hi,
we want to block access to urls containing private ips like
local-lan -> "internet-squid" -> firewall -> squid-dmz
we want or have to block access on "internet-squid". this squid will
then forward all the queries to proxy "squid-dmz", which is connected to
the internet. only squid-dmz can or should do dns-lookups.
our acl rules on "internet-squid":
file dst_privateip
# class A, 10.0.0.0/8
# class B, 172.16.0.0/12
# class C, 192.168.0.0/16
10.0.0.0/255.0.0.0
172.16.0.0/255.240.0.0
192.168.0.0/255.255.0.0
squid.conf
acl dst_privateip dst "dst_privateip"
http_access deny all dst_privateip
problem is that "internet-squid" will do dns-lookups with "dst". our
internal dns-server doesn't know any addresses from the internet. so there
are way too many queries.
how can we prevent access to those urls? which is the best way to write the
acl? url_regex? is there any chance to have a dst acl without
dnslookups?
markus
Received on Fri Apr 20 2007 - 02:44:25 MDT
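
Added example, not part of the original post: a url_regex ACL matches the text of the request URL, so it needs no DNS lookup. The sketch below builds one POSIX-ERE-compatible pattern for the three ranges listed in dst_privateip and checks it against constructed URLs. The function name, ACL name and file path are assumptions. It only catches literal dotted-quad hosts; a hostname that resolves to a private address is not covered.

```python
import re

# POSIX ERE compatible (no lookarounds), so the printed pattern can be put
# in a Squid url_regex ACL file. Hypothetical usage, not from the post:
#   acl url_privateip url_regex -i "/etc/squid/url_privateip"
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
PRIVATE_NET = (
    r"(10\." + OCTET + r"|"            # 10.0.0.0/8
    r"172\.(1[6-9]|2[0-9]|3[01])|"     # 172.16.0.0/12
    r"192\.168)"                       # 192.168.0.0/16
)
PRIVATE_URL_ERE = (
    r"^([a-z][a-z0-9+.-]*://)?"        # optional scheme (CONNECT has none)
    r"([^/@]*@)?"                      # optional userinfo before the host
    + PRIVATE_NET + r"\." + OCTET + r"\." + OCTET +
    r"(:[0-9]+)?(/|\?|$)"              # optional port, then end of host
)
_PRIVATE_URL = re.compile(PRIVATE_URL_ERE, re.IGNORECASE)


def is_private_ip_url(url: str) -> bool:
    """True if the URL's host is a literal RFC 1918 address (no DNS used)."""
    return _PRIVATE_URL.search(url) is not None


# Constructed sample requests: (URL as the proxy sees it, expected result).
SAMPLES = [
    ("http://10.1.2.3/", True),
    ("http://172.16.0.1:8080/admin", True),
    ("http://172.31.255.255/", True),
    ("http://172.32.0.1/", False),             # just outside the /12
    ("http://192.168.1.1", True),
    ("192.168.1.1:443", True),                 # CONNECT form, host:port
    ("http://user@10.0.0.1/", True),
    ("http://110.0.0.1/", False),              # public, only contains "10."
    ("http://10.example.com/", False),         # hostname, not an address
    ("http://10.0.0.1.example.com/", False),
    ("http://www.example.com/?u=http://10.0.0.1/", False),
]


def mismatches():
    """Return the samples where the pattern disagrees with the expectation."""
    return [(u, e) for u, e in SAMPLES if is_private_ip_url(u) != e]


if __name__ == "__main__":
    print(PRIVATE_URL_ERE)                     # one line for the ACL file
    print("mismatches:", mismatches())
```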