Hi,
Thanks, that pointed me in a better direction...
I now have SquidGuard doing the access control - almost...
I have a squid.conf acl as follows
acl localnet src 192.168.5.0/26
and the relevant access line as follows
http_access allow localnet
Here is my squidGuard.conf
===================================
source FullAccess {
    ip 192.168.5.56
}
source localnet {
    ip 192.168.5.0/26
}
destination banks {
    urllist Banks.desturllist
    domainlist Banks.destdomainlist
}
destination bl_gambling {
    urllist blacklists/gambling/urls
    domainlist blacklists/gambling/domains
    log gambling.log
}
destination bl_porn {
    urllist blacklists/porn/urls
    domainlist blacklists/porn/domains
    log porn.log
}
destination bl_drugs {
    urllist blacklists/drugs/urls
    domainlist blacklists/drugs/domains
    log drugs.log
}
acl {
    #localnet {
    #    pass Banks in-addr
    #}
    FullAccess {
        pass !bl_gambling !bl_porn !bl_drugs
        redirect http://proxy.domain
    }
    localnet {
        pass !bl_gambling !bl_porn !bl_drugs banks
        redirect http://proxy.domain/1
    }
    #localnet {
    #    pass none
    #    redirect http://proxy.domain/2
    #}
    default {
        pass none
        redirect http://proxy.domain/default
    }
}
===================================
This is what I'm trying to achieve...
3 test sites
www.suidguard.com (not listed in any of the access lists)
www.standardbank.co.za (listed as standardbank.co.za in
"Banks.destdomainlist" and as www.standardbank.co.za in "Banks.desturllist")
www.casino.com (listed as casino.com in "domainlist
blacklists/gambling/domains")
2 test IPs that I'm using are 192.168.5.56 & 192.168.5.55
my aim is...
192.168.5.55 - www.suidguard.com - to be denied
192.168.5.55 - www.standardbank.co.za - to be allowed
192.168.5.55 - www.casino.com - to be denied
192.168.5.56 - www.suidguard.com - to be allowed (IP in FullAccess list)
192.168.5.56 - www.standardbank.co.za - to be allowed
192.168.5.56 - www.casino.com - to be denied
What is currently happening...
192.168.5.55 - www.suidguard.com - is being allowed (this is the main prob
now - IP NOT in FullAccess list)
192.168.5.55 - www.standardbank.co.za - is being allowed (this is fine)
192.168.5.55 - www.casino.com - is being denied & redirected to
http://malproxy.maltoy.co.za/1 (correct)
192.168.5.56 - www.suidguard.com - is being allowed (correct)
192.168.5.56 - www.standardbank.co.za - is being allowed (correct)
192.168.5.56 - www.casino.com - is being denied & redirected to
http://malproxy.maltoy.co.za (correct)
Basically .55 should ONLY have access to the "Banks" sites
and .56 should have access to all except the blocked blacklists.
Please help again as I just can't seem to get this working.
Regards
------------------------
Rhys McWilliams
Network Administrator
Kerridge Computer Company Ltd. (S.A.)
Johannesburg, South Africa
Tel: +27 11 796 1000 Fax: +27 11 796 1100
http://www.kerridge.co.za/
mailto:[EMAIL PROTECTED]
----------
From: Patrick Boutilier <[EMAIL PROTECTED]>
Sent: Tue 2004/11/23 13:40
To: Rhys McWilliams <[EMAIL PROTECTED]>
Subject: Re: SquidGuard (1.2.0) and Squid (2.5.STABLE6-3) on Fedora Core 3
Rhys McWilliams wrote:
> Hi,
>
> I've been struggling with this for a few days now...
The squid ACLs take precedence over squidGuard. If squid is configured
to "deny all" that is what will happen. SquidGuard is a filter that
works in conjunction with Squid. Reset up the Squid acls the way you had
them working before and test SquidGuard that way. For example try to go
to a site that you believe should be blocked.
<snip>
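
Added example, not part of the original thread and not squidGuard code: a simplified Python model of the source selection and left-to-right "pass" evaluation, run over the six test cases from the message. It assumes that a pass list ending without "all" or "none" allows the request (consistent with the results reported above); the EXPLICIT rule set is a hypothetical rewrite, and the empty porn/drugs lists are constructed sample data.

```python
# Added illustration: a simplified model of how squidGuard picks a source and
# walks a "pass" list. Not squidGuard code. Assumption: a pass list that ends
# without "all" or "none" allows the request, which matches the results
# reported in the message.
import ipaddress

SOURCES = [("FullAccess", "192.168.5.56/32"), ("localnet", "192.168.5.0/26")]
DESTS = {  # constructed from the list entries quoted in the message
    "banks": {"standardbank.co.za"},
    "bl_gambling": {"casino.com"},
    "bl_porn": set(),
    "bl_drugs": set(),
}
BLOCK = ["!bl_gambling", "!bl_porn", "!bl_drugs"]
POSTED = {"FullAccess": BLOCK, "localnet": BLOCK + ["banks"], "default": ["none"]}
# Hypothetical rewrite: explicit terminators, whitelist-only for localnet.
EXPLICIT = {"FullAccess": BLOCK + ["all"], "localnet": ["banks", "none"],
            "default": ["none"]}

def in_list(host, domains):
    """A domainlist entry matches the domain itself and its subdomains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def source_for(ip):
    """First source block containing the client IP wins."""
    addr = ipaddress.ip_address(ip)
    for name, net in SOURCES:
        if addr in ipaddress.ip_network(net):
            return name
    return "default"

def decide(acl, ip, host):
    """Walk the pass list left to right; the first matching token decides."""
    for token in acl[source_for(ip)]:
        if token in ("all", "none"):
            return "allow" if token == "all" else "deny"
        negated, name = token.startswith("!"), token.lstrip("!")
        if in_list(host, DESTS[name]):
            return "deny" if negated else "allow"
    return "allow"  # assumed default when no token matched

if __name__ == "__main__":
    for ip in ("192.168.5.55", "192.168.5.56"):
        for host in ("www.suidguard.com", "www.standardbank.co.za", "www.casino.com"):
            print(ip, host, "posted:", decide(POSTED, ip, host),
                  "explicit:", decide(EXPLICIT, ip, host))
```

In this model the posted localnet rule lets any unlisted site through because nothing closes the list, while "pass banks none" gives .55 the banks-only behaviour and "all" at the end of the FullAccess rule makes its allow explicit.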