Re: [squid-users] block every thing and allow skype only

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 19 Aug 2009 00:34:44 +1200

Muhammad Sharfuddin wrote:
> Squid Cache: Version 2.7.STABLE5
>
> 'allowed_websites.txt' is a text file, contains some websites that every
> one can access.
> 'ipes.txt' is a text file, contains my LAN IPs.
> 'skype_servers_ip.txt' is a text file, contains almost 65 IPs of skype
> servers. I found the skype IPs from the squid log, and as per the squid log,
> skype connects to these servers via 'CONNECT skype_server_ip:443'
>
> I just want to allow 'allowed_websites' and skype to my lan
>
> acl allowed_websites url_regex -i "/etc/squid/allowed_websites.txt"
> http_access allow allowed_websites
>
> acl skype_servers_ip dst "/etc/squid/skype_servers_ip.txt"
> http_access allow skype_servers_ip
>
> acl mynet src "/etc/squid/ipes.txt"
> http_access deny mynet
>
> skype is not working on the client side, and the reason is clear: as per
> the squid logs, every time skype connects to a different/another
> server (which is obviously not listed in 'skype_servers_ip.txt'), and
> then I have to add those servers into 'skype_servers_ip.txt', so it's a
> never-ending exercise.
>
> In short, skype connects to its servers via IPs, and not via
> domains (e.g. MSN-Messenger connects to '.live.messenger.com'
> or '.live.hotmail.com', so by allowing these domains, MSN-Messenger can
> work)
>
> please advise/suggest how I can achieve my target.

You cannot. As you noticed, it's a fast-moving target.

Every new Skype customer and every Skype customer on Dialup means more
IPs you need to add to your whitelist.

The only way to get there is to whitelist the source of the connection
(your safe clients) for skype access, but allow them to connect outward to
anyone. (CONNECT + dstdom_regex with an IP matching pattern).

You might get around the inbound problem by writing a script to watch
what IPs they connect out to frequently and allow those inbound. But
that is not really safe either, since Skype connections are a P2P
protocol, hopping from one PC to the next until a link is made to the
real destination and it settles down.

Amos

>
> Regards
> --ms
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Tue Aug 18 2009 - 12:34:51 MDT
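A squid.conf fragment for the approach Amos describes, added here as an illustration; it is not from the original thread or from the Squid project. The 'skype_clients.txt' file and the skype_clients / raw_ip_dst ACL names are assumed; the other file names are the ones from the original post.

```conf
# Squid 2.7 style. CONNECT, SSL_ports and all are normally already defined
# in the default squid.conf; they are repeated here so the fragment is complete.
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
acl SSL_ports port 443

acl mynet src "/etc/squid/ipes.txt"
# Assumed: a separate, short list of the LAN hosts that are trusted to run Skype.
acl skype_clients src "/etc/squid/skype_clients.txt"
acl allowed_websites url_regex -i "/etc/squid/allowed_websites.txt"

# Matches a destination written as a bare IPv4 literal (how Skype addresses
# its servers), rather than a hostname. Squid matches the host part of the
# CONNECT request ("1.2.3.4:443" -> host "1.2.3.4") against this pattern.
acl raw_ip_dst dstdom_regex ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$

# Rules are first-match, so order matters.
# 1. Never tunnel to anything but port 443.
http_access deny CONNECT !SSL_ports
# 2. Trusted Skype hosts may CONNECT to any IP-literal:443 destination.
#    This is the trade-off Amos points out: the destination itself is not
#    verified, so keep the source list small.
http_access allow skype_clients CONNECT raw_ip_dst
# 3. Everyone on the LAN gets the explicitly allowed sites.
http_access allow mynet allowed_websites
# 4. Everything else is refused.
http_access deny all
```

Check the effect with `squid -k parse` before reloading, and watch access.log for TCP_DENIED lines from the Skype hosts to confirm only IP-literal CONNECTs on 443 are getting through.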

This archive was generated by hypermail 2.2.0 : Tue Aug 18 2009 - 12:00:03 MDT