Re: [squid-users] Problem with acl and one ip address

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Tue, 30 Oct 2001 12:33:30 +1000 (EST)

Hi,

On Mon, 29 Oct 2001, Rainer Traut wrote:

> Hi,
> we want to deny access for a single ip,

Actually you want to allow one ip to go to a restricted set of sites and
nowhere else.

> but this ip is also in another access list.
> As far as I understood the first rule that matches
> is applied, but it doesn't work...

Yes it does. You have to understand the http_access lines. If "test" is
going to "sites" he is allowed by the first http_access line. If he is
not, that line doesn't match. However the checks don't stop there. Since
the "test" ip is also part of "surf_all", whenever "test" goes somewhere
other than "sites" he will be allowed by "http_access allow surf_all".

What you need to do is:

http_access allow test sites
http_access deny test
http_access allow surf_small sites
http_access allow surf_all
http_access allow manager
http_access deny all

Now, when "test" doesn't go to "sites" he is explicitly blocked.

> this is a part of our squid.conf.
> It works, only this one ip still can surf everywhere.
>
> acl all src 0.0.0.0/0.0.0.0
> # this ip should access only allowed sites:
> acl test src 172.27.49.48/32
> # but it's also in here:
> acl surf_all src 172.27.49.0/24
> acl surf_small src 172.27.35.0/24
> acl sites dstdomain "/usr/local/squid/etc/erlaubt.url"
> http_access allow test sites
> http_access allow surf_small sites
> http_access allow surf_all
> http_access allow manager
> http_access deny all
>
> But he still can surf everywhere.
> Why?
> And what can I do?
> It's squid 2.4 stable2 running under linux mdk kernel 2.4.8.
>
> thanks
> Rainer

Colin

--
Colin Campbell
Unix Support/Postmaster/Hostmaster
CITEC
+61 7 3006 4710
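The following is an added example, not code from this thread or from the Squid project: a small Python model of how Squid walks http_access lines (all acls on a line must match, the first matching line decides, and an unmatched request gets the opposite of the last line's action). It parses the two configurations from the thread and shows why "test" is allowed everywhere by the original order and blocked by Colin's "deny test" line. The contents of /usr/local/squid/etc/erlaubt.url are not on the page, so the "sites" acl uses a constructed domain (.allowed.example), and the "manager" acl is given Squid's usual "proto cache_object" definition; both are assumptions.

```python
"""Simulate how Squid walks http_access lines (first matching line wins).

Added example; not code from the thread or from the Squid project. The
dstdomain file /usr/local/squid/etc/erlaubt.url is not on the page, so the
"sites" acl here lists a constructed domain inline, and the "manager" acl
uses Squid's usual definition (proto cache_object), which is assumed.
"""
import ipaddress

ORIGINAL_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl test src 172.27.49.48/32
acl surf_all src 172.27.49.0/24
acl surf_small src 172.27.35.0/24
acl sites dstdomain .allowed.example
acl manager proto cache_object
http_access allow test sites
http_access allow surf_small sites
http_access allow surf_all
http_access allow manager
http_access deny all
"""

# Colin's fix: an explicit "deny test" right after the line that allows
# "test" to reach "sites", so the later "allow surf_all" is never reached.
FIXED_CONF = ORIGINAL_CONF.replace(
    "http_access allow test sites\n",
    "http_access allow test sites\nhttp_access deny test\n",
)


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [acl names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    """Evaluate one acl against a request dict {src, host, proto}."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        for v in values:
            v = v.lower()
            # A leading dot matches the domain and all its subdomains;
            # without it Squid matches that exact host name only.
            if v.startswith("."):
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("unsupported acl type: " + kind)


def evaluate(acls, rules, req):
    """First http_access line whose acls ALL match decides the request."""
    for action, names in rules:
        for name in names:
            negated = name.startswith("!")
            if acl_matches(acls[name.lstrip("!")], req) == negated:
                break            # this acl fails; try the next line
        else:
            return action        # every acl on the line matched
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf, src, host, proto="http"):
    acls, rules = parse_conf(conf)
    return evaluate(acls, rules, {"src": src, "host": host, "proto": proto})


if __name__ == "__main__":
    cases = [("172.27.49.48", "www.allowed.example"),
             ("172.27.49.48", "other.example"),
             ("172.27.49.10", "other.example"),
             ("172.27.35.5", "other.example")]
    for src, host in cases:
        print(f"{src:>14} -> {host:<20} original={decide(ORIGINAL_CONF, src, host):<5} "
              f"fixed={decide(FIXED_CONF, src, host)}")
```

Running it shows 172.27.49.48 reaching other.example with the original order (it falls through "allow test sites" and "allow surf_small sites" and is caught by "allow surf_all") and being denied with the fixed order, while the rest of 172.27.49.0/24 is unaffected. The same model is a cheap way to check any reordering of http_access lines before reloading a live proxy.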
Received on Mon Oct 29 2001 - 19:33:42 MST
