Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
08-08-2006, 11:44 AM, #1
Member, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
Restriction using MAC address (squid) SuSE
Hi, hope you can help me. I need to assign permissions on squid to the PCs that I will give internet access, but I need to use their MAC address. Any idea? I've done it with IP restriction but don't know if I can do it by MAC address.
Thank you!!!!
08-08-2006, 12:51 PM, #2
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by AQG
Hi, hope you can help me. I need to assign permissions on squid to the PCs that I will give internet access, but I need to use their MAC address. Any idea? I've done it with IP restriction but don't know if I can do it by MAC address.
Yes, you can do it... as long as your squid was compiled with this option. Here's an example of MAC-based ACL usage:
Code:
acl AQGMAC arp 01:02:03:04:05:06
http_access allow AQGMAC
http_access deny all
Here's an example of mixed MAC-based and IP-based ACL usage:
Code:
acl AQGMAC arp 01:02:03:04:05:06
acl AQGIP src 192.168.100.103
http_access allow AQGMAC AQGIP
http_access deny all
just my ...
Last edited by win32sux; 08-08-2006 at 02:09 PM.
08-08-2006, 06:13 PM, #3
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
Thanks win32sux, just one more question: will it work with multiple PCs (I need a minimum of 500 MAC addresses)?
08-08-2006, 09:14 PM, #4
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by AQG
Thanks win32sux, just one more question: will it work with multiple PCs (I need a minimum of 500 MAC addresses)?
Yeah, it will work with multiple PCs... here's a simple example for 3 PCs:
Code:
# Jenny in Accounting:
acl PC001-MAC arp 01:02:03:04:05:06
acl PC001-IP src 192.168.100.101
# Bob in Sales:
acl PC002-MAC arp 02:02:03:04:05:06
acl PC002-IP src 192.168.100.102
# Cody in Engineering:
acl PC003-MAC arp 03:02:03:04:05:06
acl PC003-IP src 192.168.100.103
http_access allow PC001-MAC PC001-IP
http_access allow PC002-MAC PC002-IP
http_access allow PC003-MAC PC003-IP
http_access deny all
I think there's also a way to have the MACs and IPs listed in text files, and then have squid use them from there... that way you don't have to have a squid.conf with 500 MACs and 500 IPs in it... I'm not exactly sure how that would work, though, because I've never tried it... but according to this it might be as easy as using a pipe...
Last edited by win32sux; 08-08-2006 at 09:19 PM.
08-09-2006, 12:26 PM, #5
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
Thanks win32sux, I'll try that.
Originally I've had it working with text files since Oct 2005, only using IP.
Hope this is not true:
Note: Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
Now things have changed: I need this proxy to work for 30 VLANs. Might you have an example?
I'll post what I've got as soon as I'm sure that it works OK.
Thanks once again!!!!!
Last edited by AQG; 08-09-2006 at 12:38 PM.
08-09-2006, 12:58 PM, #6
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by AQG
Thanks win32sux, I'll try that.
Originally I've had it working with text files since Oct 2005, only using IP.
Hehe, cool... BTW, if you can show me how you do that it would be greatly appreciated, because I've never really done it and I'd like to learn how...
Quote:
Hope this is not true:
Note: Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
The thing is that MAC addresses don't get routed...
Quote:
Now things have changed: I need this proxy to work for 30 VLANs. Might you have an example?
I'll post what I've got as soon as I'm sure that it works OK.
What's a VLAN??
You're very welcome!!
08-09-2006, 03:19 PM, #7
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
VLAN = Virtual Local Area Network
My server is down; I'll get it running today and send you an example.
08-09-2006, 03:47 PM, #8
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by AQG
VLAN = Virtual Local Area Network
Yeah, I had figured that much... I just wasn't sure how that works... after a quick google, it seems VLANs are done at the data link layer (layer 2)... as such, I would expect the MAC addresses to indeed be carried over, so it should work fine I think... I believe that squid's warning is intended for layers 3 and 4... someone please correct me if I'm wrong...
Quote:
My server is down; I'll get it running today and send you an example.
Great!!! I look forward to your post...
Last edited by win32sux; 08-09-2006 at 03:48 PM.
08-11-2006, 03:14 PM, #9
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
Well, still having some problems. This is what I've got:
Code:
http_port 3128
http_port 8080
cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl manager proto cache_object
acl proxysuse src 127.0.0.1/255.255.255.255
acl full_access_mac arp "/etc/squid/macfree"
acl denied_access_to_web_pages url_regex "/etc/squid/negarfree"
http_access allow full_access_mac !denied_access_to_web_pages
http_access deny all
icp_access allow proxysuse
icp_access allow full_access_mac
icp_access deny all
ftp_user AQG@myplace.com
cache_mgr AQG@myplace.com
visible_hostname proxysuse
httpd_accel_with_proxy on
httpd_accel_single_host on
httpd_accel_host virtual
httpd_accel_port 8080
cache_effective_user squid
cache_effective_group squid
and I get the following error:
Initializing the Squid cache with the command squid -f /etc/squid/squid.conf -z ..
2006/10/08 13:03:50| ACL name 'all' not defined!
FATAL: Bungled squid.conf line 23: http_access deny all
Squid Cache (Version 2.5.STABLE10): Terminated abnormally.
but I don't see anywhere in the config a problem with:
ACL name 'all' not defined!
Any ideas???
Thanks
Last edited by AQG; 08-11-2006 at 03:17 PM.
08-11-2006, 06:08 PM, #10
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
OK, got it working, but now it gives access to all; it does not respect the MAC addresses that I put in "macfree", which are supposed to be the only ones to get internet access.
Code:
http_port 3128
http_port 8080
cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl manager proto cache_object
acl proxysuse src 127.0.0.1
acl all src 0.0.0.0/0.0.0.0
acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl paginas url_regex "/etc/squid/paginas_file"
http_access allow Acceso_Completo_mac paginas !Paginas_Negadas
http_access allow paginas
http_access deny all
icp_access allow proxysuse
icp_access allow Acceso_Completo_mac
icp_access allow Paginas_Negadas
icp_access allow paginas
icp_access deny all
I also have some doubts about the order of the variables..
Please help, I have a deadline for Monday to put this to work. I must restrict access via MAC address.
Any help will be appreciated.
08-12-2006, 08:02 AM, #11
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Try like this:
Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl Paginas_Permitidas url_regex "/etc/squid/paginas_file"
http_access allow localhost
http_access deny Paginas_Negadas
http_access allow Acceso_Completo_mac Paginas_Permitidas
http_access deny all
http_reply_access allow all
icp_access deny all
http_port 8080
icp_port 0
cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname proxy.example.net
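An added example (not code from the thread): a small Python model of Squid's http_access evaluation, run over the acl and http_access lines from posts #10 and #11 (post #10's `paginas` renamed to Paginas_Permitidas, the localhost line omitted, and the three list files replaced by constructed inline entries). It shows why post #10's rule order admits every client that asks for a listed page while post #11's does not, and the arp check models the Squid note quoted in post #5: a client on another subnet has no MAC visible to Squid, so it never matches an arp ACL.

```python
import re
from ipaddress import ip_address as ip, ip_network as net
FILES = {  # constructed stand-ins for the list files the thread's squid.conf references
    "/etc/squid/macfree": ["01:02:03:04:05:06", "02:02:03:04:05:06"],
    "/etc/squid/negarfree": [r"bad\.example\.com"],
    "/etc/squid/paginas_file": [r"example\.com"]}

def parse(conf):  # collect 'acl' definitions and 'http_access' rules in file order
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if parts[:1] == ["acl"]:
            vals = parts[3:]
            if len(vals) == 1 and vals[0].startswith('"'):  # acl NAME type "/file"
                vals = FILES[vals[0].strip('"')]
            acls.setdefault(parts[1], (parts[2], []))[1].extend(vals)
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    typ, vals = acls[name]
    if typ == "src":
        return any(ip(req["src"]) in net(v, strict=False) for v in vals)
    if typ == "arp":  # mac is None when the client is not on a directly attached subnet
        return req["mac"] is not None and req["mac"].lower() in [v.lower() for v in vals]
    if typ == "url_regex":
        return any(re.search(v, req["url"]) for v in vals)
    raise NotImplementedError(typ)

def allowed(conf, src, mac, url):  # first line whose terms ALL match decides; '!' negates
    acls, rules = parse(conf)
    req = {"src": src, "mac": mac, "url": url}
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]  # no line matched: the opposite of the last line's action

ACLS = """acl all src 0.0.0.0/0.0.0.0
acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl Paginas_Permitidas url_regex "/etc/squid/paginas_file"
"""
POST10 = ACLS + """http_access allow Acceso_Completo_mac Paginas_Permitidas !Paginas_Negadas
http_access allow Paginas_Permitidas
http_access deny all"""  # line 2 admits any client that asks for a listed page, MAC or not
POST11 = ACLS + """http_access deny Paginas_Negadas
http_access allow Acceso_Completo_mac Paginas_Permitidas
http_access deny all"""
```

Call `allowed(POST10, "192.168.100.250", "aa:bb:cc:dd:ee:ff", "http://www.example.com/")` to see the unlisted MAC get through, and the same call with POST11 to see it denied.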
08-14-2006, 10:51 AM, #12
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
OK, win32sux, what you sent me looks OK, but it's not letting any traffic go through from the "acceso_completo_mac" file, which contains MAC addresses.
I also have one question regarding the code you sent me:
what does this query do? "acl QUERY urlpath_regex cgi-bin \?"
Any ideas?
Thanks
08-14-2006, 11:17 AM, #13
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
In order for it to let traffic out, I need to change
"http_access deny all" to "http_access allow all",
but then it won't filter by the MAC address file; it will just let all the MACs on my network out.
Last edited by AQG; 08-14-2006 at 11:36 AM.
08-14-2006, 12:26 PM, #14
Member, Original Poster, Registered: Jun 2005, Distribution: SuSE, Red Hat, Posts: 162
It's definitely not respecting the filter by MAC address.
Please, anyone, any ideas?
Like I said before, it does not respect my MAC address file. Is there something else that I need to compile into squid in order for it to do MAC address filtering?
I think my main problem is that I don't know how to compile with "--enable-arp-acl". How or where do I do this!!!!
Thanks!!!!
Last edited by AQG; 08-14-2006 at 12:32 PM.
08-14-2006, 12:29 PM, #15
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Is it respecting the other files?? Like Paginas_Negadas, for example??
Last edited by win32sux; 08-14-2006 at 12:33 PM.