On Mon, 24 May 2004, Jose Nathaniel Nengasca wrote:

> And by the way, 192.168.0.0/255.255.0.0 is correct? are you using class B on
> 192.168? instead of using class C?

Network classes are meaningless in the context of Squid Access Control 
Lists.  Either of the following forms will match any host assigned an IP 
address with 192.168 in the high-order octets of the source address.

        acl localnet src 192.168.0.0/16
        acl localnet src 192.168.0.0/255.255.0.0

The following acl shouldn't match anything as the netmask requires all 
octets of the IP address to be 0.

        acl all src 0.0.0.0/255.255.255.255

The following acl matches all IP addresses.

        acl all src 0.0.0.0/0.0.0.0

The following should work.

        http_access allow localnet
        http_access deny  !localnet
        http_access allow all

Merton Campbell Crockett

> 
> ----- Original Message ----- 
> From: "Jose Nathaniel Nengasca" <[EMAIL PROTECTED]>
> To: "Squid Mailing List" <[EMAIL PROTECTED]>
> Sent: Monday, May 24, 2004 11:12 AM
> Subject: Re: [squid-users] TCP_DENIED/403 1402 GET
> 
> 
> > It seems that your netmask ACL on ALL is a bit messy, try not to use
> > 255.255.255.255, use 0.0.0.0 instead...
> >
> >
> > > Hello,
> > >
> > > I searched the archives, edited my ACLs, but I can't figure this one
> > > out. A Version 2.5.STABLE5 that seemed to be working fine is now
> > > rejecting users with an access denied message. My access log has
> > > entries like the following:
> > >
> > >
> > > 1085339278.198      2 192.168.253.14 TCP_DENIED/403 1352 GET
> > > http://slashdot.org/ - NONE/- text/html
> > > 1085340459.256      2 192.168.253.14 TCP_DENIED/403 1356 GET
> > > http://macintouch.com/ - NONE/- text/html
> > >
> > >
> > > My squid box is sitting in a DMZ behind the firewall, so I'd like to
> > > just run pretty lax security on it.  The conf file, which I'm trying to
> > > keep simple, has the following ACLs:
> > >
> > > acl all src 0.0.0.0/255.255.255.255
> > > http_access allow src 192.168.0.0/255.255.0.0
> > > http_access allow all # Added out of frustration
> > > http_access deny all
> > >
> > > Thoughts?
> > > --jorn
> >
> 
> 
> 

-- 
BEGIN:                          vcard
VERSION:                        3.0
FN:                             Merton Campbell Crockett
ORG:                            General Dynamics Advanced Information Systems;
                                Intelligence and Exploitation Systems
N:                              Crockett;Merton;Campbell
EMAIL;TYPE=internet:            [EMAIL PROTECTED]
TEL;TYPE=work,voice,msg,pref:   +1(805)497-5045
TEL;TYPE=work,fax:              +1(805)497-5050
TEL;TYPE=cell,voice,msg:        +1(805)377-6762
END:                            vcard
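A small model of the netmask matching and first-match http_access evaluation discussed in the reply above, added here as an illustration; it is not Squid's own code and not part of the original thread. It assumes plain bitwise matching for src ACLs (client address AND mask equals network AND mask) and Squid's documented rule that when no http_access line matches, the result is the opposite of the last line's action. The two config snippets inside are constructed from the ACL forms quoted in the thread; the function names (parse_src_spec, src_matches, parse_config, http_access, decide) are this example's own.

```python
"""Model of Squid 'acl ... src' netmask matching and first-match
http_access evaluation.  Constructed example, not Squid source."""
import ipaddress


def parse_src_spec(spec: str):
    """Turn 'A.B.C.D/N' or 'A.B.C.D/M.M.M.M' into (network, mask) ints.

    Both spellings of the same range produce identical values, which is
    why 192.168.0.0/16 and 192.168.0.0/255.255.0.0 behave the same."""
    addr, _, mask = spec.partition("/")
    addr_int = int(ipaddress.IPv4Address(addr))
    if mask == "":
        mask_int = 0xFFFFFFFF                      # bare host: exact match
    elif mask.isdigit():                           # CIDR prefix length
        bits = int(mask)
        mask_int = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF if bits else 0
    else:                                          # dotted-quad mask
        mask_int = int(ipaddress.IPv4Address(mask))
    return addr_int & mask_int, mask_int


def src_matches(spec: str, client_ip: str) -> bool:
    """Assumed src semantics: (client & mask) == (network & mask)."""
    net, mask = parse_src_spec(spec)
    return (int(ipaddress.IPv4Address(client_ip)) & mask) == net


def parse_config(text: str):
    """Collect 'acl NAME src ...' definitions and http_access lines in order.
    Trailing '#' comments are stripped, as Squid does."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) > 3 and words[2] == "src":
            acls.setdefault(words[1], []).extend(words[3:])
        elif words[0] == "http_access" and len(words) > 2:
            rules.append((words[1], words[2:]))
    return acls, rules


def http_access(acls, rules, client_ip: str) -> str:
    """First http_access line whose ACL terms all match decides.
    A '!' prefix negates a term.  Undefined ACL names are an error,
    mirroring Squid refusing such a config at startup."""
    for action, terms in rules:
        hit = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise ValueError(f"undefined acl {name!r}")
            matched = any(src_matches(s, client_ip) for s in acls[name])
            if matched == negate:       # term failed (or negated term hit)
                hit = False
                break
        if hit:
            return action
    if not rules:
        return "deny"                   # assumption for an empty rule list
    # No line matched: Squid's default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text: str, client_ip: str) -> str:
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, client_ip)


# Constructed config following the rule set recommended in the reply.
RECOMMENDED = """
acl localnet src 192.168.0.0/16
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access deny  !localnet
http_access allow all
"""

# Constructed config using the 'all' mask the thread warns about: the ACL
# matches only 0.0.0.0, so 'allow all' matches nobody and the fall-through
# default (opposite of the last line) denies every client.
BROKEN_ALL = """
acl all src 0.0.0.0/255.255.255.255
http_access allow all
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("recommended", RECOMMENDED), ("broken all", BROKEN_ALL)):
        for ip in ("192.168.253.14", "10.0.0.5"):
            print(f"{cfg_name:12s} {ip:16s} -> {decide(cfg, ip)}")
```

Running the block prints one decision per (config, client) pair; the 192.168.253.14 address from the quoted access log is allowed under the recommended rules but denied under the broken `all` definition, even though that config says `allow all`.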
