Re: Managing large http_access lists: alternative methods

From: Lincoln Dale <ltd@dont-contact.us>
Date: Thu, 09 Apr 1998 17:01:40 +1000

In message <199804090631.BAA03045@data.mr.net>, Scott Lystig Fritchie writes:
>MRNet is operating some Squid caches which, at the moment, have no
>access restrictions on them. The goal was to make it as easy as
>possible for our customers to see the beauty and wisdom of
>participating in the cache hierarchy. That policy has worked
>moderately well for our customers ... and too well for non-customers
>who attempt to launder their connections when breaking in to Web-based
>chat systems, etc. So, it's (beyond reasonable) time to clamp down.
..

Why not implement the 'block filter' on your border routers?
One statement, and it will always work.

ie. on your router interfaces that face the internet (say hssi2/0),
do something like:
   (assuming proxy ip address is 203.1.1.1, runs on port 3128/3130)
   interface hssi2/0
     ...
     ! apply the list to traffic arriving from the internet
     ip access-group 101 in
   !
   ! replies to connections opened from inside (ACK/RST set) pass first
   access-list 101 permit tcp any any established
   ! block new outside connections to the proxy's HTTP port
   access-list 101 deny tcp any host 203.1.1.1 eq 3128
   ! block outside ICP (UDP) to the proxy
   access-list 101 deny udp any host 203.1.1.1 eq 3130
   ! everything else is unaffected
   access-list 101 permit ip any any

thus, any additions/deletions of your customer/customer networks
don't require any configuration changes to your proxy.

cheers,

lincoln.
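The following is an added example, not part of Lincoln's message or Squid itself: a small first-match evaluator that replays access-list 101 from the post against a handful of constructed packets. It shows why the ordering matters (the `established` permit is tried before the denies) and makes one caveat visible that a practitioner should know: the IOS `established` keyword is stateless and only checks for the ACK or RST bit, so the router is not tracking connections. The addresses 198.51.100.7 and 203.1.1.50 and the packet descriptions are constructed for the example; 203.1.1.1, 3128 and 3130 come from the post.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PROXY_IP = "203.1.1.1"  # proxy address assumed in the post


@dataclass(frozen=True)
class Packet:
    proto: str                               # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    """One access-list entry; None means 'any' for the field."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False    # IOS 'established': ACK or RST bit set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
        return True


# access-list 101 exactly as written in the post, in order
ACL_101: List[Rule] = [
    Rule("permit", "tcp", established=True),
    Rule("deny", "tcp", dst=PROXY_IP, dport=3128),
    Rule("deny", "udp", dst=PROXY_IP, dport=3130),
    Rule("permit", "ip"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample traffic arriving inbound on the internet-facing interface.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "outside SYN to proxy 3128": Packet("tcp", "198.51.100.7", PROXY_IP, 3128, frozenset({"SYN"})),
    "outside ICP to proxy 3130": Packet("udp", "198.51.100.7", PROXY_IP, 3130),
    "outside SYN to customer web server": Packet("tcp", "198.51.100.7", "203.1.1.50", 80, frozenset({"SYN"})),
    "reply to customer-initiated connection": Packet("tcp", "198.51.100.7", "203.1.1.50", 40000, frozenset({"ACK"})),
    # 'established' is stateless: an ACK-only packet to 3128 is matched by the
    # first entry even though no connection exists, so pair this ACL with a
    # stateful filter if that matters in your environment.
    "outside ACK-only to proxy 3128": Packet("tcp", "198.51.100.7", PROXY_IP, 3128, frozenset({"ACK"})),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every sample packet and return {description: action}."""
    return {desc: evaluate(ACL_101, pkt) for desc, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for desc, action in run_samples().items():
        print(f"{action:6s}  {desc}")
```

The evaluator models only what the four entries in the post test (protocol, destination host, destination port and the ACK/RST check); it is a teaching aid for reading the list, not a substitute for checking the running config on the router.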
Received on Thu Apr 09 1998 - 06:12:41 MDT