On 02/11/10 20:18, Edmonds Namasenda wrote:
> Hello Amos, I emailed the content below to the users mailing list but
> kept getting bounced messages about "MIME Content" so I chose to email
> you privately for help. Hope it is okay.
Reply sent on-list.
Set your emailer not to include a web page along with the email text and
the list will stop rejecting your mail.
>
> ##########
> Hello All.
> I am requesting help using openSuSe 11.2, Squid 3.0 and Shorewall 2.2.2
> (old version but working fine for me so far).
> There are three networks (subnets) planned
> Local LAN: 10.100.#.0/24 <http://10.100.10.0/24> aka lLAN
> Local WAN: 192.168.#.0/24 <http://192.168.7.0/24> aka lWAN
> VPN APN: 10.208.#.0/24 <http://10.208.6.0/24> aka vAPN
>
> VPN Router: 41.2##.###.### (External Interface), 192.168.#.# (Internal
> Interface)
>
> Currently, we use the router to connect lWAN for I.P application servers
> to vAPN users and internet access to both lWAN & vAPN.
> I saw a need for another network, lLAN, to segment the local users from
> vAPN users although both users must access certain services on lWAN.
> Please correct me but I believe this is achievable and I want to use
> Squid as a transparent proxy to control downloads and limit access to
> some websites to certain times.
>
> My squid.conf ACLs.
>
> acl net_ed src 10.100.#.0/24 192.168.#.0/24 10.208.#.0/24 # The three
> networks
> acl whrs1 time MTWHF 9:00-12:59 # Morning time to limit some
> websites & control downloads
> acl whrs2 time MTWHF 13:00-16:59 # Afternoon time to limit some
> websites & control downloads
> acl nowww dstdomain "/etc/squid/noWWW" # Path to file of limited websites
> acl nodwnld urlpath_regex "/etc/squid/noDWNLD" # Path to file of
> controlled downloads
>
> My squid.conf http_access
> http_access deny nowww whrs1 whrs2
> http_access deny nodwnld whrs1 whrs2
> http_access allow net_ed
>
> Content in /etc/squid/noWWW
> .friendstar.com
> .metacafe.com
> .myspace.com
> .videos.google.com
> .youtube.com
> .facebook.com
> .twitter.com
> .yousex.com
>
> Content in /etc/squid/noDWNLD
> \.exe$
> \.zip$
> \.gz$
> \.bz2$
> \.mp3$
> \.avi$
> \.mp4$
> \.mpg$
> \.mpeg$
> \.rar$
> \.ram$
> \.rpm$
> \.wav$
> \.cda$
> \.wma$
> \.wmv$
> \.flv$
> \.fla$
>
> I would like to add an ACL to allow specific 192.168.#.0/24 addresses to
> the internet directly before putting a redirect rule in shorewall to
> force all other addresses to use the proxy.
You seem to be asking how to bypass the proxy from inside. That is not
possible. The firewall needs to do bypass before anything gets near the
proxy.
If you meant that some IPs need to get web access without the download
and site restrictions, that is just an ACL listing the IPs and allowing
them access first before applying the extra restrictions for others.
>
> My redirect rules in shorewall are
> 1. ACCEPT $FW net tcp www
> 2. REDIRECT loc 3128 tcp www - !192.168.#.#
>
>
> What I do not want is for users to be able to access the internet when
> they change IPs back to lWAN.
> And I would like to add an ACL for some lLAN addresses to access the
> internet without any restrictions.
>
> Please note that all those networks are sharing switches and / or router.
> I could separate the networks accordingly with a switch, but how do I
> achieve access to all networks as necessary?
>
I have not used shorewall in over 5 years now. I find its layered
abstraction maps more confusing than the iptables commands. Sorry, I
can't help with the specifics here.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.2

Received on Tue Nov 02 2010 - 07:47:16 MDT
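A point worth checking in the posted squid.conf, which neither message spells out: Squid ANDs every ACL named on one http_access line and ORs across lines, so `http_access deny nowww whrs1 whrs2` only denies when the request falls inside both 9:00-12:59 and 13:00-16:59 at once, which never happens. The following is an added example (not code from the thread, from Squid, or from Shorewall) that models Squid's http_access evaluation for the four ACL types used in the post, then runs the posted rule set and a corrected one over constructed requests. The subnets, the exempt host addresses in the hypothetical `unrestricted` ACL, the domain and regex lists (inlined instead of read from the files) and the timestamps are all constructed sample values; the post masks its real octets with `#`.

```python
import ipaddress
import re
from datetime import datetime

# Added example: a small model of Squid's http_access evaluation. Not Squid code.
DAY_CODES = "MTWHFAS"   # Squid's day letters, indexed by datetime.weekday() (Mon = 0)


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def acl_matches(kind, args, req):
    """True if one ACL of the types used in the post matches the request dict."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "time":
        days, span = args
        start, end = (_minutes(x) for x in span.split("-"))
        when = req["when"]
        now = when.hour * 60 + when.minute
        return DAY_CODES[when.weekday()] in days and start <= now <= end
    if kind == "dstdomain":
        host = req["host"].lower()
        # a leading dot matches the domain itself and every subdomain; no dot means exact match
        return any((host == a[1:] or host.endswith(a)) if a.startswith(".") else host == a
                   for a in args)
    if kind == "urlpath_regex":
        return any(re.search(a, req["path"]) for a in args)
    raise ValueError(f"unsupported acl type {kind}")


def parse_config(text):
    """Collect 'acl' definitions and ordered 'http_access' lines; '#' starts a comment."""
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(args)   # repeated acl lines append
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def decide(text, req):
    """All ACLs on one line must match (AND); lines are tried in order and the first
    fully matching line wins (OR). With no match, Squid applies the opposite of the
    last line's action."""
    acls, rules = parse_config(text)
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            kind, args = acls[name.lstrip("!")]
            if acl_matches(kind, args, req) == negate:
                matched = False
                break
        if matched:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(src, host, path, when):
    return {"src": src, "host": host, "path": path, "when": when}


# The posted rule set with constructed subnets and shortened domain/regex lists.
ORIGINAL_CONF = r"""
acl net_ed src 10.100.1.0/24 192.168.1.0/24 10.208.1.0/24
acl whrs1 time MTWHF 9:00-12:59
acl whrs2 time MTWHF 13:00-16:59
acl nowww dstdomain .youtube.com .facebook.com
acl nodwnld urlpath_regex \.exe$ \.zip$
http_access deny nowww whrs1 whrs2
http_access deny nodwnld whrs1 whrs2
http_access allow net_ed
"""

# Corrected form: one contiguous time ACL per deny line, exempt hosts allowed first
# (as Amos suggests), and an explicit final deny for anything outside the three networks.
CORRECTED_CONF = r"""
acl all src 0.0.0.0/0
acl net_ed src 10.100.1.0/24 192.168.1.0/24 10.208.1.0/24
acl unrestricted src 192.168.1.10 10.100.1.20   # constructed: hosts exempt from restrictions
acl whrs time MTWHF 9:00-16:59
acl nowww dstdomain .youtube.com .facebook.com
acl nodwnld urlpath_regex \.exe$ \.zip$
http_access allow unrestricted
http_access deny nowww whrs
http_access deny nodwnld whrs
http_access allow net_ed
http_access deny all
"""

MONDAY_1030 = datetime(2010, 11, 1, 10, 30)   # constructed: a Monday morning

if __name__ == "__main__":
    yt = request("10.100.1.5", "www.youtube.com", "/watch", MONDAY_1030)
    print("original :", decide(ORIGINAL_CONF, yt))    # allow: the two time ACLs cannot both match
    print("corrected:", decide(CORRECTED_CONF, yt))   # deny
```

Running the block shows the posted config letting a listed site through during working hours, while the corrected config blocks it, exempts the `unrestricted` hosts, and denies sources outside the three networks instead of relying on the implicit default.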