From: "Toni Heinonen"
To: freebsd-questions@freebsd.org
Date: Tue, 23 Mar 2004 22:42:47 +0200
Subject: RE: squid and it's config, a question
List-Id: User questions (freebsd-questions@freebsd.org)

Well, you're only matching "not-my-network". You should have more http_access commands, even by default. Show the rest of them. I think this would be more appropriate:

http_access allow internal
http_access deny all

That would first let the right people surf, and then deny everything else.

-- 
TONI HEINONEN
TELEWARE OY
+358 40 836 1815 / +358 (9) 3434 9110
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
toni@teleware.fi / www.teleware.fi

> -----Original Message-----
> From: bobc@sfcei.com [mailto:bobc@sfcei.com]
> Sent: Tuesday, March 23, 2004 10:18 PM
> To: FreeBSD-Questions@freebsd.org
> Subject: squid and it's config, a question
>
>
> I am looking to set up squid proxy for my lan, and think I have a
> correct config to make sure the proxy is not open. I am asking the list
> as opposed to the squid lists, as I prefer to ask the FBSD list first
> when it is somewhat FBSD related. I will be running this on a FBSD 4.9
> box. This box has two NICs in it, one connected to the router and one to
> the lan.
>
> After looking through the docs, I think I am correct in listing the
> internal network 10.1.1.x 255.0.0.0 as such:
>
> acl internal src 10.1.1.0/24
> http_access deny !internal
>
> I placed the above at the start of the file to jump right in and get this
> set. And further into the squid.conf file the following:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 10.1.1.5/255.0.0.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> Here the squid server will be IP 10.1.1.5 255.0.0.0. I have no
> references to localhost as 127.0.0.1, and no references to the external
> IP in this file anywhere. I am assuming, perhaps incorrectly which is
> often the case for me :-), that this should be sufficient and safe from
> being open to the world.
>
> Thank you very much for your time and patience with this. And yes I did
> RTFM, but I want to be sure as sometimes the FM is beyond me.
> --
> Bob
>
> "Play is the work of children. It's very serious stuff. And if it's
> properly structured in a developmental program, children can blossom."
> -Bob Keeshan aka `Captain Kangaroo'
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
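The two http_access styles discussed in this thread (Bob's single `deny !internal` line versus Toni's explicit `allow internal` / `deny all` pair) behave differently because of two documented Squid rules: http_access lines are evaluated top-down with the first match winning, and when no line matches, Squid applies the opposite of the last line's action as an implicit default. The following is an added example, written for this page and not code from either poster or from the Squid project. It is a small evaluator that models just those two rules plus `src` ACLs, runs both configuration fragments (constructed here from the thread) against constructed client addresses, and also shows what netmask-style `src` entries such as `10.1.1.5/255.0.0.0` expand to. It is a teaching model of the semantics, not a reimplementation of Squid's ACL engine.

```python
"""Model of Squid http_access evaluation: first match wins, implicit default
is the opposite of the last rule. Added example; not Squid's own code."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed squid.conf fragments reflecting the two approaches in the thread.
CONF_DENY_ONLY = """
acl internal src 10.1.1.0/24
acl all src 0.0.0.0/0.0.0.0
http_access deny !internal
"""

CONF_ALLOW_THEN_DENY = """
acl internal src 10.1.1.0/24
acl all src 0.0.0.0/0.0.0.0
http_access allow internal
http_access deny all
"""

Acls = Dict[str, List[ipaddress.IPv4Network]]
Rule = Tuple[str, List[str]]  # (action, [acl terms, possibly '!'-negated])


def effective_network(spec: str) -> str:
    """Expand a Squid src spec (CIDR or dotted netmask) to the network it covers.
    strict=False mirrors Squid accepting host bits in the address part."""
    return str(ipaddress.ip_network(spec, strict=False))


def parse_conf(text: str) -> Tuple[Acls, List[Rule]]:
    """Collect 'acl NAME src ...' definitions and 'http_access' lines.
    Other ACL types (port, proto, method) are ignored by this model."""
    acls: Acls = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) > 3 and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def term_matches(acls: Acls, term: str, client: ipaddress.IPv4Address) -> bool:
    """A '!'-prefixed term matches when the underlying ACL does not."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    hit = any(client in net for net in acls[name])
    return hit != negate


def decide(acls: Acls, rules: List[Rule], client_ip: str) -> Tuple[str, str]:
    """Return (action, 'explicit'|'implicit') for a client address.
    All terms on one http_access line must match (logical AND); the first
    matching line wins. If nothing matches, the default is the opposite of
    the last line's action, which is the surprise the thread is about."""
    client = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        if all(term_matches(acls, t, client) for t in terms):
            return action, "explicit"
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "implicit"


def compare(client_ip: str) -> Dict[str, Tuple[str, str]]:
    """Evaluate one client address against both constructed fragments."""
    out = {}
    for label, conf in (("deny_only", CONF_DENY_ONLY),
                        ("allow_then_deny", CONF_ALLOW_THEN_DENY)):
        acls, rules = parse_conf(conf)
        out[label] = decide(acls, rules, client_ip)
    return out


if __name__ == "__main__":
    # Constructed sample clients: one on the LAN, one from outside.
    for ip in ("10.1.1.20", "203.0.113.7"):
        print(ip, compare(ip))
    # Bob's localhost line uses a /8 mask, so it covers far more than one host.
    print("10.1.1.5/255.0.0.0 ->", effective_network("10.1.1.5/255.0.0.0"))
```

With `deny_only`, a LAN client is admitted only by the implicit default (no line matched, last action was deny, so Squid allows); with `allow_then_deny`, every decision is made by an explicit line, which is why Toni's form is easier to audit. The last line of the usage shows that `10.1.1.5/255.0.0.0` is really `10.0.0.0/8`, a useful check to run on any `src` ACL written with a dotted netmask.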