Re: [squid-users] Acls that block by ip address and dhcp addresses

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 Jul 2009 19:39:37 +1200

Dylan Palmboom wrote:
> Hi
>
> I have searched all over for an answer to this but could not find
> anything...
>
> Please could someone explain to me what the best practice is when it comes
> to
> blocking ip addresses in a dhcp environment. If I block an ip address with
> eg.
>
> acl BlockedHost src 192.168.1.15
> http_access deny BlockedHost
>
> What happens one day when the ip address changes to eg. 192.168.1.18?
> Will the user with the original ip address no longer be blocked?
> Please let me know what other people usually do in this situation. It would
> help a lot.
>

Depending on your network you may have a few options:

  * Have the DHCP server assign a static IP to the machine being
blocked. All the DHCP servers I've seen can map a specific IP based on
the EUI-64/MAC address of the requesting host. This only works for a few
specific exceptions to the general policy. It gets to be a management
nightmare with too many exceptions.

  * rDNS - if the DHCP server is either assigning "fixed" IPs to
machines listed in DNS or is updating the DNS with every IP assignment.
Squid can use the srcdomain ACL and DNS to find the registered hostname
despite the IP. This requires you getting rDNS operating correctly and
automatically on your network.

  * ARP protocol - This requires either a flat network where every
machine connects directly to the Squid box with zero intermediate boxes
(dumb switches and hubs don't count), or network-wide proxy-ARP enabled.
   Each machine connecting to Squid can be uniquely identified by its
EUI-64 (MAC) address instead of its IP.

  * IDENT protocol - This one is simple to configure. But many firewalls
are set up to block it by default (it can be abused by other
parties to attack the network). Returns a name for either the user
currently logged into the machine or if there is none I think it returns
the machine hostname.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
   Current Beta Squid 3.1.0.12
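The four approaches above, written out as squid.conf ACL lines. This is an added example, not configuration from the thread or from the Squid project; the ACL names, the MAC address, the hostname and the ident user name are placeholders, and the subnet is the one from the question.

```squid
# Added example (not from the original thread): one acl/http_access pair
# per approach. Names, MAC, hostname and user name are placeholders.

# 1. Fixed IP via a DHCP reservation: the Squid side stays exactly as in
#    the question, the DHCP server guarantees the host keeps this address.
acl BlockedHost src 192.168.1.15
http_access deny BlockedHost

# 2. rDNS: match the reverse-DNS name that the DHCP/DNS integration
#    registers for the client. Squid looks up the PTR record of the
#    client IP and compares it against the listed domain.
acl BlockedByName srcdomain blockedpc.lan.example
http_access deny BlockedByName

# 3. ARP: match the client's MAC (EUI-48) address. Only meaningful when the
#    client is in the same broadcast domain as Squid (or proxy-ARP is in
#    use); the arp ACL type requires a Squid built with --enable-arp-acl.
acl BlockedMac arp 00:11:22:33:44:55
http_access deny BlockedMac

# 4. IDENT: ask the client host (RFC 1413, TCP port 113) who owns the
#    connection. Squid performs the lookup when an ident ACL is evaluated.
#    If the lookup is blocked by a firewall the ACL simply does not match,
#    so the deny never fires; the user is NOT blocked in that case.
acl BlockedUser ident blocked_user
http_access deny BlockedUser

# Deny lines must come before the general allow: http_access is
# first-match.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

Run `squid -k parse` after editing to catch syntax errors (and to confirm the `arp` type is available in your build), then `squid -k reconfigure` to load the change without restarting. Whichever method is chosen, confirm it with a request from the blocked machine and check access.log: a TCP_DENIED line shows the ACL matched, while an allowed request means the identifier (PTR name, MAC or ident reply) did not resolve the way the ACL expects.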
Received on Tue Jul 28 2009 - 07:39:52 MDT
