Date:      Tue, 23 Mar 2004 22:42:47 +0200
From:      "Toni Heinonen" <Toni.Heinonen@teleware.fi>
To:        <bobc@sfcei.com>, <FreeBSD-Questions@freebsd.org>
Subject:   RE: squid and it's config, a question
Message-ID:  <B36C365832C90E47A37F4FFCDDEFC46D3D5FE1@hkisrv08.tw.fi>

Well, you're only matching "not-my-network". You should have more
http_access commands, even by default. Show the rest of them. I think
this would be more appropriate:

http_access allow internal
http_access deny all

That would first let the right people surf, and then deny everything
else.
-- 
TONI HEINONEN
     TELEWARE OY
     +358 40 836 1815 / +358 (9) 3434 9110
     Itäkeskuksen Maamerkki
     00930 Helsinki, Finland
     toni@teleware.fi / www.teleware.fi


> -----Original Message-----
> From: bobc@sfcei.com [mailto:bobc@sfcei.com]
> Sent: Tuesday, March 23, 2004 10:18 PM
> To: FreeBSD-Questions@freebsd.org
> Subject: squid and it's config, a question
>
>
> I am looking to set up squid proxy for my lan, and think I have a
> correct config to make sure the proxy is not open. I am asking the list
> as opposed to the squid lists, as I prefer to ask the FBSD list first
> when it is somewhat FBSD related. I will be running this on a FBSD 4.9
> box. This box has two NICs in it, one connected to the router and one to
> the lan.
>
> After looking through the docs, I think I am correct in listing the
> internal network 10.1.1.x 255.0.0.0 as such:
>
> acl internal src 10.1.1.0/24
> http_access deny !internal
>
> I placed the above at the start of the file to jump right in and get this
> set. And further into the squid.conf file the following:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 10.1.1.5/255.0.0.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> Here the squid server will be IP 10.1.1.5 255.0.0.0. I have no
> references to localhost as 127.0.0.1, and no references to the external
> IP in this file anywhere. I am assuming, perhaps incorrectly which is
> often the case for me :-), that this should be sufficient and safe from
> being open to the world.
>
> Thank you very much for your time and patience with this. And yes I did
> RTFM, but I want to be sure as sometimes the FM is beyond me.
> --
> Bob
>
> "Play is the work of children. It's very serious stuff. And if it's
> properly structured in a developmental program, children can blossom."
> -Bob Keeshan aka `Captain Kangaroo'
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
