squid acl (Technical > *nix forum)
19th April 2007, 01:57 PM #1 squid acl
trying to block an IP range in squid thru webmin
created an acl
rogue_laptops Client Address 192.168.107.240-192.168.107.246
added it to proxy restrictions and moved it up
Allow manager localhost
Deny manager
Allow purge localhost
Deny purge
Deny !Safe_ports
Deny CONNECT !SSL_ports
Allow localhost
Deny rogue_laptops << here
Allow academic
Deny all
when I try to apply changes:
Failed to reconfigure squid :
2007/04/19 14:48:39| ACL name 'rogue_laptops' not defined!
FATAL: Bungled squid.conf line 1883: http_access deny rogue_laptops
Squid Cache (Version 2.5.STABLE9): Terminated abnormally.
why is this happening?
cheers
andy
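The message in the post above is the one squid prints when an http_access line names an acl that has not been defined at the point squid reaches it: squid.conf is read top to bottom, so every acl must appear on a line above the first http_access that uses it. The following is an added example, not code from the thread or from Webmin, of a small order-aware check over a config excerpt. The excerpt is constructed to mirror the rule list in the post, with the rogue_laptops acl line placed after the rule that uses it; that placement is an assumption used to reproduce the error, not something the thread establishes.

```python
"""Order-aware check of squid.conf http_access lines against acl definitions."""
from typing import List, Tuple

# Constructed squid.conf excerpt (assumption: acl defined after it is used).
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 443
acl SSL_ports port 443
acl academic src 192.168.0.0/255.255.0.0
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny rogue_laptops
http_access allow academic
http_access deny all
acl rogue_laptops src 192.168.107.240/255.255.255.248
"""


def check_acl_references(conf: str) -> List[Tuple[int, str]]:
    """Return (line_number, acl_name) for every http_access reference to an
    acl that squid would not yet have defined when it reaches that line."""
    defined = set()
    problems = []
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "acl" and len(fields) >= 3:
            defined.add(fields[1])
        elif fields[0] == "http_access" and len(fields) >= 3:
            for token in fields[2:]:
                name = token.lstrip("!")  # '!Safe_ports' negates 'Safe_ports'
                if name not in defined:
                    problems.append((lineno, name))
    return problems


def reorder_acls_first(conf: str) -> str:
    """Move every acl line above the first http_access line, keeping order."""
    lines = conf.splitlines()
    acls = [l for l in lines if l.startswith("acl ")]
    rest = [l for l in lines if not l.startswith("acl ")]
    return "\n".join(acls + rest) + "\n"


if __name__ == "__main__":
    for lineno, name in check_acl_references(SAMPLE_CONF):
        print(f"line {lineno}: ACL name '{name}' not defined yet")
    print("after reordering:", check_acl_references(reorder_acls_first(SAMPLE_CONF)))
```

Running the check on the constructed excerpt flags line 16 (the `http_access deny rogue_laptops` rule); moving the acl line above the http_access block clears it.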
19th April 2007, 02:19 PM #2 Re: squid acl
rogue_laptops Client Address 192.168.107.240-192.168.107.246
That is not the correct syntax for a squid acl definition. It should look like this:
Code:
acl rogue_laptops src 192.168.107.240-192.168.107.246/32
19th April 2007, 02:21 PM #3 Re: squid acl
that's what I pasted out of webmin, but in the squid.conf it looks like what you put except the /32. Where'd that come from?
it applies changes ok if I don't create a proxy restriction
19th April 2007, 02:22 PM #4 Re: squid acl
Hmmm....at least it's not CISCO ACLs with wildcard masking....fun fun fun.
19th April 2007, 02:27 PM #5 Re: squid acl
/32 where'd that come from
the 'src' acl type expects ip/subnet. If you want to specify a range you must give it a range of subnets. A /32 subnet is a subnet containing 1 IP address.
19th April 2007, 02:35 PM #6 Re: squid acl
the way webmin does things I can change it to
acl rogue_laptops src 192.168.107.240/255.255.255.248
but it still doesn't like it
the others are like that
acl localservers dst 192.168.0.0/255.255.0.0 127.0.0.1/255.255.255.255
acl localserversdomains dstdomain .lsahtc.net
acl sophosservers dst 10.36.6.20/255.255.255.255
acl rogue_laptops src 192.168.107.240/255.255.255.248
19th April 2007, 02:46 PM #7 Re: squid acl
The usual convention is for a / to be followed by the number of bits in the subnet mask, not an actual subnet mask, isn't it? (or have I got the wrong end of the stick)
i.e.
/8 = 255.0.0.0
/16 = 255.255.0.0
/24 = 255.255.255.0
/32 = 255.255.255.255
So maybe you could work out the number of bits in your subnet mask and try it without the whole mask but using the slash mask instead?
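Posts #5 and #7 above describe two things a practitioner ends up doing by hand: breaking an address range into the subnets a `src` acl can take, and converting between dotted masks and slash prefix lengths. The following is an added example, not code from the thread or from squid, that does both with Python's standard `ipaddress` module and renders the resulting `acl ... src` line; the function names are this example's own. It also expands a mask-style spec so you can see exactly which addresses it matches.

```python
"""Express an IP range as the CIDR subnets a squid 'src' acl expects, and
convert between dotted netmasks and slash prefix lengths."""
import ipaddress
from typing import List


def range_to_subnets(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR blocks covering exactly first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.248' -> 29; raises ValueError for a non-contiguous mask."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix: int) -> str:
    """29 -> '255.255.255.248'"""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def squid_src_acl(name: str, first: str, last: str, dotted: bool = False) -> str:
    """Render 'acl NAME src ...' with one entry per covering subnet, either in
    slash-prefix form (default) or in the dotted-mask form webmin writes."""
    specs = []
    for net in range_to_subnets(first, last):
        mask = net.netmask if dotted else net.prefixlen
        specs.append(f"{net.network_address}/{mask}")
    return f"acl {name} src " + " ".join(specs)


def addresses_covered(spec: str) -> List[str]:
    """Expand 'addr/mask' (dotted mask or prefix) into every address it matches,
    so an over-broad mask is visible before it goes into squid.conf."""
    net = ipaddress.IPv4Network(spec, strict=False)
    return [str(a) for a in net]


if __name__ == "__main__":
    # Constructed input: the range from the thread.
    print(squid_src_acl("rogue_laptops", "192.168.107.240", "192.168.107.246"))
    print(squid_src_acl("rogue_laptops", "192.168.107.240", "192.168.107.246", dotted=True))
    print(mask_to_prefix("255.255.255.248"), prefix_to_mask(16))
    print(addresses_covered("192.168.107.240/255.255.255.248"))
```

For the thread's range of .240 to .246 the exact cover is three blocks (a /30, a /31 and a /32), whereas the single /29 mask 255.255.255.248 matches eight addresses, .240 through .247, so it also catches .247; whether that extra address matters is a decision for whoever owns the reservation range.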
19th April 2007, 02:58 PM #8
19th April 2007, 03:04 PM #9 Re: squid acl
well, it's already working with the netmasks. I'm trying to block students' own laptops, which they're plugging into the network and getting an IP thru DHCP, but I'm forcing them onto a specific range with reservations. Had a thought: I block them if they don't have a FQDN by having an
allowing acl fqdn srcdomain .ourdomain.lancs.sch.uk and refusing anything else, but webmin is coming back with the same sort of error
19th April 2007, 03:16 PM #10 Re: squid acl
I'm trying to block students' own laptops which they're plugging into the network and getting an IP thru DHCP
Wrong tool for the job. You need to implement Network Access Control. I discussed the implementation of this previously, either with 802.1X
http://www.edugeek.net/index.php?nam...ewtopic&t=4767
or using Packetfence.
http://www.edugeek.net/index.php?nam...ewtopic&t=7650
19th April 2007, 03:24 PM #11 Re: squid acl
network access control on the DHCP? haven't got time for that. this is (was) a quick fix to stop them getting on the internet, which is why they do it.
19th April 2007, 03:31 PM #12 Re: squid acl
How are they getting the WEP/WPA key?
19th April 2007, 03:31 PM #13 Re: squid acl
Packet Fence uses ARP poisoning by default. You can use DHCP or VLAN isolation instead if you prefer.
802.1X works just like it does for WiFi, however your switches need to support it.
19th April 2007, 03:34 PM #14 Re: squid acl
they're unplugging pcs and using the cable
19th April 2007, 03:42 PM #15 Re: squid acl
You misunderstand how PacketFence works. Nodes must register (via their mac address) with PacketFence before they are allowed network access. This can either be automated or pre-configured or a mixture.
In your situation you'd probably want a simple pre-configured setup.