Re: Fw: [squid-users] TCP_DENIED/403 1402 GET

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Sun, 23 May 2004 21:41:48 -0700 (PDT)

On Mon, 24 May 2004, Jose Nathaniel Nengasca wrote:

> And by the way, is 192.168.0.0/255.255.0.0 correct? Are you using class B on
> 192.168 instead of class C?

Network classes are meaningless in the context of Squid Access Control
Lists. Either of the following forms will match any host assigned an IP
address with 192.168 in the high-order octets of the source address.

        acl localnet src 192.168.0.0/16
        acl localnet src 192.168.0.0/255.255.0.0

The following acl shouldn't match anything as the netmask requires all
octets of the IP address to be 0B.

        acl all src 0.0.0.0/255.255.255.255

The following acl matches all IP addresses.

        acl all src 0.0.0.0/0.0.0.0

The following should work.

        http_access allow localnet
        http_access deny !localnet
        http_access allow all

Merton Campbell Crockett

>
> ----- Original Message -----
> From: "Jose Nathaniel Nengasca" <admin@sscrmnl.edu.ph>
> To: "Squid Mailing List" <squid-users@squid-cache.org>
> Sent: Monday, May 24, 2004 11:12 AM
> Subject: Re: [squid-users] TCP_DENIED/403 1402 GET
>
>
> > It seems that your netmask ACL on ALL is a bit messy; try not to use
> > 255.255.255.255, use 0.0.0.0 instead...
> >
> >
> > > Hello,
> > >
> > > I searched the archives, edited my ACLs, but I can't figure this one
> > > out. A Version 2.5.STABLE5 that seemed to be working fine is now
> > > rejecting users with an access denied message. My access log has
> > > entries like the following:
> > >
> > >
> > > 1085339278.198 2 192.168.253.14 TCP_DENIED/403 1352 GET
> > > http://slashdot.org/ - NONE/- text/html
> > > 1085340459.256 2 192.168.253.14 TCP_DENIED/403 1356 GET
> > > http://macintouch.com/ - NONE/- text/html
> > >
> > >
> > > My squid box is sitting in a DMZ behind the firewall, so I'd like to
> > > just run pretty lax security on it. The conf file, which I'm trying to
> > > keep simple, has the following ACLs:
> > >
> > > acl all src 0.0.0.0/255.255.255.255
> > > http_access allow src 192.168.0.0/255.255.0.0
> > > http_access allow all # Added out of frustration
> > > http_access deny all
> > >
> > > Thoughts?
> > > --jorn
> >
>
>
>

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
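The point made in the reply above (a dotted mask and a CIDR prefix are interchangeable, `0.0.0.0/255.255.255.255` matches only the unusable address 0.0.0.0, `0.0.0.0/0.0.0.0` matches everything, and `http_access` is evaluated top to bottom with first match winning) can be checked offline with a small model. The following Python is an added illustration, not code from this thread or from Squid itself; the parser, its function names and the two config listings are constructed here, the latter copied from the messages above, and the no-match fallback (opposite of the last `http_access` line) follows Squid's documented behaviour.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Turn a Squid-style mask ("16" or "255.255.0.0") into a prefix length.

    Only contiguous netmasks are accepted, the same constraint Squid applies.
    """
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length {mask!r}")
        return prefix
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF            # host bits; must be a run of trailing 1s
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous netmask {mask!r}")
    return 32 - inv.bit_length()


def parse_src_acl(spec: str) -> ipaddress.IPv4Network:
    """Parse one value of `acl NAME src ADDR[/MASK]` into a network (no mask = /32)."""
    addr, _, mask = spec.partition("/")
    prefix = mask_to_prefix(mask) if mask else 32
    # strict=False silently clears host bits, as Squid does when masking the address.
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def matches(spec: str, client_ip: str) -> bool:
    """Does a single `src` value match this client address?"""
    return ipaddress.IPv4Address(client_ip) in parse_src_acl(spec)


def parse_config(lines):
    """Collect `acl ... src` definitions and `http_access` rules from config lines.

    Values on one acl line are ORed; repeated acl lines with the same name append.
    Referencing an undefined ACL name in http_access is a fatal error in Squid, so
    it is rejected here too (this is what `http_access allow src ...` trips over).
    """
    acls, rules = {}, []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments such as the OP's note
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(parse_src_acl(v) for v in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            for term in parts[2:]:
                if term.lstrip("!") not in acls:
                    raise ValueError(f"ACL name {term.lstrip('!')!r} not defined")
            rules.append((parts[1], parts[2:]))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return acls, rules


def decide(client_ip: str, acls, rules) -> str:
    """First http_access line whose terms all match decides; '!' negates a term.

    If nothing matches, Squid applies the opposite of the last line's action.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for action, terms in rules:
        if all((any(ip in net for net in acls[t.lstrip("!")])) != t.startswith("!")
               for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def config_error(lines):
    """Return the parse error message for a config, or None if it parses."""
    try:
        parse_config(lines)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed from the thread: the original poster's ACLs and the reply's suggestion.
POSTER_CONFIG = [
    "acl all src 0.0.0.0/255.255.255.255",
    "http_access allow src 192.168.0.0/255.255.0.0",
    "http_access allow all # Added out of frustration",
    "http_access deny all",
]
REPLY_CONFIG = [
    "acl localnet src 192.168.0.0/16",
    "acl all src 0.0.0.0/0.0.0.0",
    "http_access allow localnet",
    "http_access deny !localnet",
    "http_access allow all",
]

if __name__ == "__main__":
    for spec in ("192.168.0.0/16", "192.168.0.0/255.255.0.0",
                 "0.0.0.0/255.255.255.255", "0.0.0.0/0.0.0.0"):
        print(f"{spec:28} matches 192.168.253.14: {matches(spec, '192.168.253.14')}")
    print("poster config:", config_error(POSTER_CONFIG))
    acls, rules = parse_config(REPLY_CONFIG)
    for ip in ("192.168.253.14", "10.1.2.3"):
        print(f"reply config, client {ip}: {decide(ip, acls, rules)}")
```

Running the script shows the two forms of the 192.168 ACL behaving identically, the `/255.255.255.255` variant of `all` matching nothing, and the poster's `http_access allow src ...` line being rejected because `src` is not an ACL name; the reply's rule set admits the 192.168.253.14 client from the quoted log lines and denies anything outside 192.168.0.0/16.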
Received on Sun May 23 2004 - 22:45:01 MDT
