squid and it's config, a question
Toni Heinonen
Toni.Heinonen at teleware.fi
Tue Mar 23 12:41:50 PST 2004
Well, you're only matching "not-my-network". You should have more http_access commands, even by default. Show the rest of them. I think this would be more appropriate:
http_access allow internal
http_access deny all
That would first let the right people surf, and then deny everything else.
--
TONI HEINONEN
TELEWARE OY
+358 40 836 1815 / +358 (9) 3434 9110
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
toni at teleware.fi / www.teleware.fi
> -----Original Message-----
> From: bobc at sfcei.com [mailto:bobc at sfcei.com]
> Sent: Tuesday, March 23, 2004 10:18 PM
> To: FreeBSD-Questions at freebsd.org
> Subject: squid and it's config, a question
>
>
> I am looking to set up squid proxy for my lan, and think I have a
> correct config to make sure the proxy is not open. I am
> asking the list
> as opposed to the squid lists, as I prefer to ask the FBSD list first
> when it is somewhat FBSD related. I will be running this on a FBSD 4.9
> box. This box has two NICs in it, one connected to the router
> and one to
> the lan.
>
> After looking through the docs, I think I am correct in listing the
> internal network 10.1.1.x 255.0.0.0 as such:
>
> acl internal src 10.1.1.0/24
> http_access deny !internal
>
> I placed the above at the start of the file to jump right in
> and get this
> set. And further into the squid.conf file the following:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 10.1.1.5/255.0.0.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> Here the squid server will be IP 10.1.1.5 255.0.0.0. I have no
> references to localhost as 127.0.0.1r, and no references to
> the external
> IP in this file anywhere. I am assuming, perhaps incorrectly which is
> often the case for me :-), that this should be sufficient and
> safe from
> being open to the world.
>
> Thank you very much for your time and patience with this. And
> yes I did
> RTFM, but I want to be sure as sometimes the FM is beyond me.
> --
> Bob
>
> "Play is the work of children. It's very serious stuff. And if it's
> properly structured in a developmental program, children can blossom."
> -Bob Keeshan aka `Captain Kangaroo'
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
More information about the freebsd-questions
mailing list