On Saturday 01 April 2006 15:02, Henrik Nordstrom wrote:
> Fri 2006-03-31 at 16:07 -0700, Dmitry S. Makovey wrote:
> > 2006/03/31 15:58:44| aclMatchAcl: checking 'acl all src
> > 1.1.1.1/255.255.255.255'
>
> What is this?? all should be defined as
>
> acl all src 0.0.0.0/0
>
> NOT
>
> 1.1.1.1/32
I know - I was eliminating the possibility of having odd masks etc., so I
made "all" "very specific" so that it doesn't match my src IPs; using
0.0.0.0/0.0.0.0 has the same effect.
> > 2006/03/31 15:58:44| aclCheckFast: list: 0x86bb3f0
> > 2006/03/31 15:58:44| aclMatchAclList: checking clients
> > 2006/03/31 15:58:44| aclMatchAcl: checking 'acl clients src
> > 192.168.1.0/255.255.255.0'
> > 2006/03/31 15:58:44| aclMatchIp: '255.255.255.255' NOT found
> > 2006/03/31 15:58:44| aclMatchAclList: no match, returning 0
> > 2006/03/31 15:58:44| aclCheckFast: no matches, returning: 0
> > 2006/03/31 15:58:44| aclCheckFast: list: 0x86bb468
> > 2006/03/31 15:58:44| aclMatchAclList: checking all
> > 2006/03/31 15:58:44| aclMatchAcl: checking 'acl all src
> > 1.1.1.1/255.255.255.255'
> > 2006/03/31 15:58:44| aclMatchIp: '255.255.255.255' NOT found
>
> Unfortunately this does not tell which directive is being
> processed. But it definitely isn't http_access.. maybe
> http_reply_access.
What debug level and for which service should I bump to get info on
which http_*access I'm dealing with?
> Any specific reason (other than the odd definition of "all") to why
> you are using src acls in http_reply_access?
Yes - it's a restrictive reverse proxy, or gateway if you wish -
machines are not allowed to do outbound connections themselves and
all the outbound traffic is being filtered based on the network the machine
belongs to and other criteria. The posted ruleset was just a beginning of
what I intend to do, but even as "simple" as it is, it didn't work.
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245