense.

Thanks a lot!

At 12:50 AM 10/24/99 +0200, Henrik Nordstrom wrote:
>Ken Wolff wrote:
>
> > If I had 2 IPs that could get anywhere, then would I have 2 "Power" lines
> > as in...
> > acl Power src 172.20.1.1/0.0.0.0
> > acl Power src 172.20.1.2/0.0.0.0
>
>Not quite.
>
>The syntax is
>ip/netmask
>
>so both of the above match any source address (zero netmask).
>
>Single IP addresses can be expressed without the netmask part, as in
>acl Power src 172.20.1.1 172.20.1.2
>
>The whole network can be expressed as
>acl SomeNetwork src 172.20.1.0/255.255.255.0
>
> > If I had 3 IPs that get to some places...
> > acl People src 172.20.1.3/56.0.78.11
> > acl People src 172.20.1.3/206.132.41.203
>
>
>Again no.
>
>src* type ACLs match the client IP address.
>
>dst* type ACLs match the destination. Most of the time when matching
>destinations you use the dstdomain ACL for matching the host name part of
>the URL.
>
>
>
>The logic of http_access is like
>
>AND AND AND
>or
>AND AND AND
>
>
>A little bit bigger example with explanations:
>
># "all" matches everything/everyone
>acl all src 0.0.0.0/0
>
># PowerUsers matches IP addresses of power users
>acl PowerUsers src 172.20.1.1 172.20.1.2
>
># RestrictedUsers matches IP addresses of users with
># limited access
>acl RestrictedUsers src 172.20.1.3-172.20.1.5
>
># RestrictedSites matches IP addresses to sites where
># RestrictedUsers should have access.
>acl RestrictedSites dst 56.0.78.11 206.132.41.203
>
># Allow PowerUsers full access
>http_access allow PowerUsers
>
># Allow RestrictedUsers access to only RestrictedSites
>http_access allow RestrictedUsers RestrictedSites
>
># Deny access to everything not allowed above.
>http_access deny all
>
>--
>Henrik Nordstrom
>Squid hacker

--------------------------------------------------------------
Ken Wolff
Phone: 616-957-4949 Ext: 111
FAX: 616-957-1614
--------------------------------------------------------------
Received on Sun Oct 24 1999 - 05:30:36 MDT
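The matching rules Henrik describes (ip/netmask with a zero netmask matching everything, AND within an http_access line, OR across lines, first match wins) can be seen with a small model of that logic. This is an added example, not Squid's own code or anything from the thread: it is a simplified evaluator that handles only src/dst IP-style ACLs (no dstdomain), and the config text is a constructed copy of the quoted example.

```python
import ipaddress

# Constructed config mirroring the quoted example (assumed sample, not a real deployment).
CONFIG = """
acl all src 0.0.0.0/0
acl PowerUsers src 172.20.1.1 172.20.1.2
acl RestrictedUsers src 172.20.1.3-172.20.1.5
acl RestrictedSites dst 56.0.78.11 206.132.41.203
http_access allow PowerUsers
http_access allow RestrictedUsers RestrictedSites
http_access deny all
"""

def parse_addr(token):
    """Return an inclusive (low, high) integer range for 'ip', 'ip-ip', 'ip/len' or 'ip/mask'."""
    if "-" in token:
        lo, hi = token.split("-", 1)
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    # strict=False lets host bits be set; a dotted 0.0.0.0 mask becomes /0 (matches everything)
    net = ipaddress.ip_network(token, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_config(text):
    """Collect acl lines (same name may repeat) and http_access lines in order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            acls.setdefault(name, (kind, []))[1].extend(parse_addr(v) for v in values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, client_ip, dest_ip):
    """src ACLs look at the client address, dst ACLs at the destination address."""
    kind, ranges = acls[name]
    addr = int(ipaddress.ip_address(client_ip if kind == "src" else dest_ip))
    return any(lo <= addr <= hi for lo, hi in ranges)

def http_access(acls, rules, client_ip, dest_ip):
    """AND across the ACLs on one line, OR across lines: the first fully matching line wins."""
    for action, names in rules:
        if all(acl_matches(acls, n, client_ip, dest_ip) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

def decide(client_ip, dest_ip):
    acls, rules = parse_config(CONFIG)
    return http_access(acls, rules, client_ip, dest_ip)
```

Running decide("172.20.1.4", "10.0.0.1") returns "deny" because the second line needs both RestrictedUsers and RestrictedSites to match.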

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:49:03 MST