Squid filtering with MAC addresses
-
Hi,
If I understand you correctly, then you want to block clients by their MAC address with squid?
As far as I know, squid can only handle IPs. So your acl should contain IPs and not MAC addresses.
-
Captive portal would do the job, it has the mac-list filtering capability
-
Squid has no problem using MAC addresses in ACLs. From the Squid webpage:
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# The arp ACL requires the special configure option --enable-arp-acl.
# Furthermore, the ARP ACL code is not portable to all operating systems.
# It works on Linux, Solaris, Windows, FreeBSD, and some
# other *BSD variants.
# [fast]
#
# NOTE: Squid can only determine the MAC address for clients that are on
# the same subnet. If the client is on a different subnet,
# then Squid cannot find out its MAC address.
As far as the captive portal goes, sorta overkill for what I'm tryin to do. Thanks for the info, though.
-
Hi,
Thanks for your reply and this really good information about MAC addresses in squid!
Did you check if the acl you created has the correct rights so squid could read the file?
I found this on the net:
To use ARP (MAC) access controls, you first need to compile in the optional code. Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
Not sure if the package is compiled this way - or did you do that for your squid installation?
-
Yeah, the ACL is what I'm wondering about. Can't add it directly to squid.conf, as it gets rewritten after reboot, but I am adding it to the custom options box like so:
# Custom options
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access allow allowed_clients
deny_info http://10.0.0.1/4x4.gif blacklist
# Block access to blacklist domains
http_access deny blacklist
The 'allowed_clients.acl' contains the MAC addresses of allowed clients, obviously. I know it works, because the ads were getting my custom error, whereas before they were being stripped entirely from the pages. It's clearly being bungled by me somehow. Just trying to figure out the proper formatting to accomplish this.
-
Has anyone been able to get this to work? I tried it and it didn't work for me either. I even set it up so the default allow subnet rule would be at the end of the conf file, with no luck.
-
Mac filtering will only work on same network segment squid is listening on.
-
When I tested it this morning, they were both on the same subnet
-
Hi,
What's the format of your MAC acl on your "allowed_clients.acl"?
Supposed to be: your allowed_clients.acl config is:
acl <name1> arp <mac1>
acl <name2> arp <mac2>
http_access allow <name1>
http_access allow <name2>
and put on your squid.conf before the line of http_access deny all as:
include "/path/to/allowed_clients.acl"
Thanks
-
I did it this way:
acl disallowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access deny disallowed_clients
then my acl had my macs as XX:XX:XX:XX:XX:XX
I want to use it to deny certain boxes from using the internet/proxy
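-
Added example, not from any poster in this thread or from the Squid project: a shell script for the checks the thread keeps returning to (ARP ACL support compiled in, the MAC list in xx:xx:xx:xx:xx:xx notation, the client visible on the proxy's own subnet). The function names, the sample data and the one-address-per-line file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks for the arp ACL setup discussed in this thread.

# Check 1: reads `squid -v` text on stdin; succeeds if ARP ACLs were compiled in.
has_arp_acl() { grep -q -e '--enable-arp-acl'; }

# Check 2: lint the file named in  acl NAME arp "/path/to/file".
# One xx:xx:xx:xx:xx:xx address per line; blank lines and # comments are
# skipped (assumption). Prints "lineno:text" per bad line, returns 1 if any.
lint_mac_file() {
    bad=$(tr -d '\r' < "$1" | grep -n '' |
        grep -Ev '^[0-9]+:[[:space:]]*(#.*)?$' |
        grep -Ev '^[0-9]+:[[:space:]]*[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}[[:space:]]*$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Check 3: Squid only learns MACs of clients on its own subnet, so a listed
# client that has sent traffic should show up in the proxy's ARP table.
# Reads `arp -an` text on stdin; prints well-formed MACs from file $1 that are absent.
macs_not_in_arp() {
    arp_text=$(tr 'A-F' 'a-f')
    tr -d '\r' < "$1" | tr 'A-F' 'a-f' |
        grep -E '^[[:space:]]*[0-9a-f]{2}(:[0-9a-f]{2}){5}[[:space:]]*$' | tr -d ' \t' |
    while read -r mac; do
        printf '%s\n' "$arp_text" | grep -qw -e "$mac" || printf '%s\n' "$mac"
    done
}

# Constructed sample data (not taken from the thread).
SAMPLE_SQUID_V='configure options:  --enable-arp-acl --enable-delay-pools'
SAMPLE_ARP='? (10.0.0.23) at 00:11:22:33:44:55 on em1 expires in 1175 seconds [ethernet]'

# Writes a constructed MAC list to file $1: two good lines, two bad ones.
write_sample_list() {
    printf '%s\n' '# allowed clients' '00:11:22:33:44:55' 'AA:BB:CC:DD:EE:FF' \
        '00-11-22-33-44-66' 'acl pc3 arp 00:11:22:33:44:77' > "$1"
}

# Demo on the constructed data; on a real proxy pipe in `squid -v` and `arp -an`.
f=$(mktemp) && write_sample_list "$f"
printf '%s\n' "$SAMPLE_SQUID_V" | has_arp_acl && echo "ARP ACL support compiled in"
lint_mac_file "$f" || echo "^ lines not in xx:xx:xx:xx:xx:xx notation"
printf '%s\n' "$SAMPLE_ARP" | macs_not_in_arp "$f" | sed 's/^/not in ARP table: /'
rm -f "$f"
```

A listed MAC that never appears in the proxy's ARP table while that client is browsing points at the different-subnet case quoted from the Squid documentation above.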