Re: [squid-users] Squid rules analyser

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 17 Jun 2009 15:10:54 +1200

On Tue, 16 Jun 2009 16:14:27 +0200, Alberto Cappadonia
<alberto.cappadonia_at_polito.it> wrote:
> Dear squid users,
>
> we are developing a Java-based tool to analyse content filtering rules
> (acl, http_access,...) for squid.
>
> The objective is to provide administrators with a tool able to help them
> in identifying potential mistakes in the squid configuration.
>
> More in detail, the aims are:
> - identifying conflicts and anomalies in squid configuration file
> - presenting anomalies to the administrators for further decisions
> (e.g., mistakenly empty rules, acl intersection areas, hidden rules)
> - optimising rules by removing redundant or shadowed rules
>
> The conflict model is the geometric/algebraic one presented in this paper:
> http://security.polito.it/doc/pub_r/policy2008.pdf
>
> The tool fully supports basic set operations for all the acl types in
> squid v3.0 (IP addresses, ports, proto and all the ones based on regular
> expressions, ...).
>
>
> The workflow of the tool is briefly:
> - read and parse squid.conf for content filtering rules (internal
> geometric rule representation)
> - analyse rules for potential conflicts and anomalies
> - interact with the administrators
> - export the optimised and anomaly-free squid.conf
>
>
> We finished the conflict detector and resolver engine, the parser and we
> are improving the GUI for reporting the anomalies to administrators. We
> guess we will have the beta version in a couple of weeks.
>
>
> We will be glad if you can give your opinion about the tool (especially
> about improvement and integrations) in order to make it as effective as
> possible. For this, if there is some developer/administrator that is
> interested in using/testing it (or at least providing us with a few real
> configuration files) it will be very useful.
>
> Regards,
> Cataldo Basile
> Alberto Cappadonia

Wonderful. This will make a perfect companion to the online config
validator I wrote for 3.0 (and must get to upgrading again soon for 3.1).

Is the tool able to be published for general public use anywhere? If so, I
can probably reference interested people to it.

Does it handle all the options that use "ACLlist"?

Amos
Received on Wed Jun 17 2009 - 03:10:59 MDT
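
The kinds of anomaly named in the quoted announcement (empty rules, shadowed rules, redundant rules) can be illustrated on http_access lines with the following added example, which is not the announced tool's code and does not implement the paper's model. It assumes IPv4 CIDR `src` ACLs only, no `!` negation, and Squid's first-match evaluation order; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress

# Constructed sample rules (not from the thread); IPv4 CIDR "src" ACLs only.
SAMPLE_CONF = """\
acl lan src 10.0.0.0/8
acl lab src 10.1.2.0/24 10.1.3.0/24
acl printers src 10.9.0.0/16
acl guest src 192.168.50.0/24
http_access deny lab
http_access allow lan
http_access allow lab
http_access allow printers
http_access deny lan guest
"""

def parse(conf):
    """Return ({acl: [networks]}, [(line, action, [acls])]); ACL values are ORed."""
    acls, rules = {}, []
    for text in conf.splitlines():
        tok = text.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            acls.setdefault(tok[1], []).extend(map(ipaddress.ip_network, tok[3:]))
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((text.strip(), tok[1], tok[2:]))
    return acls, rules

def match_set(names, acls):
    """Source networks matched by one http_access line (its ACLs are ANDed).
    CIDR blocks are nested or disjoint, so an overlap is the smaller block."""
    current = [ipaddress.ip_network("0.0.0.0/0")]
    for name in names:
        current = [a if a.subnet_of(b) else b for a in current
                   for b in acls[name] if a.subnet_of(b) or b.subnet_of(a)]
    return list(ipaddress.collapse_addresses(current))

def analyse(conf):
    """Return [(kind, line, earlier covering line or None)] in file order."""
    acls, rules = parse(conf)
    findings, seen = [], []
    for line, action, names in rules:
        nets = match_set(names, acls)
        if not nets:
            findings.append(("empty", line, None))
        for prev_line, prev_action, prev_nets in seen if nets else []:
            if all(any(n.subnet_of(p) for p in prev_nets) for n in nets):
                kind = "redundant" if prev_action == action else "shadowed"
                findings.append((kind, line, prev_line))
                break
        seen.append((line, action, nets))
    return findings
```

Each finding names the first earlier line that already decides every source address the later line would match; a line covered only by the union of several earlier lines is not reported by this pairwise check.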
