SQUID AND ITS MAC ADDRESS ACCESS CONTROL LISTS
-
Did you know you can also add specific Layer 2 MAC addresses to ACLs in Squid Proxy Server?
eui_lookup on
acl ACL_NAME arp MAC ADDRESS HERE
But that is not all: because Squid uses AND as its logic, you can also combine them with Layer 3 (IP address) ACLs.
Example here:
cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd SUPER_DUPER_SECRET_PASSWORD all
eui_lookup on
acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6
acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all
acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad
acl splice_only_mac arp MAC ADDRESS HERE
acl splice_only_mac arp MAC ADDRESS HERE
acl splice_only_mac arp MAC ADDRESS HERE
acl splice_only_mac arp MAC ADDRESS HERE
acl splice_only_mac arp MAC ADDRESS HERE
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell
acl bump_only_mac arp MAC ADDRESS HERE
acl bump_only_mac arp MAC ADDRESS HERE
acl bump_only_mac arp MAC ADDRESS HERE
acl bump_only_mac arp MAC ADDRESS HERE
acl bump_only_mac arp MAC ADDRESS HERE
ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated
acl markedBumped note bumped true
url_rewrite_access deny markedBumped
#workers 3
#read_ahead_gap 32 KB
negative_ttl 1 second
connect_timeout 30 seconds
request_timeout 60 seconds
#half_closed_clients off
shutdown_lifetime 10 seconds
negative_dns_ttl 1 seconds
#ignore_unknown_nameservers on
#client_persistent_connections off
#server_persistent_connections off
pipeline_prefetch 100
#acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
#ssl_bump bump SSLIntercept
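
To see how the combined MAC and IP rules above are evaluated, here is a small Python model of Squid's matching logic. It is an added example, not part of the original post and not Squid's own code. The MAC addresses are constructed placeholders, the annotation ACLs are left out, and "ssl_bump terminate all" is an assumed stand-in for the config's final terminate rule.

```python
import ipaddress

# Constructed config modelled on the page's rules. The MAC addresses are
# made-up placeholder values, and "terminate all" stands in for the page's
# annotation-based final rule.
CONF = """
acl splice_only src 192.168.1.8       # phone A
acl splice_only src 192.168.1.10      # phone B
acl splice_only_mac arp 02:00:00:00:00:08
acl splice_only_mac arp 02:00:00:00:00:10
acl bump_only src 192.168.1.5
acl bump_only_mac arp 02:00:00:00:00:05
ssl_bump splice splice_only_mac splice_only
ssl_bump bump bump_only_mac bump_only
ssl_bump terminate all
"""

def parse(conf):
    """Collect ACL values per name (values are ORed) and ssl_bump rules in order."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["ssl_bump"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, ip, mac):
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(v) for v in values)
    # arp: no match when the MAC is unknown (client not on Squid's own segment)
    return mac is not None and mac.lower() in (v.lower() for v in values)

def decide(ip, mac, conf=CONF):
    """First rule whose ACLs ALL match wins, as in Squid's rule evaluation."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], ip, mac) for n in names):
            return action
    return None

if __name__ == "__main__":
    for ip, mac in [("192.168.1.8", "02:00:00:00:00:08"),   # listed pair
                    ("192.168.1.8", "02:00:00:00:00:99"),   # listed IP, unknown MAC
                    ("192.168.1.8", "02:00:00:00:00:10"),   # IP of A, MAC of B
                    ("192.168.1.5", None)]:                 # MAC not resolvable
        print(ip, mac, "->", decide(ip, mac))
```

The third case still returns splice: the AND joins two lists, so any listed IP together with any listed MAC matches. To bind one IP to one MAC, give each device its own pair of ACL names and its own rule line.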