acl src question

neok
Hello everyone!

I have a network 192.168.10.0/22
I want to let the IP ranges 192.168.12.1 to 192.168.13.254 through my proxy, but not the ranges 192.168.10.1 to 192.168.11.254.
If I don't misunderstand the documentation, the correct way to do this would be:
acl mylocalnet src 192.168.12.0/24
acl mylocalnet src 192.168.13.0/24
[...]
http_access allow mylocalnet

Is this right?
Thank you

Gabriel

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: acl src question

Amos Jeffries
Administrator
On 9/08/19 1:57 am, Service MV wrote:

> Hello everyone!
>
> I have a network 192.168.10.0/22
> I want to let the IP ranges 192.168.12.1 to 192.168.13.254 through my
> proxy, but not the ranges 192.168.10.1 to 192.168.11.254.
> If I don't misunderstand the documentation
> <http://www.squid-cache.org/Versions/v4/cfgman/acl.html>, the correct
> way to do this would be:
> acl mylocalnet src 192.168.12.0/24
> acl mylocalnet src 192.168.13.0/24
> [...]
> http_access allow mylocalnet
>
> Is this right?

Close. But that would include the machines with *.0 and *.255 addresses
outside the range you mention wanting to match.

If your needed range does not map to nice CIDR range(s) you can set the
start and end address instead:

 acl mylocalnet src 192.168.12.1-192.168.13.254



PS. setting the LAN range(s) you want to use the proxy is what the
"localnet" ACL is there for. The values provided are just an example of
standardized ranges that will let the proxy work on most networks by
default.
 There is usually no need for a new custom name, just edit the list as
necessary for your policy. Unless you mean something else for this
custom ACL to be doing - in which case you might want to consider using
a name that makes the access rules read in a more easily interpreted way.

Amos
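
Added example (not part of the original thread and not Squid code): a Python check, using the standard ipaddress module, that compares the two /24 entries from the question with the start-end range from the reply and lists the CIDR blocks that would cover that range exactly. The function names are made up for illustration.

```python
import ipaddress

# The two /24 entries from the question.
CIDR_ACL = [ipaddress.ip_network("192.168.12.0/24"),
            ipaddress.ip_network("192.168.13.0/24")]
# The start-end range from the reply.
RANGE_FIRST = ipaddress.ip_address("192.168.12.1")
RANGE_LAST = ipaddress.ip_address("192.168.13.254")


def matches_cidr_acl(addr):
    """True if addr falls inside either /24 entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CIDR_ACL)


def matches_range_acl(addr):
    """True if addr falls inside the start-end range (inclusive)."""
    return RANGE_FIRST <= ipaddress.ip_address(addr) <= RANGE_LAST


def extra_in_cidr_acl():
    """Addresses the /24 pair admits but the range does not."""
    return [str(ip) for net in CIDR_ACL for ip in net
            if not matches_range_acl(ip)]


def exact_cidr_cover():
    """Smallest list of CIDR blocks covering exactly the range."""
    return [str(n) for n in
            ipaddress.summarize_address_range(RANGE_FIRST, RANGE_LAST)]


def squid_lines(name="mylocalnet"):
    """The same range written as CIDR-only acl lines, for comparison."""
    return [f"acl {name} src {cidr}" for cidr in exact_cidr_cover()]


if __name__ == "__main__":
    print("only in the /24 pair:", extra_in_cidr_acl())
    print("CIDR blocks needed for the exact range:", len(exact_cidr_cover()))
    for line in squid_lines():
        print(line)
```

The range is contiguous across the /24 boundary, so 192.168.12.255 and 192.168.13.0 still match it; only the first and last address of the combined block drop out.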

Re: acl src question

neok
Thanks Amos. The indication was useful.
Best regards

Gabriel

On Fri, 9 Aug 2019 03:19, Amos Jeffries <[hidden email]> wrote:
On 9/08/19 1:57 am, Service MV wrote:
> Hello everyone!
>
> I have a network 192.168.10.0/22
> I want to let the IP ranges 192.168.12.1 to 192.168.13.254 through my
> proxy, but not the ranges 192.168.10.1 to 192.168.11.254.
> If I don't misunderstand the documentation
> <http://www.squid-cache.org/Versions/v4/cfgman/acl.html>, the correct
> way to do this would be:
> acl mylocalnet src 192.168.12.0/24
> acl mylocalnet src 192.168.13.0/24
> [...]
> http_access allow mylocalnet
>
> Is this right?

Close. But that would include the machines with *.0 and *.255 addresses
outside the range you mention wanting to match.

If your needed range does not map to nice CIDR range(s) you can set the
start and end address instead:

 acl mylocalnet src 192.168.12.1-192.168.13.254



PS. setting the LAN range(s) you want to use the proxy is what the
"localnet" ACL is there for. The values provided are just an example of
standardized ranges that will let the proxy work on most networks by
default.
 There is usually no need for a new custom name, just edit the list as
necessary for your policy. Unless you mean something else for this
custom ACL to be doing - in which case you might want to consider using
a name that makes the access rules read in a more easily interpreted way.

Amos