+ Responder ao Tópico



  1. 12-06-2009, 14:04 #1
    halley
    halley está desconectado
    Avatar de halley
    Ingresso
    Jun 2009
    Posts
    47

    Padrão Aonde ta o erro? Não bloqueia nada...

    Fala galera,
    blz?

    Seguinte, a ideia desse meu squid é ter 2 links internet, quem estiver no arquivo ips.link1 passa pela embratel e quem esta no ips.link2 para pela mundivox..

    E teria 3 regras apenas, 1 Admin acessa tudo, 2 Usuario padrao, passa por todas as regras... e 3 - Usuariopadrao com acesso ao msn... (sendo q essa regra, nao sei como vou aplicar ainda.. to perdido)

    é minha primeira vez mexendo em squid e tal e to meio enrolado, gostaria de saber porque minhas regras nao estao sendo aplicadas... se tem algum erro e tal...

    obrigadao a todos

    http_port 3128
    visible_hostname firewall.pcebr.com.br
    cache_effective_user proxy
    cache_effective_group proxy
    cache_log /var/log/squid/cache.log
    cache_access_log /var/log/squid/access.log
    # cache_store_log /var/log/squid/store.log
    cache_mem 512 MB
    cache_dir diskd /var/spool/squid 50000 64 256 Q1=64 Q2=72
    maximum_object_size 102400 KB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 100 KB
    cache_swap_low 90
    cache_swap_high 95
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    ipcache_size 1024
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 1024
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    no_cache deny QUERY
    auth_param ntlm program /usr/bin/ntlm_auth = PCEBR/pcebr.com.br --helper-protocol=squid-2.5-ntlmssp
    auth_param basic program /usr/bin/ntlm_auth PCEBR/pcebr.com.br --helper-protocol=squid-2.5-basic
    auth_param basic children 20
    auth_param ntlm children 20
    auth_param ntlm keep_alive on
    auth_param basic credentialsttl 2 hours
    auth_param basic realm Proxy Server
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    dns_nameservers 208.67.222.222
    dns_nameservers 208.67.220.220

    # ACL Gerais
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl acesso proxy_auth REQUIRED # Solicitando a autenticação

    # ACL DIRECIONAMENTO DE LINK

    acl ips_link2 src "/etc/ips.link2"
    tcp_outgoing_address 200.196.54.49 ips_link2

    acl ips_link1 src "/etc/ips.link1"
    tcp_outgoing_address 201.73.46.49 ips_link1

    # BLOQUEIO DE SITES POR EXTENSAO

    acl msnblock dstdomain -i "/etc/squid/controle/msnblock"
    acl blacklist dstdomain "/etc/squid/controle/blacklist"
    acl extensoes url_regex -i "/etc/squid/controle/extensoes"

    ## Bloqueio de Mime ## Bloqueando requisicoes mime types.

    acl mimeblockq req_mime_type -i ^application/x-icq$
    acl mimeblockq req_mime_type -i ^application/x-comet-log$
    acl mimeblockq req_mime_type -i ^application/x-pncmd$
    acl mimeblockq req_mime_type -i ^application/x-hotbar-xip20$
    acl mimeblockq req_mime_type -i ^.AIM.
    acl mimeblockq req_mime_type -i ^application/stream$
    acl mimeblockq req_mime_type -i application/stream
    acl mimeblockq req_mime_type -i ^application/octet-stream$
    acl mimeblockq req_mime_type -i application/octet-stream
    acl mimeblockq req_mime_type -i ^application/x-mplayer2$
    acl mimeblockq req_mime_type -i application/x-mplayer2
    acl mimeblockq req_mime_type -i ^application/x-oleobject$
    acl mimeblockq req_mime_type -i application/x-oleobject
    acl mimeblockq req_mime_type -i application/x-pncmd
    acl mimeblockq req_mime_type -i ^video/x-ms-asf$
    acl mimeblockp rep_mime_type -i ^application/x-mplayer2$
    acl mimeblockp rep_mime_type -i application/x-mplayer2
    acl mimeblockp rep_mime_type -i ^application/x-oleobject$
    acl mimeblockp rep_mime_type -i application/x-oleobject
    acl mimeblockp rep_mime_type -i application/x-pncmd
    acl mimeblockp rep_mime_type -i ^video/x-ms-asf$
    acl mimeblockp rep_mime_type -i ^application/x-icq$
    acl mimeblockp rep_mime_type -i ^.AIM.
    acl mimeblockp rep_mime_type -i ^.*AIM/HTTP
    acl mimeblockp rep_mime_type -i ^application/x-comet-log$
    acl mimeblockp rep_mime_type -i ^application/x-pncmd$
    acl mimeblockp rep_mime_type -i ^application/x-chaincast$
    acl mimeblockp rep_mime_type -i ^application/x-hotbar-xip20$
    acl mimeblockp rep_mime_type -i ^application/rhythmbox$
    acl mimeblockp rep_mime_type -i application/rhythmbox

    ## Barrar downloads de multimidia - incluindo streaming de audio.
    acl useragent browser -i ^.NSPlayer.
    acl useragent browser -i ^.player.
    acl useragent browser -i ^.Windows-Media-Player.
    acl useragent browser -i ^.rhythmbox.
    acl useragentq rep_mime_type ^.video.
    acl useragentq rep_mime_type ^.audio.
    acl useragentq rep_mime_type ^.stream.

    # ACL CONTROLE DO AD

    external_acl_type nt_group ttl=1800 children=500 %LOGIN /usr/lib/squid/wbinfo_group.pl
    acl UserPadrao external nt_group Usuarios
    acl UserAdmin external nt_group Administracao
    acl UserMsn external nt_group MSNallow


    # ACL Padroes
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    # Acesso ACL Personalizada
    http_access allow acesso
    http_access allow ips_link1
    http_access allow ips_link2
    http_access allow UserAdmin
    http_access deny msnblock
    http_access deny blacklist
    http_access deny extensoes
    http_reply_access deny mimeblockq
    http_reply_access deny useragent
    http_reply_access deny useragentq
    http_access allow UserPadrao
    http_access allow manager localhost
    http_access deny manager
    http_access deny all

    http_reply_access allow all
    icp_access allow all

    coredump_dir /usr/local/squid/var/cache
    error_directory /usr/share/squid/errors/Portuguese
    Citação Citação
  2. 12-06-2009, 19:54 #2
    Brenno
    Brenno está desconectado
    Avatar de Brenno
    Ingresso
    Sep 2004
    Posts
    833

    Padrão

    Boa noite Amigo, Antes de mais nada voce deve fazer seu squid funcionar apenas com um link, utilizar 2 links com squid é algo que nunca conseguir, na empresa tenho dois links mas somente um sai pelo proxy, que eh rota default, o outro link sai os pacotes que marco com iptables + iproute2
    Citação Citação
  3. 12-06-2009, 20:16 #3
    halley
    halley está desconectado
    Avatar de halley
    Ingresso
    Jun 2009
    Posts
    47

    Padrão

    Fala amigo,
    sai sim por 2 links... por tcp_outgoing_address e funciona bala... o problema ta no http_access q nao to sacando... ou bloqueia geral ou libera geral rsrs.

    valeu amigo...
    Citação Citação



« Tópico Anterior | Próximo Tópico »