http_access allow Acceso_Completo_mac Paginas_Permitidas to go out. So i think that if it does not take into account my MAC's then it won't permit it to go to Paginas_Permitidas nor filter the ones on Panigas_Negadas
what does this query do? "acl QUERY urlpath_regex cgi-bin \?"
that line creates an ACL called "QUERY" (it could be called anything) with a regular expression for the string "cgi-bin"... when you call this ACL with "no_cache deny QUERY", you are basically telling squid to NOT cache things which are under a cgi-bin directory... it's a security issue, and it's the recommended setting in the original squid.conf...
Quote:
# TAG: no_cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
http_access allow Acceso_Completo_mac Paginas_Permitidas to go out. So i think that if it does not take into account my MAC's then it won't permit it to go to Paginas_Permitidas nor filter the ones on Panigas_Negadas
okay, time to start troubleshooting... simplify the config, and see if it works... use a single (but real and valid) mac address... kinda like this:
Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl proxysuse src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl Acceso_Completo_mac arp xx:xx:xx:xx:xx:xx
http_access allow proxysuse
http_access allow Acceso_Completo_mac
http_access deny all
http_reply_access allow all
icp_access deny all
now the only box on the LAN which should be able to use squid is the one with mac address xx:xx:xx:xx:xx:xx... does that work fine?? if not, then perhaps you need to compile support for arp in your squid...
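Squid checks http_access lines from top to bottom, the first matching line decides, and ACL names listed on one line must all match. As an added example (not part of the original posts), a small Python model of that evaluation for the test config above; the MAC is a constructed stand-in for xx:xx:xx:xx:xx:xx, and the host list for Paginas_Permitidas is hypothetical, since the thread does not show its definition.

```python
# Added example: a model of how Squid walks http_access lines.
ALLOWED_MAC = "00:11:22:33:44:55"   # constructed stand-in for xx:xx:xx:xx:xx:xx
PERMITTED_HOSTS = {"example.org"}   # hypothetical content of Paginas_Permitidas

# Each ACL is a predicate over one request: a dict with "ip", "mac"
# (None when the proxy could not learn the client's MAC) and "host".
ACLS = {
    "all": lambda r: True,
    "proxysuse": lambda r: r["ip"] == "127.0.0.1",
    "Acceso_Completo_mac": lambda r: (r["mac"] or "").lower() == ALLOWED_MAC,
    "Paginas_Permitidas": lambda r: r["host"] in PERMITTED_HOSTS,
}

# The troubleshooting config from the thread.
TEST_RULES = [
    ("allow", ["proxysuse"]),
    ("allow", ["Acceso_Completo_mac"]),
    ("deny", ["all"]),
]

# The two-ACL line quoted in the thread, placed in the same skeleton
# (the rest of the original config is not shown on the page).
ORIGINAL_RULES = [
    ("allow", ["proxysuse"]),
    ("allow", ["Acceso_Completo_mac", "Paginas_Permitidas"]),
    ("deny", ["all"]),
]

def http_access(request, rules):
    """Return 'allow' or 'deny' for one request."""
    for action, names in rules:
        # ACLs named on one line are ANDed; the first matching line decides.
        if all(ACLS[name](request) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    lan_client = {"ip": "10.10.207.15", "mac": ALLOWED_MAC, "host": "example.org"}
    no_mac = dict(lan_client, mac=None)
    print(http_access(lan_client, TEST_RULES))   # MAC matches the arp ACL
    print(http_access(no_mac, TEST_RULES))       # MAC unknown: falls to "deny all"
    print(http_access(no_mac, ORIGINAL_RULES))   # the two-ACL line cannot match
```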
Confirming it does not take into account any other file, and it is not filtering my MAC's.
again maybe i'm not making the correct compilation like you said before (--enable-arp-acl). The thing is that i don't know how or where to do this.
?
did you try the test above?? if so, and the test failed, then yeah it's probably compilation time... have you ever compiled source code before?? are you familiar with the ./configure && make && make install routine??
PS: you could also try to find a precompiled package for your distro... which distro is it??
Quote:
did you try the test above?? if so, and the test failed, then yeah it's probably compilation time... have you ever compiled source code before?? are you familiar with the ./configure && make && make install routine??
PS: you could also try to find a precompiled package for your distro... which distro is it??
i've tried the test above, but did not work
and i've never compiled using "./configure && make && make install routine"
my distro is SuSE 10
well, it's right there in red... hmmm... is that the latest version of the squid package?? i'd make sure i have the latest version installed... not sure what else to tell you... maybe squid isn't getting the MAC addresses of the clients?? could you confirm that the packets that hit the squid box have MAC addresses?? to do that, just add an iptables LOG rule and check the syslog while you send some packets from a client...
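The check suggested above, as an added example that is not part of the original posts: the iptables LOG target prints the Ethernet header as `MAC=` (6 bytes destination, 6 bytes source, 2 bytes ethertype), so the source MAC the proxy actually sees can be pulled from syslog. The rule in the comment assumes Squid listens on its default port 3128 and uses a made-up log prefix; the log lines are constructed.

```python
import re
from collections import defaultdict

# Rule that produces lines like the sample (assumed port and prefix):
#   iptables -I INPUT -p tcp --dport 3128 -j LOG --log-prefix "SQUID-IN: "

# A full MAC= field is 14 colon-separated octets, followed by SRC=<ip>.
LOG_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s+SRC=(?P<src>\S+)", re.I
)

# Constructed syslog lines: one client on the proxy's own segment, two
# clients arriving through a router, and one line with an empty MAC= field.
SAMPLE_LOG = """\
Jan 10 12:00:01 proxy kernel: SQUID-IN: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:01:00:11:22:33:44:55:08:00 SRC=10.10.207.15 DST=10.10.207.2 PROTO=TCP SPT=40000 DPT=3128
Jan 10 12:00:02 proxy kernel: SQUID-IN: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:01:00:de:ad:be:ef:01:08:00 SRC=10.10.206.20 DST=10.10.207.2 PROTO=TCP SPT=40001 DPT=3128
Jan 10 12:00:03 proxy kernel: SQUID-IN: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:01:00:de:ad:be:ef:01:08:00 SRC=10.10.206.21 DST=10.10.207.2 PROTO=TCP SPT=40002 DPT=3128
Jan 10 12:00:04 proxy kernel: SQUID-IN: IN= OUT=eth0 MAC= SRC=10.10.207.2 DST=10.10.207.15 PROTO=TCP SPT=3128 DPT=40000
"""

def source_macs(log_text):
    """Map each source MAC to the set of source IPs logged behind it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # no full Ethernet header logged for this packet
        octets = m.group("mac").lower().split(":")
        src_mac = ":".join(octets[6:12])  # bytes 7-12 are the sender's MAC
        seen[src_mac].add(m.group("src"))
    return dict(seen)

def shared_macs(log_text):
    """MACs seen with more than one source IP.

    Heuristic: usually a router forwarding other hosts' packets, in which
    case an arp ACL sees the router's MAC and not the clients'.
    """
    return sorted(mac for mac, ips in source_macs(log_text).items() if len(ips) > 1)

if __name__ == "__main__":
    for mac, ips in source_macs(SAMPLE_LOG).items():
        print(mac, sorted(ips))
    print("shared:", shared_macs(SAMPLE_LOG))
```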
!!!!!!!!!!!!!!!!!!!!
now i want to get it to work but have the following problems:
the structure of my net is 2 VLANS per subnet for example Subnet1 has:
VLAN_30 with the following range of ip's via dhcp 10.10.206.X
VLAN_31 with the following range of ip's via dhcp 10.10.207.x
VLAN_30 has open traffic to internet, but VLAN_31 has to pass through the proxy and like i said before restricted via MAC address because of the dhcp.
question: could it be possible that if i put my proxy connected to the very last switch/router of my net (the last one of my net before it goes out to internet) that my proxy will filter all my MAC's?
ps. win32sux, thanks, what you told me was correct; my problem was my firewall.