RE: [squid-users] dstdomain acl is not working for IP addresses- squid-STABLE10
Henrik,

>> I realized that this IP number doesn't have a reverse lookup, but,
>> in this case, how to solve the problem? If I use the IP the URL is
>> loaded fine.
>
> The most reliable method is to add the IP to your blacklist after you have
> confirmed using the IP gives the same site.
>
> There is no automatic means by which Squid can magically determine that
> http://www.miniclip.com and http://66.165.172.181 are the same site, all it
> can determine is that the two are served by the same server
> (66.165.172.181).
>
> As already mentioned Squid assumes that if the reverse lookup of an IP
> returns something then this is the main use of that IP.
>
> If you want to be strict about this and block every site on servers
> hosting sites you have blacklisted then use the dst type ACL instead of
> dstdomain.
>
>     acl badservers dst www.miniclip.com
>
> will match all sites on the 66.165.172.181 (www.miniclip.com) server,
> including http://www.miniclip.com/ and http://66.165.172.181/ but also any
> other site which may be hosted on the same server.

I will use the first approach you suggested, actually I had already tested it, and I will try the others.

Really thank you for your attention.

Regards,
Freitas
RE: [squid-users] dstdomain acl is not working for IP addresses- squid-STABLE10
On Fri, 3 Jun 2005 [EMAIL PROTECTED] wrote:

> I am still looking for help.
> I realized that this IP number doesn't have a reverse lookup, but, in
> this case, how to solve the problem? If I use the IP the URL is
> loaded fine.

The most reliable method is to add the IP to your blacklist after you have confirmed using the IP gives the same site.

There is no automatic means by which Squid can magically determine that http://www.miniclip.com and http://66.165.172.181 are the same site, all it can determine is that the two are served by the same server (66.165.172.181).

As already mentioned Squid assumes that if the reverse lookup of an IP returns something then this is the main use of that IP.

If you want to be strict about this and block every site on servers hosting sites you have blacklisted then use the dst type ACL instead of dstdomain.

    acl badservers dst www.miniclip.com

will match all sites on the 66.165.172.181 (www.miniclip.com) server, including http://www.miniclip.com/ and http://66.165.172.181/ but also any other site which may be hosted on the same server.

Regards
Henrik
RE: [squid-users] dstdomain acl is not working for IP addresses- squid-STABLE10
> I am still looking for help.
> I realized that this IP number doesn't have a reverse lookup, but, in
> this case, how to solve the problem? If I use the IP the URL is
> loaded fine.

Perhaps an external acl which does
- a reverse DNS lookup for IP addresses, and denies domains without a reverse DNS
- Compares the rDNS lookup with your blacklist

Joost
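The external ACL approach suggested in the message above, sketched as an added example that is not part of the original thread or of Squid itself: a helper that answers one OK/ERR line per destination, matching IP-literal destinations that have no reverse DNS or whose reverse name is blacklisted. The helper path, ACL names and sample blacklist are assumptions.

```python
"""Squid external ACL helper: match IP-literal destinations by reverse DNS.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type rdns_check %DST /usr/local/bin/rdns_check.py
  acl bad_ip_dst external rdns_check
  http_access deny bad_ip_dst
"""
import ipaddress
import socket
import sys

# Constructed sample; in practice load the same file the dstdomain ACL uses.
BLACKLIST = {".miniclip.com"}

def reverse_lookup(ip):
    """Return the PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def in_blacklist(host, blacklist=BLACKLIST):
    """dstdomain-style match: '.example.com' also covers its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in blacklist)

def verdict(dst, resolver=reverse_lookup, blacklist=BLACKLIST):
    """Return 'OK' (ACL matches, request is denied) or 'ERR' (no match)."""
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return "ERR"  # a hostname: leave it to the dstdomain ACL
    name = resolver(dst)
    if name is None:
        return "OK"   # IP literal without reverse DNS: deny
    return "OK" if in_blacklist(name, blacklist) else "ERR"

if __name__ == "__main__":
    for line in sys.stdin:  # one request per line, one answer per line
        fields = line.split()
        print(verdict(fields[0]) if fields else "ERR", flush=True)
```

Denying every IP literal without a PTR record would also block cases like the Hotmail downloads mentioned in the thread if those addresses have no reverse DNS; an allow rule for known-good addresses placed ahead of this one covers that.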
RE: [squid-users] dstdomain acl is not working for IP addresses- squid-STABLE10
Hello,

>> Hello,
>>
>> squid-STABLE10 ( compiled from the official source )
>> Linux - Slackware
>>
>> I am having troubles with dstdomain acl.
>> I have already looked at my confs and they seem to be correct.
>> Could someone, please, help me to find what is the problem?
>>
>> My conf, and some example of files used there, are at the bottom.
>>
>> Let's use, arbitrary, for example, the domain: miniclip.com
>>
>> As could be seen in confs, I have this domain in dst_a(acl), but if
>> I try to access www.miniclip.com using 66.165.172.181 ip address it
>> loads with no problem.
>>
>
> You might have picked a bad example... 66.165.172.181 does not have any
> in-addr.arpa information associated with it. In other words, a reverse
> lookup for 66.165.172.181 does not return a hostname. No way for squid to
> know that they are one and the same.

I am still looking for help.
I realized that this IP number doesn't have a reverse lookup, but, in this case, how to solve the problem? If I use the IP the URL is loaded fine.

>> I have tried some regex to get ip addresses in url_regex acl, but I
>> got some problems, as, for example, hotmail. When trying to download
>> files there, the URL is generated using ip addresses and gets
>> blocked. So, I have to get dstdomain working.
>>
>
> Perhaps you should white list a few IP addresses (or ranges) as IP
> addresses, and deny the rest by default.

It is very complicated to obtain, because I have a lot of sites to block by dstdomain and I can't predict where a problem will appear with an IP address used at URL instead of server name.

Did I miss something?
I am still looking for a solution.
Thank you for your attention.

Cheers,
Freitas
RE: [squid-users] dstdomain acl is not working for IP addresses- squid-STABLE10
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 31, 2005 9:41 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] dstdomain acl is not working for IP addresses-
> squid-STABLE10
>
>
> Hello,
>
> squid-STABLE10 ( compiled from the official source )
> Linux - Slackware
>
> I am having troubles with dstdomain acl.
> I have already looked at my confs and they seem to be correct.
> Could someone, please, help me to find what is the problem?
>
> My conf, and some example of files used there, are at the bottom.
>
> Let's use, arbitrary, for example, the domain: miniclip.com
>
> As could be seen in confs, I have this domain in dst_a(acl), but if I
> try to access www.miniclip.com using 66.165.172.181 ip address it
> loads with no problem.
>

You might have picked a bad example... 66.165.172.181 does not have any in-addr.arpa information associated with it. In other words, a reverse lookup for 66.165.172.181 does not return a hostname. No way for squid to know that they are one and the same.

> I have tried some regex to get ip addresses in url_regex acl, but I
> got some problems, as, for example, hotmail. When trying to download
> files there, the URL is generated using ip addresses and gets
> blocked. So, I have to get dstdomain working.
>

Perhaps you should white list a few IP addresses (or ranges) as IP addresses, and deny the rest by default.

> I have a lot of more lines in dst_a.txt and porn_a.txt.
>
> Please, what did I miss?
> Thank you for your attention.
>
> Freitas

---SNIP---

Chris