[squid-users] ACLs scenario

From: Konrado Z <konradoz_at_partyinfo.com.pl>
Date: Fri, 29 Oct 2010 22:03:13 +0200

Hello,
I've been given homework connected with ACLs in Squid. Unfortunately
there is no way to simulate the environment, so I wrote the acl rules off
the top of my head. So please, check it.

Probably there is a mistake in the scenario. Designers and programmers
are in the same subnet and they should have different rules, which I
think is impossible. I know that it's long, but I've tried to write it
clearly. So please, be patient and help.

Scenario given.
The president has a PC and a notebook with MACs specified (08:00:27:81:08:73
and 08:00:27:84:24:BF).
Managers have three notebooks with MACs specified
(08:00:27:E7:D5:37, 08:00:27:82:59:C5, 08:00:27:C3:BE:B8).
Designers and programmers have computers in the 192.168.2.0 subnet
(their PCs are DHCP clients).
An administrator has a notebook with MAC 08:00:27:EB:D7:94.
A secretary and an accountant have PCs in the 192.168.3.0 subnet.

And here are the rules which should be applied.
1. The president has unlimited access.
2. Managers are denied access to entertainment websites
(community, movies, music, p0rn) from Monday to Sunday during
working hours (8 - 16).
3. Designers are denied access to entertainment websites all the
time and cannot download movie, music, torrent and exe files (except
Windows updates).
4. Programmers are denied access to entertainment websites all the
time and cannot access info websites such as yahoo_com, newsweek_com
during working hours in the working week.
5. An administrator has unlimited access during working hours.
Afterwards, he is not allowed to access entertainment websites.
6. A secretary and an accountant are denied access to entertainment
websites during working hours and cannot download any files
from the Internet except xls, doc, gif, zip, txt files.

# MY ACLs
# arp ACLs only see clients on the same broadcast segment as the proxy.
acl presidentNotebook arp 08:00:27:84:24:BF
acl presidentPC arp 08:00:27:81:08:73
# one arp ACL may list several MACs
acl managerNotebook arp 08:00:27:E7:D5:37 08:00:27:82:59:C5 08:00:27:C3:BE:B8   # I don't know if it's possible to have three MACs in one ACL?
acl designersProgrammers src 192.168.2.0/24
acl adminNotebook arp 08:00:27:EB:D7:94
acl office src 192.168.3.0/24

acl funWebsites dstdom_regex "/etc/squid/funWebsites.acl"
acl workingHours time M T W H F A S 8:00-16:00
acl workingHoursWeek time M T W H F 8:00-16:00
acl files urlpath_regex "/etc/squid/files.acl"
acl microsoftDomain dstdomain .microsoft.com   # dstdomain (the requested host), not src; the leading dot also covers subdomains
acl exeFile urlpath_regex \.[Ee][Xx][Ee]$
acl infoWebsites dstdom_regex "/etc/squid/infoWebsites.acl"
acl officeDownload urlpath_regex "/etc/squid/office.acl"
# END of ACLs

# FILES CREATED IN /etc/squid/ LOCATION
- funWebsites.acl
facebook_com   #I had to use _ instead of . because my mails were discarded
twitter_com
youtube_com
p0rn
movie
music

- files.acl
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][3]$
\.[Tt][Oo][Rr][Rr][Ee][Nn][Tt]$

- infoWebsites.acl
yahoo_com
newsweek_com

- office.acl
\.[Dd][Oo][Cc]$
\.[Gg][Ii][Ff]$
\.[Xx][Ll][Ss]$
\.[Tt][Xx][Tt]$
\.[Zz][Ii][Pp]$

# HTTP_ACCESS SECTION
# Syntax: http_access allow|deny acl [acl ...]. All ACLs on a line must match,
# and the first matching line decides, so the president's allows come first.
http_access allow presidentNotebook
http_access allow presidentPC
# rule 2 says Monday to Sunday, so the seven-day time ACL is used here
http_access deny managerNotebook funWebsites workingHours   # I don't know if it's possible to put these 3 rows into 1.
# a line without a time ACL applies all the time, so no alwaysTime ACL is needed
http_access deny designersProgrammers funWebsites
http_access allow designersProgrammers microsoftDomain exeFile
http_access deny designersProgrammers files
# rule 4 says working hours in the working week
http_access deny designersProgrammers infoWebsites workingHoursWeek
http_access deny adminNotebook funWebsites !workingHours
http_access deny office funWebsites workingHours
http_access deny office !officeDownload   # also denies any URL whose path lacks one of those extensions, e.g. http://example.com/
http_access allow all

----------
Best regards!
Received on Fri Oct 29 2010 - 20:03:19 MDT
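To see how an http_access list of this shape behaves without a Squid installation, here is an added example (not code from the original post or from Squid): a small Python evaluator that mimics Squid's first-match semantics. The ACL names and MAC/subnet values mirror the scenario, the time ACLs follow the wording of rules 2 and 4 (managers seven days a week, programmers only Monday to Friday), and the manager MACs are kept in one ACL; the request format, the helper names and the sample requests (including the client MAC 00:11:22:33:44:55 and the example.com hosts) are constructed assumptions.

```python
# Added example, not from the original post or from Squid: a toy evaluator
# for the first-match semantics of an http_access list. ACL values mirror
# the scenario; request format, helper names and sample requests are assumed.
import ipaddress
import re
from datetime import datetime

# Squid day letters are S M T W H F A (Sunday..Saturday); datetime.weekday()
# is Monday=0..Sunday=6, so index this string with it.
_DAY_LETTERS = "MTWHFAS"


def time_acl(days, start, end):
    # acl NAME time <days> h1:m1-h2:m2 (start/end in minutes; end treated as
    # exclusive here, a simplification of Squid's range check)
    def match(req):
        when = req["when"]
        minute = when.hour * 60 + when.minute
        return _DAY_LETTERS[when.weekday()] in days and start <= minute < end
    return match


def arp_acl(macs):
    # acl NAME arp MAC [MAC ...]
    wanted = {m.upper() for m in macs}
    return lambda req: req["mac"].upper() in wanted


def src_acl(cidr):
    # acl NAME src a.b.c.d/n
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src"]) in net


def dstdomain_acl(domain):
    # acl NAME dstdomain .example.com (leading dot = the domain and all subdomains)
    def match(req):
        host = req["host"].lower()
        if domain.startswith("."):
            return host == domain[1:] or host.endswith(domain)
        return host == domain
    return match


def regex_acl(field, patterns):
    # dstdom_regex (field="host") or urlpath_regex (field="path"), case-insensitive
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda req: any(c.search(req[field]) for c in compiled)


ACLS = {
    "president": arp_acl(["08:00:27:81:08:73", "08:00:27:84:24:BF"]),
    "managerNotebook": arp_acl(["08:00:27:E7:D5:37", "08:00:27:82:59:C5",
                                "08:00:27:C3:BE:B8"]),
    "designersProgrammers": src_acl("192.168.2.0/24"),
    "adminNotebook": arp_acl(["08:00:27:EB:D7:94"]),
    "office": src_acl("192.168.3.0/24"),
    "funWebsites": regex_acl("host", [r"facebook\.com$", r"twitter\.com$",
                                      r"youtube\.com$", "p0rn", "movie", "music"]),
    "workingHours": time_acl("MTWHFAS", 8 * 60, 16 * 60),
    "workingHoursWeek": time_acl("MTWHF", 8 * 60, 16 * 60),
    "files": regex_acl("path", [r"\.exe$", r"\.avi$", r"\.mp3$", r"\.torrent$"]),
    "microsoftDomain": dstdomain_acl(".microsoft.com"),
    "exeFile": regex_acl("path", [r"\.exe$"]),
    "infoWebsites": regex_acl("host", [r"yahoo\.com$", r"newsweek\.com$"]),
    "officeDownload": regex_acl("path", [r"\.doc$", r"\.gif$", r"\.xls$",
                                         r"\.txt$", r"\.zip$"]),
}

# http_access lines in order: ACLs on a line are ANDed, "!" negates one ACL,
# and the first line whose ACLs all match decides the request.
HTTP_ACCESS = [
    ("allow", "president"),
    ("deny", "managerNotebook funWebsites workingHours"),
    ("deny", "designersProgrammers funWebsites"),
    ("allow", "designersProgrammers microsoftDomain exeFile"),
    ("deny", "designersProgrammers files"),
    ("deny", "designersProgrammers infoWebsites workingHoursWeek"),
    ("deny", "adminNotebook funWebsites !workingHours"),
    ("deny", "office funWebsites workingHours"),
    ("deny", "office !officeDownload"),  # also hits paths with no extension, e.g. "/"
    ("allow", "all"),
]


def acl_matches(token, req):
    if token == "all":
        return True
    negate = token.startswith("!")
    result = ACLS[token.lstrip("!")](req)
    return not result if negate else result


def http_access(req):
    """Return "allow" or "deny" for a request built with request()."""
    for action, tokens in HTTP_ACCESS:
        if all(acl_matches(t, req) for t in tokens.split()):
            return action
    # Squid's default when no line matches is the opposite of the last line.
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"


def request(mac, src, host, path, when):
    # constructed request; `when` is an ISO timestamp such as 2010-11-01T10:00
    return {"mac": mac, "src": src, "host": host, "path": path,
            "when": datetime.fromisoformat(when)}


if __name__ == "__main__":
    secretary = request("00:11:22:33:44:55", "192.168.3.7", "example.com", "/", "2010-11-01T10:00")
    print("secretary opening http://example.com/ ->", http_access(secretary))
```

Running it shows the point worth checking before deploying rule 6: because `deny office !officeDownload` has no "is this a download at all" condition, a plain page request such as `http://example.com/` from the 192.168.3.0 subnet is denied, while `/report.xls` is allowed. The same evaluator also confirms the ordering effects, e.g. a manager's request to facebook.com is denied on a Sunday at 10:00 but allowed on a Monday at 18:00, and a designer's `.exe` fetch passes only from a microsoft.com host.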
