ipv6 acl access not working properly


ipv6 acl access not working properly

anwesh tiwari
IPv6 ACL is not working as expected: if the IPv6 address of the domain is unroutable, it falls back to IPv4 even when it is denied.

Details :
What I am trying to achieve: I want to disable all IPv4 domain access from the proxy and disable all IPv4 connections.

Here are my directives, placed just before the http_access deny all line in the default squid.conf:

dns_v4_first off
acl to_ipv6 dst ipv6
http_access deny !to_ipv6
http_access allow to_ipv6
When I browse this site through the proxy:
http://whatismyipv6.com

This site has an IPv6 AAAA record, but that address is not routed when I check.

Here is the log:
1506526125.315    327 <publicIP> TCP_MISS/200 2486 GET http://www.whatismyipv6.com/ - HIER_DIRECT/216.64.158.90 text/html
1506526126.259    632 <publicIP> TCP_MISS/200 31738 GET http://www.whatismyipv6.com/World-IPv6-Day.jpg - HIER_DIRECT/216.64.158.90 image/jpeg

The log shows that Squid is able to browse the site, which is explicitly denied by the http_access directive.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ipv6 acl access not working properly

Alex Rousskov
On 09/28/2017 10:10 AM, anwesh tiwari wrote:

> IPv6 ACL is not working as expected: if the IPv6 address of the domain is unroutable, it falls back to IPv4 even when it is denied.
>
> Details :
> What I am trying to achieve: I want to disable all IPv4 domain access from the proxy and disable all IPv4 connections.
>
> Here are my directives, placed just before the http_access deny all line in the default squid.conf:
>
> dns_v4_first off
> acl to_ipv6 dst ipv6
> http_access deny !to_ipv6
> http_access allow to_ipv6
>
> When I browse this site through the proxy:
> http://whatismyipv6.com
>
> This site has an IPv6 AAAA record, but that address is not routed when I check.
>
> Here is the log:
> 1506526125.315    327 <publicIP> TCP_MISS/200 2486 GET http://www.whatismyipv6.com/ - HIER_DIRECT/216.64.158.90 text/html
> 1506526126.259    632 <publicIP> TCP_MISS/200 31738 GET http://www.whatismyipv6.com/World-IPv6-Day.jpg - HIER_DIRECT/216.64.158.90 image/jpeg
>
> The log shows that Squid is able to browse the site, which is explicitly denied by the http_access directive.


I will rephrase the above question in the hope that other folks on this list
can help Anwesh Tiwari to solve his actual problem rather than tell him
yet again [1] that there is nothing wrong with the ipv6 ACL:

"I expected that using a dst ipv6 ACL with http_access would block IPv4
connections originating from Squid. I now understand that my
expectations were wrong. Please help me refine my goals and configure
Squid to achieve them. Thank you."

  [1] http://bugs.squid-cache.org/show_bug.cgi?id=4777


HTH,

Alex.

Re: ipv6 acl access not working properly

Adam Majer
On 09/28/2017 06:10 PM, anwesh tiwari wrote:
> IPv6 ACL is not working as expected: if the IPv6 address of the domain is
> unroutable, it falls back to IPv4 even when it is denied.
>
> Details: What I am trying to achieve: I want to disable all IPv4
> domain access from the proxy and disable all IPv4 connections.


You appear to be correct. The ACL behaviour is checked before
connections are attempted.

So, trying to connect to IPv4-only sites fails, as expected. But if you
have a dual-stack site, like whatismyipv6.com, then it passes the ACL but
fails on the IPv6 connection. Then it falls back to IPv4 and succeeds.

This seems to be the not very intuitive part of the ACL mechanism. The ACL
guards access to squid-cache, not to the sites themselves. So as long as
the ACL succeeds *before* a connection is ever attempted (and sometimes it
may not even be attempted, because things are cached after all), then it
passes.

If you want to disable access to the outside world on IPv4, you can disable
it outside of Squid, for example via iptables or by dropping IPv4 from your
network interface.

- Adam
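The following Python model is an added illustration of Adam's explanation; it is not code from this thread or from Squid. It separates the two phases the thread is about: the dst ipv6 ACL is evaluated against the resolved addresses before any connection, and the IPv4 fallback happens in the connect phase, which http_access never revisits. The DNS answers, the IPv6 address (documentation prefix) and the reachability set are constructed; the v4_egress_blocked flag stands in for a host firewall rule such as the iptables approach Adam suggests.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed DNS data modelling the thread's scenario (not real lookups):
# www.whatismyipv6.com is dual-stack and its AAAA address is unroutable
# from the proxy host; ipv4only.example has only an A record.
DNS: Dict[str, List[str]] = {
    "www.whatismyipv6.com": ["2001:db8::10", "216.64.158.90"],
    "ipv4only.example": ["203.0.113.7"],
}
# Addresses the proxy host can actually reach (constructed).
REACHABLE: Set[str] = {"216.64.158.90", "203.0.113.7"}

def acl_dst_ipv6(host: str) -> bool:
    """Model of 'acl to_ipv6 dst ipv6': matches if ANY resolved destination
    address is IPv6. It looks only at DNS data, before any connect()."""
    return any(ipaddress.ip_address(a).version == 6 for a in DNS.get(host, []))

def http_access(host: str) -> str:
    """Model of 'http_access deny !to_ipv6' followed by 'http_access allow to_ipv6'."""
    return "allow" if acl_dst_ipv6(host) else "deny"

def connect(host: str, v4_egress_blocked: bool = False) -> Optional[str]:
    """Model of the forwarding phase: with dns_v4_first off, IPv6 addresses are
    tried first and the next address is tried on failure. Squid's ACLs are not
    consulted here; only a host-level block on IPv4 egress stops the fallback."""
    addrs = sorted(DNS.get(host, []),
                   key=lambda a: ipaddress.ip_address(a).version != 6)
    for a in addrs:
        if v4_egress_blocked and ipaddress.ip_address(a).version == 4:
            continue  # rejected by the host firewall, outside Squid
        if a in REACHABLE:
            return a
    return None

def fetch(host: str, v4_egress_blocked: bool = False) -> str:
    """Combine both phases and return an access.log-style result."""
    if http_access(host) == "deny":
        return "TCP_DENIED/403"
    peer = connect(host, v4_egress_blocked)
    return f"TCP_MISS/200 HIER_DIRECT/{peer}" if peer else "TCP_MISS/503"
```

Running fetch("www.whatismyipv6.com") reproduces the HIER_DIRECT/216.64.158.90 line from the original log, while the same call with v4_egress_blocked=True fails, which is the outcome the poster was expecting from the ACL alone.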