LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-14-2006, 12:43 PM   #16
AQG

No, I don't think so. I won't permit

http_access allow Acceso_Completo_mac Paginas_Permitidas
to go out. So I think that if it does not take into account my MACs, then it won't permit it to go to Paginas_Permitidas nor filter the ones on Paginas_Negadas.

Last edited by AQG; 08-14-2006 at 12:45 PM.
 
Old 08-14-2006, 12:46 PM   #17
win32sux
Quote:
Originally Posted by AQG
what does this query do? "acl QUERY urlpath_regex cgi-bin \?"
that line creates an ACL called "QUERY" (it could be called anything) which matches a regular expression for the string "cgi-bin"... when you call this ACL with "no_cache deny QUERY", you are basically telling squid to NOT cache things which are under a cgi-bin directory... it's a security issue, and it's the recommended setting in the original squid.conf...

Quote:
# TAG: no_cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
 
Old 08-14-2006, 12:50 PM   #18
AQG
Ok, got that.

Confirming it does not take into account any other file, and it is not filtering my MACs.

Again, maybe I'm not compiling it correctly like you said before (--enable-arp-acl). The thing is that I don't know how or where to do this.

?
 
Old 08-14-2006, 12:51 PM   #19
win32sux
Quote:
Originally Posted by AQG
No, I don't think so. I won't permit

http_access allow Acceso_Completo_mac Paginas_Permitidas
to go out. So I think that if it does not take into account my MACs, then it won't permit it to go to Paginas_Permitidas nor filter the ones on Paginas_Negadas.
okay, time to start troubleshooting... simplify the config, and see if it works... use a single (but real and valid) mac address... kinda like this:
Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl proxysuse src 127.0.0.1/255.255.255.255
acl manager proto cache_object

acl Acceso_Completo_mac arp xx:xx:xx:xx:xx:xx
http_access allow proxysuse
http_access allow Acceso_Completo_mac
http_access deny all
http_reply_access allow all
icp_access deny all
now the only box on the LAN which should be able to use squid is the one with mac address xx:xx:xx:xx:xx:xx... does that work fine?? if not, then perhaps you need to compile support for arp in your squid...
 
Old 08-14-2006, 12:54 PM   #20
win32sux
Quote:
Originally Posted by AQG
Ok, got that.

Confirming it does not take into account any other file, and it is not filtering my MACs.

Again, maybe I'm not compiling it correctly like you said before (--enable-arp-acl). The thing is that I don't know how or where to do this.

?
did you try the test above?? if so, and the test failed, then yeah it's probably compilation time... have you ever compiled source code before?? are you familiar with the ./configure && make && make install routine??

PS: you could also try to find a precompiled package for your distro... which distro is it??
 
Old 08-14-2006, 01:03 PM   #21
AQG
Quote:
did you try the test above?? if so, and the test failed, then yeah it's probably compilation time... have you ever compiled source code before?? are you familiar with the ./configure && make && make install routine??

PS: you could also try to find a precompiled package for your distro... which distro is it??


I've tried the test above, but it did not work,
and I've never compiled using the "./configure && make && make install" routine.
My distro is SuSE 10.

I appreciate your help.
Thank you very much!!!!
 
Old 08-14-2006, 01:15 PM   #22
win32sux
post the output of this command:
Code:
squid -v
it should tell us the options your squid binary was compiled with...
 
Old 08-14-2006, 01:17 PM   #23
AQG
This is what it gave me:


Squid Cache: Version 2.5.STABLE10
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl' '--enable-snmp' '--enable-carp' '--enable-useragent-log' '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB no_check' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' '--enable-ntlm-fail-open' '--enable-referer-log' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-ssl' '--enable-cache-digests' '--enable-storeio=aufs,ufs,diskd,null' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--with-samba-sources=/usr/include/samba' '--enable-x-accelerator-vary' 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIE' 'LDFLAGS=-pie'


but it does not contain anything similar to "--enable-arp-acl"

Last edited by AQG; 08-14-2006 at 01:19 PM.
 
Old 08-14-2006, 01:21 PM   #24
win32sux
Quote:
Originally Posted by AQG
Squid Cache: Version 2.5.STABLE10
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl' '--enable-snmp' '--enable-carp' '--enable-useragent-log' '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB no_check' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' '--enable-ntlm-fail-open' '--enable-referer-log' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-ssl' '--enable-cache-digests' '--enable-storeio=aufs,ufs,diskd,null' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--with-samba-sources=/usr/include/samba' '--enable-x-accelerator-vary' 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIE' 'LDFLAGS=-pie'
well, it's right there in red... hmmm... is that the latest version of the squid package?? i'd make sure i have the latest version installed... not sure what else to tell you... maybe squid isn't getting the MAC addresses of the clients?? could you confirm that the packets that hit the squid box have MAC addresses?? to do that, just add an iptables LOG rule and check the syslog while you send some packets from a client...

Last edited by win32sux; 08-14-2006 at 01:32 PM.
 
Old 08-14-2006, 01:44 PM   #25
AQG
Sorry to be a pain, but I'm new to this. How do I add an iptables LOG rule?


I've got everything on "allow":

Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


acl all src 0.0.0.0/0.0.0.0
acl proxysuse src 127.0.0.1/255.255.255.255
acl manager proto cache_object

acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl Paginas_Permitidas url_regex "/etc/squid/paginas_file"

http_access allow all
http_access allow Paginas_Negadas
http_access allow Acceso_Completo_mac Paginas_Permitidas
http_reply_access allow all
http_access allow all



icp_access allow proxysuse
icp_access allow Acceso_Completo_mac
icp_access allow Paginas_Negadas
icp_access allow Paginas_Permitidas

icp_access allow all

http_port 8080
icp_port 0

cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

visible_hostname suseproxy


tcp_outgoing_address x.x.x.x


I've updated my squid to the most recent version and patch, but now it won't resolve.

Last edited by AQG; 01-11-2007 at 03:11 PM.
 
Old 08-14-2006, 01:48 PM   #26
win32sux
Quote:
Originally Posted by AQG
Sorry to be a pain, but I'm new to this. How do I add an iptables LOG rule?
execute this command on the squid box:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 -j LOG --log-prefix "PING: "
now ping the squid box from one of the clients, while running this command on the squid box:
Code:
tail -f /var/log/syslog
you should then be able to see the pings (please post them)...

Last edited by win32sux; 08-14-2006 at 01:51 PM.
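The LOG rule above is only useful if you then read the MAC= field out of the kernel log lines it produces. The script below is an added example (not from the thread or from win32sux): it parses netfilter LOG lines, extracts the frame's source MAC, and reports whether that MAC is on the allow list or whether the packet crossed a router, in which case the source MAC belongs to the router and Squid's arp ACL can never see the client. The sample log lines, the allowed MAC and the proxy subnet 10.10.207.0/24 are constructed assumptions; on SuSE the kernel lines land in /var/log/messages rather than /var/log/syslog.

```python
import re
from ipaddress import ip_address, ip_network

# Fields written by the netfilter LOG target; MAC= holds dst(6) + src(6) + ethertype(2) octets
LOG_RE = re.compile(r"\bMAC=(?P<mac>[0-9a-fA-F:]+)\s.*?\bSRC=(?P<src>[\d.]+)\s.*?\bPROTO=(?P<proto>\w+)")

def parse_log_line(line):
    """Split one LOG line into dst_mac, src_mac, ethertype, src_ip and proto; None if not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    octets = m["mac"].lower().split(":")
    if len(octets) != 14:          # not an Ethernet frame (e.g. a PPP or tunnel interface)
        return None
    return {"dst_mac": ":".join(octets[:6]), "src_mac": ":".join(octets[6:12]),
            "ethertype": "".join(octets[12:]), "src_ip": m["src"], "proto": m["proto"]}

def classify(rec, allowed_macs, proxy_subnet):
    """'listed'/'unlisted': the frame came straight from a client on the proxy's own subnet.
    'routed': the source IP is on another subnet, so src_mac is the last router's, not the
    client's, and an arp ACL can never identify that client."""
    if ip_address(rec["src_ip"]) not in ip_network(proxy_subnet):
        return "routed"
    return "listed" if rec["src_mac"] in {m.lower() for m in allowed_macs} else "unlisted"

# Constructed sample lines (not a real capture) in the netfilter LOG format
SAMPLE_LOG = """\
Aug 14 13:50:01 suseproxy kernel: PING: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=10.10.207.10 DST=10.10.207.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 14 13:50:02 suseproxy kernel: PING: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1b:d4:00:00:01:08:00 SRC=10.10.206.25 DST=10.10.207.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
"""
ALLOWED = ["00:11:22:33:44:55"]   # constructed stand-in for the contents of /etc/squid/macfree

def report(log_text=SAMPLE_LOG, allowed=ALLOWED, proxy_subnet="10.10.207.0/24"):
    """One (src_ip, src_mac, verdict) tuple per parsable LOG line."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            rows.append((rec["src_ip"], rec["src_mac"], classify(rec, allowed, proxy_subnet)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(*row)
```

Feed it the real lines from tail -f with a different subnet and MAC list and the "routed" verdicts show exactly which clients an arp ACL cannot cover.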
 
Old 08-14-2006, 01:50 PM   #27
win32sux
Quote:
Originally Posted by AQG
tcp_outgoing_address 10.16.206.50
what's this about?

Quote:
Originally Posted by AQG
I've updated my squid to the most recent version and patch, but now it won't resolve.
just squid or the entire box?? in other words, are you able to ping "google.com" from the box?? what errors do you get??

Last edited by win32sux; 08-14-2006 at 01:52 PM.
 
Old 08-14-2006, 02:31 PM   #28
AQG
I'm able to ping the squid box from the client.
I'm able to ping www.google.com from the squid server.

But the command tail -f /var/log/syslog won't work, because syslog does not exist.

The IP address 10.16.x.x is my squid box IP address, and the update was made to the whole box, including squid.

Last edited by AQG; 08-14-2006 at 02:32 PM.
 
Old 08-14-2006, 03:05 PM   #29
AQG
?????????????????

Last edited by AQG; 08-14-2006 at 03:47 PM.
 
Old 08-14-2006, 03:47 PM   #30
AQG
!!!!! OK, got it to work with one MAC!!!! Just like you said.

Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


acl all src 0.0.0.0/0.0.0.0
acl proxysuse src 127.0.0.1/255.255.255.255
acl manager proto http cache_object

#acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Acceso_Completo_mac arp xx:xx:xx:xx:xx:xx
#acl Paginas_Negadas url_regex "/etc/squid/negarfree"

#acl Paginas_Permitidas url_regex "/etc/squid/paginas_file"

http_access allow proxysuse
#http_access deny Paginas_Negadas
http_access allow Acceso_Completo_mac
#http_access allow Acceso_Completo_mac Paginas_Permitidas
http_access deny all
http_reply_access allow all




icp_access allow proxysuse
icp_access allow Acceso_Completo_mac
#icp_access allow Paginas_Negadas
#icp_access allow Paginas_Permitidas

icp_access deny all

http_port 8080
icp_port 0

cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

visible_hostname suseproxy


!!!!!!!!!!!!!!!!!!!!

Now I want to get it to work but have the following problems:

The structure of my net is 2 VLANs per subnet; for example, Subnet1 has:
VLAN_30 with the following range of IPs via DHCP: 10.10.206.X
VLAN_31 with the following range of IPs via DHCP: 10.10.207.x


VLAN_30 has open traffic to the internet, but VLAN_31 has to pass through the proxy and, like I said before, is restricted via MAC address because of the DHCP.
Question: could it be possible that if I put my proxy connected to the very last switch/router of my net (the last one of my net before it goes out to the internet), my proxy will filter all my MACs?

PS: win32sux, thanks, what you told me was correct: my problem was my firewall.

Last edited by AQG; 08-14-2006 at 04:03 PM.
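Why the "everything on allow" config from post #25 let every client through, while the one above only admits the listed MAC, comes down to how Squid walks its http_access lines. The following is an added example (not from the thread or from Squid itself) that models those rules, as squid.conf documents them, and runs both configs plus the commented-out deny-list/allow-list variant against a listed and an unlisted client; the MAC address, the URL regexes and the client IPs are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

def match_acl(acl, request):
    """Does one ACL (type, values) match the request?  Covers the three types the thread uses."""
    kind, values = acl
    if kind == "src":          # Squid's addr/netmask form, e.g. 0.0.0.0/0.0.0.0 or 127.0.0.1/255.255.255.255
        return any(ip_address(request["ip"]) in ip_network(v, strict=False) for v in values)
    if kind == "arp":
        return request["mac"].lower() in {v.lower() for v in values}
    if kind == "url_regex":
        return any(re.search(v, request["url"]) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(rules, acls, request):
    """rules: (action, [acl names]) in file order.  Names on one line are ANDed, the first
    fully matching line decides, and with no match the result is the opposite of the last line."""
    for action, names in rules:
        if all(match_acl(acls[n], request) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACL definitions with the thread's names; the MAC and the regexes are constructed samples
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "proxysuse": ("src", ["127.0.0.1/255.255.255.255"]),
    "Acceso_Completo_mac": ("arp", ["00:11:22:33:44:55"]),
    "Paginas_Negadas": ("url_regex", [r"bad\.example"]),
    "Paginas_Permitidas": ("url_regex", [r"intranet\.example"]),
}
# Post #25: "http_access allow all" comes first, so every later line is dead code
BROKEN = [("allow", ["all"]), ("allow", ["Paginas_Negadas"]),
          ("allow", ["Acceso_Completo_mac", "Paginas_Permitidas"]), ("allow", ["all"])]
# Post #30: localhost and the listed MAC are allowed, everything else is denied
WORKING = [("allow", ["proxysuse"]), ("allow", ["Acceso_Completo_mac"]), ("deny", ["all"])]
# The shape the commented-out lines in post #30 aim at: deny-list first, then MAC AND allowed URL
INTENDED = [("deny", ["Paginas_Negadas"]),
            ("allow", ["Acceso_Completo_mac", "Paginas_Permitidas"]), ("deny", ["all"])]

LISTED = {"ip": "10.10.207.10", "mac": "00:11:22:33:44:55", "url": "http://intranet.example/"}
UNLISTED = dict(LISTED, ip="10.10.207.11", mac="66:77:88:99:aa:bb")

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("working", WORKING), ("intended", INTENDED)):
        print(name, "listed:", http_access(rules, ACLS, LISTED),
              "unlisted:", http_access(rules, ACLS, UNLISTED))
```

Note that the arp ACL only matches when the frame's source MAC is the client's own, which is why the VLAN question above matters: once a router sits between client and proxy, even the listed client shows up as unlisted.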
 
  

