From: bobc@sfcei.com
To: Toni.Heinonen@teleware.fi
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Mar 2004 15:39:38 -0500
Subject: RE: squid and its config, a question

> Well, you're only matching "not-my-network". You should have
> more http_access commands, even by default. Show the rest of
> them. I think this would be more appropriate:
>
> http_access allow internal
> http_access deny all
>
> That would first let the right people surf, and then deny
> everything else.
>
> acl internal src 10.1.1.0/24
> http_access deny !internal

When you say "not-my-network" do you mean I defined my network, never allowed my network and then denied everything but my network? If so, I have effectively not allowed anything. No?

I am trying to get a better feel for the syntax, hence my above questions. And again thanks for the patience.
Then perhaps with my notes to the right:

acl internal src 10.1.1.0/24    # defines my internal lan
http_access allow internal      # allows the internal lan access
http_access deny all            # denies all others

As you requested, here are the additional http_access lines from much further into the file.

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl myclients src 10.1.1.0/24
http_access allow myclients

# And finally deny all other access to this proxy
http_access deny all

Would it be safe to drop the above 4 lines if I have already done such things at the first of the file?

--Bob
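The rule ordering the thread is about, as an added example (not code from the thread and not Squid's own code): a small Python simulator of how Squid evaluates http_access lines, covering acl definitions, first-match processing, "!" negation, the AND of several ACL names on one line, and the implicit default when no line matches (Squid uses the opposite of the last http_access line). Only src, port, method and proto ACLs are supported. The two embedded configs are the deny-only pair quoted above and an explicit version of the rule set Bob posted; the Safe_ports, SSL_ports, manager, localhost and all definitions that the posted excerpt relies on but does not show are filled in with constructed values, and the behaviour with no http_access lines at all is an assumption. Running it shows that "deny !internal" on its own admits internal clients only through the implicit default, while the allow/deny pair makes the decision visible in the line that matched.

```python
"""Simulator of Squid http_access evaluation (added example, not Squid code).
Supports acl types src, port, method, proto; first-match; '!' negation; AND of
terms on one line; default = opposite of the last http_access line."""
import ipaddress


def parse_config(text):
    """Collect acl definitions and http_access lines from a squid.conf fragment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).append((kind, values))  # repeats extend the acl
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))    # (action, [terms])
    return acls, rules


def _port_listed(port, values):
    """True if port is in a list of ports or lo-hi ranges."""
    for v in values:
        lo, _, hi = v.partition("-")
        if hi and int(lo) <= port <= int(hi):
            return True
        if not hi and int(v) == port:
            return True
    return False


def acl_matches(acls, name, req):
    """True if any definition of ACL `name` matches the request dict."""
    if name not in acls:
        raise ValueError(f"http_access refers to undefined acl {name!r}")
    for kind, values in acls[name]:
        if kind == "src":
            ip = ipaddress.ip_address(req["src"])
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "port" and _port_listed(req["port"], values):
            return True
        elif kind == "method" and req["method"].upper() in {v.upper() for v in values}:
            return True
        elif kind == "proto" and req["proto"].lower() in {v.lower() for v in values}:
            return True
        elif kind not in ("src", "port", "method", "proto"):
            raise ValueError(f"acl type {kind!r} not supported by this simulator")
    return False


def evaluate(acls, rules, req):
    """Return (decision, reason) using Squid's first-match semantics."""
    for action, terms in rules:
        matched = True
        for term in terms:                        # every term on the line must hold
            negate = term.startswith("!")
            name = term[1:] if negate else term
            if acl_matches(acls, name, req) == negate:
                matched = False
                break
        if matched:
            return action, f"matched: http_access {action} {' '.join(terms)}"
    if not rules:
        return "deny", "no http_access lines (assumed deny; varies by Squid version)"
    last = rules[-1][0]
    default = "deny" if last == "allow" else "allow"
    return default, f"no line matched; default is opposite of last line ({last})"


# Constructed config 1: the deny-only rule from the thread.
DENY_ONLY = """\
acl internal src 10.1.1.0/24
http_access deny !internal
"""

# Constructed config 2: explicit allow/deny with the supporting acls filled in.
EXPLICIT = """\
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl internal src 10.1.1.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow internal
http_access deny all
"""


def decide(config, src, port=80, method="GET", proto="http"):
    """Convenience wrapper: parse a config and return the decision for one request."""
    acls, rules = parse_config(config)
    req = {"src": src, "port": port, "method": method, "proto": proto}
    return evaluate(acls, rules, req)


if __name__ == "__main__":
    for label, cfg in (("deny-only", DENY_ONLY), ("explicit", EXPLICIT)):
        for src in ("10.1.1.7", "192.168.0.5"):
            print(label, src, *decide(cfg, src))
```

The deny-only config reports "no line matched; default is opposite of last line" for an internal client, which is the kind of implicit decision that is easy to lose when more lines are added later; the explicit config reports the matching line for every outcome, including the Safe_ports and CONNECT checks that come before the client rule.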