*nix Thread, squid acl in Technical
#1 browolf

    squid acl

Trying to block an IP range in Squid through Webmin.

Created an acl:
rogue_laptops Client Address 192.168.107.240-192.168.107.246

Added it to proxy restrictions and moved it up:

    Allow manager localhost
    Deny manager
    Allow purge localhost
    Deny purge
    Deny !Safe_ports
    Deny CONNECT !SSL_ports
    Allow localhost
    Deny rogue_laptops << here
    Allow academic
    Deny all

When I try to apply changes:

    Failed to reconfigure squid :
    2007/04/19 14:48:39| ACL name 'rogue_laptops' not defined!
    FATAL: Bungled squid.conf line 1883: http_access deny rogue_laptops
    Squid Cache (Version 2.5.STABLE9): Terminated abnormally.


Why is this happening?

    cheers

    andy

#2 Geoff

    rogue_laptops Client Address 192.168.107.240-192.168.107.246
    That is not the correct syntax for a squid acl definition. It should look like this:

    Code:
    acl rogue_laptops src 192.168.107.240-192.168.107.246/32

#3 browolf

That's what I pasted out of Webmin, but in the squid.conf it looks like what you put, except the /32. Where'd that come from?
It applies changes OK if I don't create a proxy restriction.

#4 Joedetic

Hmmm... at least it's not Cisco ACLs with wildcard masking... fun fun fun.

#5 Geoff

/32 where'd that come from
The 'src' acl type expects ip/subnet. If you want to specify a range you must give it a range of subnets. A /32 subnet is a subnet containing 1 IP address.

#6 browolf

The way Webmin does things, I can change it to

acl rogue_laptops src 192.168.107.240/255.255.255.248

but it still doesn't like it.

The others are like that:
    acl localservers dst 192.168.0.0/255.255.0.0 127.0.0.1/255.255.255.255
    acl localserversdomains dstdomain .lsahtc.net
    acl sophosservers dst 10.36.6.20/255.255.255.255
    acl rogue_laptops src 192.168.107.240/255.255.255.248

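Squid reads squid.conf top to bottom, and an http_access line can only name an acl that has already been defined above it; an acl defined further down the file, or not at all, is one common cause of the exact "ACL name '...' not defined!" fatal quoted in the first post. The following is an added example, not code from this thread, from Squid or from Webmin: a small Python checker that walks a squid.conf excerpt in file order, validates src/dst address specs in the dotted-netmask form shown above (and in prefix-length and addr1-addr2 form), and reports access lines that refer to an acl not yet defined. The sample config, including the acl placed after its first use, is constructed for the demonstration.

```python
import ipaddress

# Constructed squid.conf excerpt for this example (not the poster's real file).
# The http_access line for rogue_laptops sits ABOVE the acl that defines it,
# an ordering Squid rejects with "ACL name 'rogue_laptops' not defined!".
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl academic src 192.168.0.0/255.255.0.0
acl localservers dst 192.168.0.0/255.255.0.0 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny rogue_laptops
http_access allow academic
http_access deny all
acl rogue_laptops src 192.168.107.240/255.255.255.248
"""

# Same content with the acl moved above its first use (also constructed).
FIXED_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl academic src 192.168.0.0/255.255.0.0
acl localservers dst 192.168.0.0/255.255.0.0 127.0.0.1/255.255.255.255
acl rogue_laptops src 192.168.107.240/255.255.255.248
http_access allow localhost
http_access deny rogue_laptops
http_access allow academic
http_access deny all
"""

# Directives whose arguments (after allow/deny) are acl names.
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "icp_access",
                     "always_direct", "never_direct", "cache"}


def check_addr_spec(spec):
    """Validate one src/dst argument: ip, ip/prefix, ip/netmask or addr1-addr2[/mask].
    Returns an error string, or None if the spec parses."""
    host_part, _, mask = spec.partition("/")
    first, _, last = host_part.partition("-")
    try:
        ipaddress.ip_address(first)
        if last:
            ipaddress.ip_address(last)
        if mask:
            # ip_network accepts both "/29" and "/255.255.255.248"
            ipaddress.ip_network(f"{first}/{mask}", strict=False)
    except ValueError:
        return f"malformed address spec '{spec}'"
    return None


def lint_squid_conf(text):
    """Walk the config in file order; return [(line_no, message), ...]."""
    problems = []
    defined = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "acl" and len(fields) >= 4:
            name, acltype, args = fields[1], fields[2], fields[3:]
            if acltype in ("src", "dst"):
                for arg in args:
                    err = check_addr_spec(arg)
                    if err:
                        problems.append((n, err))
            defined.add(name)                   # visible to lines below this one
        elif fields[0] in ACCESS_DIRECTIVES and len(fields) >= 3:
            for ref in fields[2:]:
                name = ref.lstrip("!")          # "!Safe_ports" still names Safe_ports
                if name not in defined:
                    problems.append((n, f"ACL name '{name}' not defined above this line"))
    return problems


if __name__ == "__main__":
    for lineno, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Run against SAMPLE_CONF it flags line 6; against FIXED_CONF it is silent. The address check is deliberately strict about the Webmin display text ("Client Address ...") because that is not a Squid address spec, while the range form with a trailing /32 passes.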
#7 Joedetic

The usual convention is for a / to be followed by the number of bits in the subnet mask, not an actual subnet mask, isn't it? (Or have I got the wrong end of the stick?)

i.e.
    /8 = 255.0.0.0
    /16 = 255.255.0.0
    /24 = 255.255.255.0
    /32 = 255.255.255.255

So maybe you could work out the number of bits in your subnet mask and try it without the whole mask, using the slash mask instead?

#8 Geoff

    That's a /29.

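As an added example (not code from the thread), here is the range-to-CIDR conversion behind the /29 answer, done with Python's ipaddress module. 255.255.255.248 is indeed /29, and a /29 beginning at .240 spans .240 through .247, so it also matches .247, one address outside the requested range. Covering exactly .240 to .246 takes three blocks (/30, /31 and /32), which Squid accepts on a single acl line either in prefix-length form or in the dotted-netmask form Webmin writes. The acl name and range are the ones from the thread; nothing else is assumed.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that covers exactly first..last inclusive."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def squid_src_acl(name, first, last, netmask_style=False):
    """One 'acl NAME src ...' line covering the range.
    Squid takes several address specs on one acl line, so the blocks are
    space-separated; netmask_style=True emits ip/dotted-mask as Webmin does."""
    specs = []
    for cidr in range_to_cidrs(first, last):
        net = ipaddress.ip_network(cidr)
        if netmask_style:
            specs.append(f"{net.network_address}/{net.netmask}")
        else:
            specs.append(net.with_prefixlen)
    return f"acl {name} src " + " ".join(specs)


def extra_hosts_in_block(first, last, prefixlen):
    """Addresses a single /prefixlen block around `first` would also match
    beyond first..last, i.e. what a rounded-up mask such as /29 over-blocks."""
    block = ipaddress.ip_network(f"{first}/{prefixlen}", strict=False)
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(h) for h in block if not lo <= int(h) <= hi]


if __name__ == "__main__":
    rng = ("192.168.107.240", "192.168.107.246")
    print(squid_src_acl("rogue_laptops", *rng))
    print(squid_src_acl("rogue_laptops", *rng, netmask_style=True))
    print("a /29 would additionally match:", extra_hosts_in_block(*rng, 29))
```

If over-blocking .247 is acceptable (it is unassigned in the poster's reservation range), the single /29 is simpler to read; if the range must be exact, use the three-block line.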
#9 browolf

Well, it's already working with the netmasks. I'm trying to block students' own laptops, which they're plugging into the network and getting an IP through DHCP, but I'm forcing them onto a specific range with reservations. Had a thought: I could block them if they don't have an FQDN by having an

allowing acl fqdn srcdomain .ourdomain.lancs.sch.uk and refusing anything else, but Webmin is coming back with the same sort of error.

#10 Geoff

    i'm trying block students own laptops which they're plugging into the network and getting a ip thru dhcp
Wrong tool for the job. You need to implement Network Access Control. I discussed the implementation of this previously, either with 802.1X

    http://www.edugeek.net/index.php?nam...ewtopic&t=4767

    or using Packetfence.

    http://www.edugeek.net/index.php?nam...ewtopic&t=7650

#11 browolf

Network access control on the DHCP? Haven't got time for that. This is (was) a quick fix to stop them getting on the internet, which is why they do it.

#12 Joedetic

    How are they getting the WEP/WPA key?

#13 Geoff

Packet Fence uses ARP poisoning by default. You can use DHCP or VLAN isolation instead if you prefer.

    802.1X works just like it does for WiFi, however your switches need to support it.

#14 browolf

They're unplugging PCs and using the cable.

#15 Geoff

    You misunderstand how PacketFence works. Nodes must register (via their mac address) with PacketFence before they are allowed network access. This can either be automated or pre-configured or a mixture.

    In your situation you'd probably want a simple pre-configured setup.
