[Lias] squid

Craig Ringer craig at postnewspapers.com.au
Mon Nov 18 10:45:01 UTC 2002


Parkes High School wrote:
 > Is it possible to configure the squid.conf file to block machines on my
 > network  with certain IP addresses from accessing the Internet?

It certainly is. You just add an appropriate ACL in squid.conf, or even
better you can use webmin to get a nice GUI.  On my system, if I wanted
to prevent the machine 10.0.0.1 from accessing the 'net, I'd add this to
the ACL section of squid.conf:

acl blockedhost src 10.0.0.1/255.255.255.255

"blockedhost" is the name I've given the ACL, and the blocked address
includes a 32bit netmask that means "1 host". Note that this is an ACL
that just matches the host, it doesn't say anything about what for.

Then I add:

http_access deny blockedhost

to the access section of squid.conf and the host will be blocked.
Similarly, to block the entire 10.0.0.0/24 block you add:

acl blockednet src 10.0.0.0/255.255.255.0
(and)
http_access deny blockednet


Note: order is not significant for ACL definitions but http_access
definitions must be in order as the first match is used, much like
iptables. Squid looks at each http_access line in turn and checks "does
this apply? ok, next..." until it finds the first match and takes action
from that. So, if you want everybody on 10.0.0.x except blockednet to
have access you would have the following 2 ACLs (in any order):

acl blockedhost src 10.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.255.255.0

and make sure that these were in the following order:

http_access deny blockedhost
http_access allow localnet
http_access deny all

If you instead had the http_access rules in this order:

http_access allow localnet
http_access deny blockedhost
http_access deny all

then the blockedhost rule would have no effect and blockedhost would
still be allowed access, as blockedhost is also matched by localnet.

If you want more information, there's lots of documentation for Squid
both packaged with it and on the 'net.
-- 
Craig Ringer
GPG Key Fingerprint: AF1C ABFE 7E64 E9C8 FC27  C16E D3CE CDC0 0E93 380D
	-- if it ain't broke, add features 'till it is. (or:)
	while (! broken) { features ++ ; broken = isBroken(features) }
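The two orderings from the post above, run through a small simulator of Squid's first-match http_access evaluation. This is example code added to this page, not part of the original post and not Squid's own code; it models only "src" ACLs, assumes the "all" ACL is predefined as 0.0.0.0/0 (as in Squid 3.x and later), and applies Squid's documented rule that when no http_access line matches, the default is the opposite of the last line.

```python
"""Simulate Squid's first-match http_access evaluation to show why rule
order matters. Added example; not from the original post or from Squid."""
import ipaddress

# Constructed squid.conf fragments: the ACL definitions from the post plus
# the two http_access orderings it compares.
ACLS = """
acl blockedhost src 10.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.255.255.0
"""

CORRECT_ORDER = """
http_access deny blockedhost
http_access allow localnet
http_access deny all
"""

WRONG_ORDER = """
http_access allow localnet
http_access deny blockedhost
http_access deny all
"""


def parse_acls(text):
    """Return {name: [networks]} from 'acl NAME src ADDR[/MASK] ...' lines.

    Squid accepts dotted masks (10.0.0.0/255.255.255.0) and CIDR
    (10.0.0.0/24); ipaddress.ip_network handles both. Only 'src' ACLs are
    modelled. 'all' is assumed predefined as every address, as in
    Squid 3.x and later; an explicit 'acl all src ...' line extends it."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl" or parts[2] != "src":
            continue
        name, targets = parts[1], parts[3:]
        # Repeating an ACL name on a later line extends it, as in Squid.
        acls.setdefault(name, []).extend(
            ipaddress.ip_network(t, strict=False) for t in targets)
    return acls


def parse_rules(text):
    """Return [(action, [(negated, aclname), ...])] from http_access lines.
    Several ACL names on one line are ANDed; a leading '!' negates one."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action = parts[1]
        if action not in ("allow", "deny"):
            raise ValueError("bad http_access action: " + line)
        terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
        rules.append((action, terms))
    return rules


def acl_matches(acls, name, client_ip):
    """True when client_ip falls inside any network listed for ACL 'name'."""
    if name not in acls:
        raise KeyError("undefined ACL %r (Squid refuses to start on this)" % name)
    return any(client_ip in net for net in acls[name])


def decide(acls, rules, client):
    """Walk http_access lines in order and act on the first line whose ACLs
    all match, exactly as Squid does. If nothing matches, Squid's default is
    the opposite of the last line's action (deny when there are no lines)."""
    client_ip = ipaddress.ip_address(client)
    for action, terms in rules:
        if all(acl_matches(acls, name, client_ip) != negated
               for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"


def check_orderings(client):
    """Decision for one client address under both orderings from the post."""
    acls = parse_acls(ACLS)
    return {
        "correct": decide(acls, parse_rules(CORRECT_ORDER), client),
        "wrong": decide(acls, parse_rules(WRONG_ORDER), client),
    }


if __name__ == "__main__":
    for host in ("10.0.0.1", "10.0.0.42", "192.168.1.5"):
        print(host, check_orderings(host))
```

Running it shows 10.0.0.1 denied under the correct order but allowed under the wrong one, because "allow localnet" matches first and Squid never reaches the deny line; every other 10.0.0.x host is allowed either way, and addresses outside the network fall through to "deny all". Running `squid -k parse` against the real squid.conf is still the way to catch typos and undefined ACL names before reloading.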
