Re: [SQU] ACL PROBLEM

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 26 Dec 2000 15:30:10 +0100

http_access is read top-down, stopping at the first line that fully
matches. So with the given configuration, stations matching webm will
always be denied access.

Second, netmasks are netmasks. 192.168.0.4/255.255.255.0 is the whole
192.168.0 network since the netmask masks the .4 away. If you want a
full IP then don't use a netmask, or use a full netmask (/32 or
/255.255.255.255) (note: Specifying a full netmask is required if the IP
ends in .0, or else Squid will assume you want the network). It can be
argued that Squid should reject masked addresses where the masked away
part is not all zero.

Third, to make the rules easier most ACL types allow a list of possible
things to match.

Fourth, if an address is not allowed, it is denied.

acl all src 0.0.0.0/0
acl sever src 192.168.0.1-192.168.0.3/32 192.168.0.5-192.168.0.18/32
acl worktime1 time MTWHF 7:00-9:00
acl worktime2 time MTWHF 12:00-14:00
http_access allow sever worktime1
http_access allow sever worktime2
http_access deny all

or if you want to explicitly mention webm in your configuration even if
not strictly required:

acl ...
acl webm src 192.168.0.4/32
http_access deny webm
http_access ...

--
Henrik Nordstrom
Squid hacker

Sinisa Malesevic wrote:
> 
> I have this:
> __________________________________________________
> acl sever src 192.168.0.1-192.168.0.3/255.255.255.0
> acl sever2 src 192.168.0.5-192.168.0.18/255.255.255.0
> acl webm src 192.168.0.4/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> acl worktime1 time MTWHF 7:00 -9:00
> acl worktime2 time MTWHF 12:00-14:00
> 
> http_access deny webm
> http_access allow sever worktime1
> http_access allow sever worktime2
> http_access allow sever2 worktime1
> http_access allow sever2 worktime2
> http_access deny all
> _____________________________________________
> and no one gets access
> 
>  I want to deny 192.168.0.4,  and allow sever and sever2 in worktime1
> and worktime2, as you can see in the ACL .
> 
> What is wrong???????
> 
> Sinisa!
> malesevic@sever.co.yu
Received on Tue Dec 26 2000 - 16:07:17 MST
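
An added example, not part of the original post or Squid's own code: a simplified Python model of the netmask and first-match behaviour described in the reply, run over the original and the corrected rule sets. The parsing is an approximation for illustration, and time ACLs are reduced to a set of currently active names (`active_times` is a hypothetical parameter).

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def src_acl(spec):
    """Parse 'addr[-addr2][/mask]' to (low, high, mask); the mask is applied to both ends."""
    addrs, _, mask = spec.partition("/")
    lo, _, hi = addrs.partition("-")
    if not mask:
        m = 0xFFFFFFFF                  # simplification: bare address = one host
    elif mask.isdigit():
        m = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    else:
        m = ip(mask)
    return ip(lo) & m, ip(hi or lo) & m, m

def acl_matches(entries, client):
    # An ACL may list several values; any one matching is enough.
    return any(lo <= (ip(client) & m) <= hi for lo, hi, m in entries)

def http_access(rules, acls, client, active_times):
    """Read top-down; the first rule whose ACLs all match decides."""
    for action, names in rules:
        if all(acl_matches(acls[n], client) if n in acls else n in active_times
               for n in names):
            return action
    return "deny"  # not reached here: both rule sets end in "deny all"

# The configuration from the question: every mask is 255.255.255.0.
ORIGINAL_ACLS = {
    "sever":  [src_acl("192.168.0.1-192.168.0.3/255.255.255.0")],
    "sever2": [src_acl("192.168.0.5-192.168.0.18/255.255.255.0")],
    "webm":   [src_acl("192.168.0.4/255.255.255.0")],
    "all":    [src_acl("0.0.0.0/0.0.0.0")],
}
ORIGINAL_RULES = [("deny", ["webm"]),
                  ("allow", ["sever", "worktime1"]), ("allow", ["sever", "worktime2"]),
                  ("allow", ["sever2", "worktime1"]), ("allow", ["sever2", "worktime2"]),
                  ("deny", ["all"])]

# The corrected configuration from the reply: /32 masks, one ACL with two ranges.
FIXED_ACLS = {
    "all":   [src_acl("0.0.0.0/0")],
    "sever": [src_acl("192.168.0.1-192.168.0.3/32"),
              src_acl("192.168.0.5-192.168.0.18/32")],
}
FIXED_RULES = [("allow", ["sever", "worktime1"]), ("allow", ["sever", "worktime2"]),
               ("deny", ["all"])]
```

With the /24 mask, `webm` covers every 192.168.0.x client, so the first `deny` line ends evaluation for all of them; with /32 masks only the listed hosts match `sever`, and 192.168.0.4 falls through to `deny all`.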
