Re: [squid-users] srcdomain acl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 09 Oct 2009 10:55:45 +1300

On Thu, 8 Oct 2009 12:32:51 -0400 (CDT), "Hermidio A. Rodriguez Chavez"
<hermidio.rodriguez_at_ipiscpt.rimed.cu> wrote:
> Hi all
>
> I would like to give access across my proxy based on srcdomain and src ACLs. I
> think srcdomain checks the reverse PTR record first and src the IP, then if
> the user passes they go to the Internet. Here's my conf, and access is denied to
> the user:
>
> acl src_home srcdomain pruebacorreo.domain.local
> acl src_ip src 10.1.0.24
>
> http_access allow src_ip src_home
>
> the client computer is pruebacorreo.domain.local with ip 10.1.0.24
>
> Thanks in advance
>
> Hermidio

Yes, srcdomain is based on the rDNS PTR record, which is directly based on
the src IP.

The srcdomain + src test you have is completely redundant. Squid will check
that the IP is 10.1.0.24 and then that the srcdomain PTR record for
10.1.0.24 equals pruebacorreo.domain.local.

This is an excellent way of blocking all your users' access when the DNS
admin has made a typo or changed the PTR record for the 10.1.0.24 machine.
The only noticeable benefit over using src by itself is that it can be used
along with automatic DDNS to see if the host assigned 10.1.0.24 has renewed
its IP lease recently, provided the user of that machine has not changed
the OS or hostname.

Also note: "domain.local" is a private domain registered for Microsoft
internal NetBIOS usage (now deprecated for obsoletion) and must not be
registered in any public DNS. Client software seeking such domains in the
public DNS is participating in an ongoing DDoS against the DNS root
servers. Please use a valid public domain name; they are very cheap and
sometimes free.

Amos
Received on Thu Oct 08 2009 - 21:55:49 MDT
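To make Amos's point concrete, here is a small added simulation (not Squid's code and not from either poster) of how one `http_access allow src_ip src_home` line is evaluated: the `src` ACL matches the connecting IP directly, while `srcdomain` depends on the PTR record for that IP, so a single typo in the reverse zone denies the machine. The PTR tables are constructed stand-ins for the reverse-DNS zone a real resolver would query.

```python
"""Simulation of how Squid evaluates the poster's two ACLs on one http_access
line. Added illustration, not Squid's code; the PTR tables below are constructed
and stand in for the reverse-DNS zone a real resolver would query."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed reverse zones. The second models the "DNS admin typo" case.
ZONE_OK: Dict[str, str] = {"10.1.0.24": "pruebacorreo.domain.local"}
ZONE_TYPO: Dict[str, str] = {"10.1.0.24": "pruebacoreo.domain.local"}  # one 'r' lost

def acl_src(client_ip: str, network: str, _zone: Dict[str, str]) -> bool:
    """`acl NAME src 10.1.0.24`: match the connecting IP; no DNS involved."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(network, strict=False)

def acl_srcdomain(client_ip: str, pattern: str, zone: Dict[str, str]) -> bool:
    """`acl NAME srcdomain host.example`: Squid looks up the PTR of the client IP
    and compares it with the pattern. No PTR, or a mistyped PTR, is a non-match."""
    ptr: Optional[str] = zone.get(client_ip)
    if ptr is None:
        return False
    ptr = ptr.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("."):          # ".domain.local" also matches subdomains
        return ptr == pattern[1:] or ptr.endswith(pattern)
    return ptr == pattern                 # bare name: exact match only

AclTest = Tuple[Callable[[str, str, Dict[str, str]], bool], str]

def http_access(client_ip: str, line: List[AclTest], zone: Dict[str, str]) -> str:
    """One `http_access allow A B ...` line: every ACL on it must match (AND)."""
    return "allow" if all(fn(client_ip, arg, zone) for fn, arg in line) else "deny"

# The poster's rule: `http_access allow src_ip src_home`
POSTERS_LINE: List[AclTest] = [(acl_src, "10.1.0.24"),
                               (acl_srcdomain, "pruebacorreo.domain.local")]
# Amos's point: `src` alone already pins the client to 10.1.0.24.
SRC_ONLY_LINE: List[AclTest] = [(acl_src, "10.1.0.24")]

if __name__ == "__main__":
    for label, zone in (("correct PTR", ZONE_OK), ("typo in PTR", ZONE_TYPO)):
        print(f"{label:12s} src+srcdomain -> {http_access('10.1.0.24', POSTERS_LINE, zone)}"
              f" | src only -> {http_access('10.1.0.24', SRC_ONLY_LINE, zone)}")
```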