> > I don't like using the default acl for my users. I'd much rather
> > identify my users and deal with them as a source group(s), and leave
> > the default acl for the people I don't know. That always seems to
> > work better.
> >
>
> I'm not working on a production box. It's just a test bed that only I
> use. I don't mind being default in that case ;-). On our production
> boxes we have acls pretty much as you've described.

I guess what I left unsaid was that I've seen things that work in
a non-default acl stop working in the default acl. I can't explain
why so I try to avoid mentioning it specifically, but you're not
going to let me get away with that. :)

It doesn't make sense, but that's pretty much the only major
difference between your config and mine, and !in-addr works here.

Rick

Mike Rambo wrote:
>
> On Wed, 2004-03-31 at 23:03, Rick Matthews wrote:
> > Mike Rambo wrote:
> > >
> > > We're trying to prevent students from bypassing our filter by using
> > > ip addresses instead of urls. It is quite unpleasant to go through
> > > and put in an ip address for every url we want to block. I've found
> > > a reference in the docs for using !in-addr in the ACL's to enforce
> > > the use of url's instead of ip addresses but it isn't working.
> > <snip>
> >
> > It works here. Let's see what could be wrong.
> >
> > > Here are the relevant sections of squidGuard.conf (possibly
> > > line-wrapped in a nasty manner).
> > >
> > > dest ipaddress {
> > > log local-block
> > > expressionlist ipaddress/expressions
> > > redirect
> > > 302:http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a\
> > > &clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
> > > }
> > >
> > > acl {
> > > default {
> > > pass !local-block local-ok !in-addr !ipaddress !aggressive \
> > > !drugs !gambling !hacking !porn !proxy !violence !warez all
> > > }
> > > }
> >
> > I can see you're a belt AND suspenders kind of guy! :)
> >
> > When you use !in-addr you don't need a destination group of ip
> > addresses, and you don't need the ip address expressionlist.
> >
>
> Not really. The only reason both !in-addr and !ipaddress were there was
> to show how I was trying to use them. I had tried !in-addr, had no luck,
> removed it, then tried the regex expression route. I just pasted
> !in-addr back in the list to show how I had tried to use it. Sorry about
> the confusion.
>
> > I don't like using the default acl for my users. I'd much rather
> > identify my users and deal with them as a source group(s), and leave
> > the default acl for the people I don't know. That always seems to
> > work better.
> >
>
> I'm not working on a production box. It's just a test bed that only I
> use. I don't mind being default in that case ;-). On our production
> boxes we have acls pretty much as you've described.
>
> > I also think that it's much better for your users if you do not use
> > the 302: in your redirects. The process is much more intuitive for
> > them without the 302:.
> >
>
> Done.
>
> <snip>
>
> > Try those suggestions and let me know how it goes.
> >
> > Rick
>
> When I saw your config suggestion I had actually thought I'd seen where
> my error was. But I was wrong. It still doesn't work for me. I had at
> first thought that the failure was because I had no redirect active in
> the acl itself which caused matches for !in-addr to have nowhere to
> redirect. I have put the redirects up in the dest blocks because I need
> a different redirect for banner ad blocking.
>
> I'll paste the entire .conf file this time instead of only small parts.
>
> dbhome /var/squidGuard
> logdir /var/log/squidGuard
>
> dest ads {
> log ads
> domainlist blacklists/ads/domains
> urllist blacklists/ads/urls
> redirect http://10.8.16.7/1x1.gif
> }
>
> dest audio-video {
> log audio-video
> domainlist blacklists/audio-video/domains
> urllist blacklists/audio-video/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest aggressive {
> log aggressive
> domainlist blacklists/aggressive/domains
> urllist blacklists/aggressive/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest drugs {
> log drugs
> domainlist blacklists/drugs/domains
> urllist blacklists/drugs/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest forums {
> log forums
> domainlist blacklists/forums/domains
> urllist blacklists/forums/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest gambling {
> log gambling
> domainlist blacklists/gambling/domains
> urllist blacklists/gambling/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest hacking {
> log hacking
> domainlist blacklists/hacking/domains
> urllist blacklists/hacking/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest mail {
> log mail
> domainlist blacklists/mail/domains
> urllist blacklists/mail/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest porn {
> log porn
> domainlist blacklists/porn/domains
> urllist blacklists/porn/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest proxy {
> log proxy
> domainlist blacklists/proxy/domains
> urllist blacklists/proxy/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest violence {
> log violence
> domainlist blacklists/violence/domains
> urllist blacklists/violence/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest warez {
> log warez
> domainlist blacklists/warez/domains
> urllist blacklists/warez/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest local-ok {
> domainlist blacklists/local-ok/domains
> urllist blacklists/local-ok/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> dest local-block {
> log local-block
> domainlist blacklists/local-block/domains
> urllist blacklists/local-block/urls
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
> }
>
> rewrite search_engines {
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
> [EMAIL PROTECTED]://images.google.com/[EMAIL PROTECTED]://www.google.com/[EMAIL
> PROTECTED]
> }
>
> acl {
> default {
> rewrite search_engines
> pass !local-block local-ok !in-addr !aggressive !drugs
> !gambling !hacking !porn !proxy !violence !warez all
> redirect
> http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
> &srcclass=%s&targetgroup=%t&url=%u
>
> }
> }
>
> Thanks.
>
>
> Mike
>
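
Added example (not part of the original messages, and not either poster's actual configuration): a minimal squidGuard.conf that combines the three suggestions made in the thread, namely a named source group instead of the default acl, !in-addr with no separate ipaddress destination or expressionlist, and a redirect without the 302: prefix. The group name "students" and the 10.8.0.0/16 client range are assumptions; the paths and the redirect URL are the ones quoted above.

```conf
# Added example; "students" and 10.8.0.0/16 are assumed values.
dbhome /var/squidGuard
logdir /var/log/squidGuard

# Known clients get their own source group, so the default acl is
# left for requests from addresses that match no group.
src students {
    ip 10.8.0.0/16
}

dest porn {
    log        porn
    domainlist blacklists/porn/domains
    urllist    blacklists/porn/urls
}

acl {
    students {
        # in-addr is a built-in destination: no dest block and no
        # expressionlist of IP patterns are defined for it.
        pass !in-addr !porn all
        # The acl-level redirect is used for in-addr matches,
        # since in-addr has no dest block to carry its own redirect.
        redirect http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
    }

    default {
        # Unknown clients: deny everything.
        pass none
        redirect http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
    }
}

# Checking the rule without going through Squid (constructed request
# lines; replace <this-file> with the path of this config):
#   echo "http://192.0.2.10/ 10.8.0.25/- - GET" | squidGuard -c <this-file> -d
#   echo "http://www.example.com/ 10.8.0.25/- - GET" | squidGuard -c <this-file> -d
# A blocked request is answered with the redirect URL, a passed one
# with an empty line.
```

Running the two request lines from a client address inside and outside the source group shows whether a request is being handled by the students acl or is falling through to default, which is the difference discussed in the reply above.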