[squid-users] Unable to block CONNECT

From: Klas Axelsson <Klas.Axelsson@dont-contact.us>
Date: Mon, 16 Jul 2001 12:21:28 +0100

Some ACL problems; I haven't been able to figure this out from the
documentation.

I'm getting entries like this one in my access log

995278856.271 18466 XX.XX.XX.XX TCP_MISS/000 382 CONNECT hebron.dal.net:6664 - DIRECT/hebron.dal.net -

The IP is not in "localfakenet", nor in "localbackupnet", and from
turning on debugging it seems like it's matched against "all".

Shouldn't "deny CONNECT !SSL_ports" stop CONNECT on all ports except 443
and 563? And shouldn't access for everyone be denied for all methods with
the given rules? GET is blocked for everyone outside localfakenet and
localbackupnet, but CONNECT is open.

Here's a part of squid.conf:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localfakenet src 10.0.0.0/16
acl localbackupnet src XX.XX.XX.XX/29
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

from squid.conf
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localfakenet
http_access allow localbackupnet
http_access deny all

icp_access allow localfakenet
icp_access allow localbackupnet
icp_access deny all

miss_access deny CONNECT !SSL_ports
miss_access allow localfakenet
miss_access allow localbackupnet
miss_access deny all

Thanks
Klas Axelsson
Senior Developer

exaxe
20 Fitzwilliam Square
Dublin 2
Ireland
http://www.exaxe.com/
Telephone: +353-1-661 8630
Fax: +353-1-661 8650

----------------------------------------------------------------

The opinions, conclusions and other information expressed in the above
message, or contained within attachments to the above message, are not given
or endorsed by exaxe Ltd unless otherwise indicated by an authorised
representative independent of this message
Received on Mon Jul 16 2001 - 05:22:43 MDT
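Added example (my own code, not from the post or from Squid): a small Python model of how Squid evaluates http_access lines (ACLs on one line are ANDed, the first matching line wins, and an unmatched request gets the opposite of the last line's action), run against the rules quoted in the post to show which line a CONNECT to port 6664 from an outside address hits. The masked localbackupnet prefix is replaced by the constructed placeholder 192.0.2.0/29, the outside client 203.0.113.9 is constructed, and the two manager lines are omitted because they only affect cache_object requests; the model shows what the rules say should happen, not why the logged entry appeared.

```python
import ipaddress

# ACL definitions taken from the squid.conf excerpt in the post; the masked
# localbackupnet prefix is replaced by the placeholder 192.0.2.0/29.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localfakenet": ("src", ["10.0.0.0/16"]),
    "localbackupnet": ("src", ["192.0.2.0/29"]),   # placeholder for XX.XX.XX.XX/29
    "localhost": ("src", ["127.0.0.1/32"]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                            (210, 210), (1025, 65535), (280, 280), (488, 488),
                            (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
}

# http_access lines in the order they appear in the post (manager lines omitted).
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localfakenet"]),
    ("allow", ["localbackupnet"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    """Evaluate one ACL reference (optionally negated with '!') against a request."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        hit = any(src in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = any(lo <= req["port"] <= hi for lo, hi in values)
    else:  # method
        hit = req["method"] in values
    return hit != negate

def http_access(req):
    """Squid rule: ACLs on one line are ANDed; the first line that matches decides."""
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, req) for n in names):
            return action, f"{action} {' '.join(names)}"
    last = HTTP_ACCESS[-1][0]   # no line matched: Squid applies the opposite of the last action
    return ("allow" if last == "deny" else "deny"), "implicit default"

# The CONNECT from the access log entry, sent from a constructed outside address.
print(http_access({"src": "203.0.113.9", "method": "CONNECT", "port": 6664}))
```

Port 6664 falls inside the 1025-65535 Safe_ports range, so the request passes the first line and is then stopped by "deny CONNECT !SSL_ports", which is the behaviour the post expects.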

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:08 MST