Re: [squid-users] Squid-2.4-STABLE7 http_access breaks when Netfilter REDIRECT turned on/off/on

From: per jarevez <perj8@dont-contact.us>
Date: Tue, 17 Jun 2003 00:48:24 +0000

> > #
> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> > #
> > http_access allow myAllow all <---- becomes "http_access allow all" after Netfilter REDIRECT is switched back on.
> > http_access deny myDeny all
> > http_access allow localhost
> > http_access allow intranet
> > # And finally deny all other access to this proxy
> > http_access deny all
>
>
>Are you really sure the above is what you want?
>
>http_access allow myAllow all
>
>gives everyone in the whole world access to any sites matching
>"myAllow".
>
>
>I think what you want is
>
> http_access allow localhost
> http_access allow myAllow intranet
> http_access deny myDeny
> http_access allow intranet
>
>
>Regarding the Netfilter issue, what do you get in access.log?
>

The problem here is that "http_access allow myAllow all" lets people load pages
that _match myDeny_ and _do not match_ myAllow. Repeat: URLs that match myDeny
but NOT myAllow are going through for a box on the intranet! This is the
problem.

1055809010.610 17 10.1.0.100 TCP_IMS_HIT/304 201 GET http://global.msads.net/ads/PROHO2/00292SI0005_D1.gif - NONE/- image/gif
1055809010.624 160 10.1.0.100 TCP_MISS/200 464 GET http://h.msn.com/c.gif?RF=http%3a%2f%2fsea1fd%2esea1%2ehotmail%2emsn%2ecom%2fcgi%2dbin%2fHoTMaiL%3fcurmbox%3dF000000005%26a%3d7XXXXXXXXXXXXXXX3f9ce%26DoEmpty%3d1&PI=44364&DI=7474&PS=8315 - DIRECT/207.68.177.123 image/gif
1055809010.772 147 10.1.0.100 TCP_REFRESH_HIT/304 191 GET http://global.msads.net/ads/HOTBOS/0010395240007_LG.gif - DIRECT/63.236.2.126 -

The above matches myDeny only (and not myAllow) and it's going through!!
http_access should have DENIED this!

I have to restart Squid for "http_access allow myAllow all" to work properly
again, i.e. deny pages that match myDeny and do not match myAllow.

After I restart squid it works properly and I get this...
1054901999.504 44 10.1.0.100 TCP_DENIED/403 1052 GET http://ad.doubleclick.net/ad/N2434.msn/B1178769;sz=1x1 - NONE/- -
1054901999.666 51 10.1.0.100 TCP_DENIED/403 1058 GET http://global.msads.net/ads/abuimg/chrysler_msn_otp_4.swf - NONE/- -
1054902000.359 204 10.1.0.100 TCP_REFRESH_HIT/304 319 GET http://sc.msn.com/c/portal/misc/tp.gif - DIRECT/207.68.172.236 -

because it matches myDeny only (doesn't match myAllow).

But after I switch off Netfilter REDIRECT for a few hours and then switch
Netfilter REDIRECT back on, the problem returns: Squid is allowing
everything through, even requests that match myDeny only.

Received on Mon Jun 16 2003 - 18:48:28 MDT
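As an added illustration (not from this thread or from the Squid project), the following Python simulates how Squid evaluates http_access lines, so the ordering from the original message and the ordering proposed in the reply can be compared side by side. The acl definitions (the src ranges and url_regex patterns behind localhost, intranet, myAllow and myDeny) are constructed assumptions, since the thread does not show them.

```python
import ipaddress
import re

# Constructed ACL definitions (assumed; the thread does not show the acl lines).
# Each ACL is a predicate over (client address, requested URL).
ACLS = {
    "all": lambda src, url: True,
    "localhost": lambda src, url: src == ipaddress.ip_address("127.0.0.1"),
    "intranet": lambda src, url: src in ipaddress.ip_network("10.1.0.0/16"),
    "myAllow": lambda src, url: re.search(r"hotmail", url) is not None,       # url_regex
    "myDeny": lambda src, url: re.search(r"/ads/|doubleclick", url) is not None,  # url_regex
}

# The ordering from the original message and the ordering proposed in the reply.
ORIGINAL = """
http_access allow myAllow all
http_access deny myDeny all
http_access allow localhost
http_access allow intranet
http_access deny all
"""
SUGGESTED = """
http_access allow localhost
http_access allow myAllow intranet
http_access deny myDeny
http_access allow intranet
http_access deny all
"""

def parse_http_access(config_text):
    """Return the http_access lines as (action, [acl names]) in file order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def decide(config_text, src, url):
    """Squid semantics: a line matches only when every ACL on it matches
    (a '!' prefix negates one ACL); the first matching line decides; if no
    line matches, the result is the opposite of the last line's action."""
    rules = parse_http_access(config_text)
    addr = ipaddress.ip_address(src)
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](addr, url) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def compare(src, url):
    """Decision under (ORIGINAL, SUGGESTED), e.g. ('allow', 'deny')."""
    return decide(ORIGINAL, src, url), decide(SUGGESTED, src, url)
```

Because "all" always matches, "allow myAllow all" is simply "allow myAllow" for every source address, which is why an outside client reaching a myAllow URL is allowed under the original ordering but denied under the suggested one; an intranet client fetching a myDeny-only URL is denied under both, which is the behaviour the restarted Squid shows in the access.log above.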

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:23 MST