Re: [SQU] access lists help ...again

From: Craig Fels <csfels@dont-contact.us>
Date: Mon, 18 Dec 2000 19:57:45 -0600

Make sure you put http_access deny statements FIRST! Again, the order is
very specific. If a domain matches an http_access allow statement before it
gets to the deny statement.... your users will be in MP3 heaven.

You can also try blocking port 6699, which I believe is the port Napster
uses to connect to the server. After it connects, it roams over a large
amount of ports.

The rule of thumb I use for http_access statements is this (these are not
syntactically correct):

http_access deny for destinations blocked for EVERYONE
http_access deny for source (either IP or Proxy Auth)
http_access allow for source (either IP or Proxy Auth)
http_access allow all (or deny all depending on what you want to accomplish)

My list of denied sources is smaller than the one I'd have to create for
allowed sources. So I basically use lines 1, 2, and 4 (allow) listed above.

Have fun!

Craig

----- Original Message -----
From: Xwindows User <xwindowuser@discflo.com>
To: <squid-users@ircache.net>
Cc: <squid-users@ircache.net>
Sent: Monday, December 18, 2000 6:36 PM
Subject: Re: [SQU] access lists help ...again

> I see now, said the blind man: I either get rid of the subnet mask or
> use 255.255.255.255 and it works now..... Now I can't get it to filter
> out Napster. Here is what I have:
>
> acl denied_domains dst .napster.com
>
>
> http_access deny denied_domains
>
> Nothing happens, it is still accessed. I have also tried this:
>
> acl denied_domains dstdomain .napster.com
> as well as :
> acl denied_domains dst www.napster.com
> and so on, any help there? thanks,
>
>
> Fels wrote:
> >
> > > ok here I go again. I have this:
> > >
> > > acl discflo src 192.168.0.0/255.255.255.0
> > > acl denied src 192.168.0.55/255.255.255.0
> > > acl all src 0.0.0.0/0.0.0.0
> > >
> > > http_access allow discflo
> > > http_access deny denied
> > > http_access deny all
> > >
> > > no one gets denied, the one I want to deny is 192.168.0.55, as you can
> > > see in the ACL.
> >
> > Okay, no one gets denied here because everything in the 192.168.0.x subnet
> > matches the acl discflo. None of the sources, including 192.168.0.55, makes
> > it to the http_access deny line.
> >
> > Try reversing it... like this:
> >
> > http_access deny denied
> > http_access allow discflo
> > http_access deny all
> >
> > > conversely I have tried this too:
> > > with the same ACL's from above I tried:
> > >
> > > http_access deny discflo
> > > http_access allow denied
> > > http_access deny all
> > >
> > > and no one gets access....I thought that the rules matched, it looks like
> > > they do but I guess not. once again I am confused, thanks
> >
> > no one gets access because EVERYTHING in 192.168.0.x matches the first
> > http_access line. Therefore, everyone on this subnet gets denied.
> >
> > Hope I've helped!
> >
> > Craig
> >
> > --
> > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>

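The whole thread comes down to one property of Squid's http_access: lines are evaluated top to bottom and the first line whose ACLs all match decides the request. The following Python model is an added example, not code from the thread or from the Squid project. It re-creates the ACLs posted above (discflo, denied, denied_domains, all), adds the earlier /255.255.255.0 version of the "denied" ACL as "denied_subnetmask" and a port ACL for 6699 as "napster_port" (both names are assumptions), and evaluates the poster's allow-first ordering next to Craig's deny-first ordering so the difference is visible on concrete requests. Squid's default when no line matches (the opposite of the last line's action) is modelled too.

```python
import ipaddress

# ACL table in the shape of the thread's squid.conf lines: acl <name> <type> <value>
# "denied" uses the host mask the poster ended up with; "denied_subnetmask" is the
# earlier /255.255.255.0 form, kept to show why it never isolated one host.
# "napster_port" and "denied_subnetmask" are assumed names, not from the thread.
ACLS = {
    "discflo":           ("src", "192.168.0.0/255.255.255.0"),
    "denied":            ("src", "192.168.0.55/255.255.255.255"),
    "denied_subnetmask": ("src", "192.168.0.55/255.255.255.0"),
    "denied_domains":    ("dstdomain", ".napster.com"),
    "napster_port":      ("port", "6699"),
    "all":               ("src", "0.0.0.0/0.0.0.0"),
}


def acl_matches(name, request, acls=ACLS):
    """Return True if the named ACL matches the request dict (src, host, port)."""
    kind, value = acls[name]
    if kind == "src":
        # ipaddress accepts Squid's dotted-mask form; strict=False masks host bits,
        # which is exactly what makes 192.168.0.55/255.255.255.0 cover the whole /24.
        net = ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_address(request["src"]) in net
    if kind == "dstdomain":
        host = request["host"].lower()
        if value.startswith("."):  # leading dot: the domain itself and all subdomains
            return host == value[1:] or host.endswith(value)
        return host == value
    if kind == "port":
        return request["port"] == int(value)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, request, acls=ACLS):
    """First-match evaluation of (action, [acl names]) lines, like Squid's http_access."""
    for action, names in rules:
        if all(acl_matches(n, request, acls) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


def req(src, host="www.example.com", port=80):
    """Constructed sample request; hosts and addresses are illustrative only."""
    return {"src": src, "host": host, "port": port}


# The poster's first attempt: the subnet allow comes before the host deny.
ALLOW_FIRST = [
    ("allow", ["discflo"]),
    ("deny", ["denied"]),
    ("deny", ["all"]),
]

# Craig's ordering: destination denies for everyone, then source denies,
# then source allows, then the catch-all.
DENY_FIRST = [
    ("deny", ["denied_domains"]),
    ("deny", ["napster_port"]),
    ("deny", ["denied"]),
    ("allow", ["discflo"]),
    ("deny", ["all"]),
]


if __name__ == "__main__":
    print(http_access(ALLOW_FIRST, req("192.168.0.55")))                   # allow
    print(http_access(DENY_FIRST, req("192.168.0.55")))                    # deny
    print(http_access(DENY_FIRST, req("192.168.0.10")))                    # allow
    print(http_access(DENY_FIRST, req("192.168.0.10", "www.napster.com")))  # deny
    print(http_access(DENY_FIRST, req("192.168.0.10", port=6699)))         # deny
    print(http_access(DENY_FIRST, req("10.1.2.3")))                        # deny
    print(acl_matches("denied_subnetmask", req("192.168.0.10")))           # True
```

The first call is the poster's symptom: 192.168.0.55 matches discflo on the first line and the deny is never consulted. The last call is the poster's earlier mistake: with a /255.255.255.0 mask the "one host" ACL matches every host in the subnet, so the fix of using 255.255.255.255 (a /32) was the right one. Reordering squid.conf to the DENY_FIRST shape above is the change Craig is describing.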
Received on Mon Dec 18 2000 - 19:07:09 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:01 MST