Re: domain-based restrictions

From: Donald McKellar <d.mckellar@dont-contact.us>
Date: Fri, 19 Jul 1996 11:51:01 +1200 (NZST)

On Thu, 18 Jul 1996, Craig Morgan wrote:

> At 9:44 am +0000 18/7/96, you wrote:
>
> >4At 11:28 18.07.96 +0200, you wrote:
> >>According to Alexander Rainchik:
> >>
> >>> Is it possible to restric access to my proxy server on
> >>> domain-based acl? I mean only users from .my.domain.com are
> >>> allowed to use cache. I can't use FQDN in 'acl src' and
> >>> 'acl domain' is just noi I'm expected :(
> >>
> >>How about this?
> >>
> >> acl localnet src 123.45.67.0/255.255.255.0
> >> acl all src 0.0.0.0/0.0.0.0
> >> http_access allow localnet
> >> http_access deny all
> >>
> >
> >Nice, but I prefer this way:
> >
> >acl localnet .my.domain.com
> >http_acces allow localnet
> >
> >so sorry it's not supported :(
>
> I think I agree with Alexander about this one, we (as a University) have
> approx. 25 class 'C' nets, so I would have to list a lot of nets, whilst a
> single 'acl domain' could cover all eventualities, even sub-domains.
>
> I've fallen on a combination of both, a fully defined list of 'acl src'
> entries for our nets and then a set of global 'acl domain' entries for
> disabling whole sets of domains.
>

But how secure do you want to be? I control the reverse lookup for our
domain (a privileged position I admit). I can make the reverse DNS lookup
for my IP number be anything I want, so I could configure my DNS to allow
my workstation access to your cache.

Donald

--
Donald McKellar				Phone: internal        6336
Computer Services Centre		       external  +64 3 364-2336
University of Canterbury		       fax       +64 3 364-2332   
New Zealand
Received on Thu Jul 18 1996 - 16:53:27 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:41 MST