Squid filtering with MAC addresses
-
Hello all. I am using the Squid package to supply a transparent proxy for a single subnet. pfSense is the firewall/router, supplying packet filtering and NAT services for a very small home network. On said network is a Cisco Aironet WAP that, for personal reasons, I wish to leave open. What I am trying to do is have Squid intercept HTTP requests from unknown clients and redirect them to a customized Squid error message. The custom options I have added to squid.conf are as follows:
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access allow allowed_clients
The ACL above contains the MAC addresses of known clients. I have heavily modified the original ERR_ACCESS_DENIED with a custom error, but for some reason this is not working, and all users, whether in the ACL or not, are allowed on the Internet. I also have ad filtering rules in the custom options, so for simplicity I will post the squid.conf as pfSense sees it. I do not modify this directly!
# Do not edit manually !
http_port 10.0.0.1:3128
http_port 127.0.0.1:3128 transparent
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname firewall
cache_mgr fifth-element.lan
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 10.0.0.0/255.255.0.0
forwarded_for off
via off
uri_whitespace strip
cache_mem 256 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 10240 16 256
minimum_object_size 0 KB
maximum_object_size 1048576 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
# No redirector configured
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
cache deny dynamic
http_access allow manager localhost
# Allow external cache managers
acl ext_manager_1 src 10.0.0.1
http_access allow manager ext_manager_1
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
# Custom options
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access allow allowed_clients
deny_info http://10.0.0.1/4x4.gif blacklist
# Block access to blacklist domains
http_access deny blacklist
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny all
Am I missing something? Standing by with a face-palm…
-
Hi,
If I understand you correctly, then you will block clients by their MAC address with Squid?
As far as I know Squid can only handle IPs. So your acl should contain IPs and not MAC addresses.
-
Captive portal would do the job; it has the MAC-list filtering capability.
-
Hi,
If I understand you correctly, then you will block clients by their MAC address with Squid?
As far as I know Squid can only handle IPs. So your acl should contain IPs and not MAC addresses.

Squid has no problem using MAC addresses in ACLs. From the Squid webpage:
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
  # The arp ACL requires the special configure option --enable-arp-acl.
  # Furthermore, the ARP ACL code is not portable to all operating systems.
  # It works on Linux, Solaris, Windows, FreeBSD, and some
  # other *BSD variants.
  # [fast]
  #
  # NOTE: Squid can only determine the MAC address for clients that are on
  # the same subnet. If the client is on a different subnet,
  # then Squid cannot find out its MAC address.
As far as the captive portal goes, sorta overkill for what I'm trying to do. Thanks for the info, though.
-
Hi,
thanks for your reply and this really good information about MAC addresses in Squid!
Did you check if the acl you created has the correct rights so Squid could read the file?
I found this on the net:
To use ARP (MAC) access controls, you first need to compile in the optional code. Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
Not sure if the package is compiled this way, or did you do that for your Squid installation?
-
Yeah, the ACL is what I'm wondering about. Can't add it directly to squid.conf, as it gets rewritten after reboot, but I am adding it to the custom options box like so:
# Custom options
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access allow allowed_clients
deny_info http://10.0.0.1/4x4.gif blacklist
# Block access to blacklist domains
http_access deny blacklist
The allowed_clients.acl contains the MAC addresses of allowed clients, obviously. I know it works, because the ads were getting my custom error, whereas before they were being stripped entirely from the pages. It's clearly being bungled by me somehow. Just trying to figure out the proper formatting to accomplish this.
-
Has anyone been able to get this to work? I tried it and it didn't work for me either. I even set it up so the default allow subnet rule would be at the end of the conf file, with no luck.
-
MAC filtering will only work on the same network segment Squid is listening on.
-
MAC filtering will only work on the same network segment Squid is listening on.

When I tested it this morning, they were both on the same subnet.
-
Hi,
What's the format of your MAC acl in your "allowed_clients.acl"?
It is supposed to be like this; your allowed_clients.acl config is:
acl <name1> arp <mac1>
acl <name2> arp <mac2>
http_access allow <name1>
http_access allow <name2>
and put it in your squid.conf before the line http_access deny all as:
include "/path/to/allowed_clients.acl"
Thanks
-
I did it this way:
acl disallowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access deny disallowed_clients
Then my acl had my MACs as XX:XX:XX:XX:XX:XX.
I want to use it to deny certain boxes from using the internet/proxy.
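The configs in this thread differ only in where the arp rule sits relative to http_access allow localnet, and Squid evaluates http_access lines in order, stopping at the first match (if nothing matches, it applies the opposite of the last line's action). The following is an added example, not Squid code and not from any poster: a small Python model of that first-match walk, supporting only the ACL types the thread uses (src with a dotted netmask, arp loaded from a quoted file, ! negation), plus a validator for the MAC list file. It runs the posted rule order, the last post's deny-list order, and a third ordering (deny !allowed_clients ahead of allow localnet, my suggestion rather than anything from the thread) against a listed, an unlisted and an off-subnet client. The file path comes from the thread; every MAC address and file body is constructed, and the model assumes Squid was built with arp ACL support.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).

Supports only what the thread uses: `src` ACLs with a dotted netmask, `arp`
ACLs loaded from a quoted file, `!` negation, first-match evaluation, and the
documented fallback when no line matches (the opposite of the last action).
Every MAC address and file body below is constructed for the demonstration.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def load_mac_list(text):
    """Parse an arp ACL file: one MAC per line, '#' starts a comment.
    Anything not in xx:xx:xx:xx:xx:xx form raises ValueError, so a typo
    is caught before the file is handed to Squid."""
    macs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if not MAC_RE.match(entry):
            raise ValueError(f"line {lineno}: not a MAC address: {raw.strip()!r}")
        macs.append(entry)
    return macs


def parse_config(conf, files):
    """Return (acls, rules) from squid.conf-style text; `files` maps the quoted
    paths used on acl lines to their (constructed) contents."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, *args = words[1:]
            values = []
            for arg in args:
                if arg.startswith('"'):  # quoted file, as in the thread's config
                    body = files[arg.strip('"')]
                    values += load_mac_list(body) if kind == "arp" else body.split()
                else:
                    values.append(arg.lower())
            if kind == "src":
                values = [ipaddress.ip_network(v, strict=False) for v in values]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))  # ("allow"|"deny", [terms])
    return acls, rules


def acl_matches(acls, name, client_ip, client_mac):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in net for net in values)
    if kind == "arp":
        # Squid only learns a MAC for clients on its own subnet; an off-subnet
        # client is modelled as client_mac=None and never matches an arp ACL.
        return client_mac is not None and client_mac.lower() in values
    raise ValueError(f"unsupported acl type: {kind}")


def http_access(conf, files, client_ip, client_mac):
    """First http_access line whose terms all match decides the request."""
    acls, rules = parse_config(conf, files)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), client_ip, client_mac)
               != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed stand-in for /var/squid/acl/allowed_clients.acl
FILES = {"/var/squid/acl/allowed_clients.acl":
         "00:11:22:33:44:55   # laptop (constructed)\nAA:BB:CC:DD:EE:FF\n"}
ACLS = """
acl localnet src 10.0.0.0/255.255.0.0
acl all src 0.0.0.0/0.0.0.0
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
"""
# Rule order from the squid.conf posted in the thread: a MAC not in the file
# misses the arp line and is then allowed by localnet.
THREAD_ORDER = ACLS + "http_access allow allowed_clients\nhttp_access allow localnet\nhttp_access deny all\n"
# Ordering that enforces "known MACs only" (a suggestion here, not from the thread).
DENY_UNKNOWN_FIRST = ACLS + "http_access deny !allowed_clients\nhttp_access allow localnet\nhttp_access deny all\n"
# The last post's variant: the same file read as a block list, denied before localnet.
BLOCKLIST_ORDER = ACLS.replace("allowed_clients arp", "disallowed_clients arp") + \
    "http_access deny disallowed_clients\nhttp_access allow localnet\nhttp_access deny all\n"

if __name__ == "__main__":
    for label, conf in [("thread order", THREAD_ORDER), ("deny unknown first", DENY_UNKNOWN_FIRST),
                        ("block list", BLOCKLIST_ORDER)]:
        listed = http_access(conf, FILES, "10.0.0.20", "aa:bb:cc:dd:ee:ff")
        unlisted = http_access(conf, FILES, "10.0.0.21", "de:ad:be:ef:00:01")
        print(f"{label:20} listed MAC -> {listed:5}  unlisted MAC -> {unlisted}")
```

With the thread's order both clients come back "allow", which is the symptom described in the first post; with the deny-first ordering only the listed MAC gets through, and a client whose MAC Squid cannot resolve (off-subnet, modelled as None) is denied as well. Running the validator over the real file before a reload catches a malformed entry, which would otherwise make Squid refuse the ACL at startup.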