Squid filtering with MAC addresses

Maxamoto

Hello all. I am using the Squid package to supply transparent proxy for a single subnet. Pfsense is the firewall/router, supplying packet filtering and NAT services for a very small home network. On said network is a Cisco Aironet WAP that, for personal reasons, I wish to leave open. What I am trying to do is have Squid intercept HTTP requests from unknown clients and redirect them to a customized Squid error message. The curstom options I have added to squid.conf are as follows:

acl allowed_clients arp "/var/squid/acl/allowed_clients.acl";
http_access allow allowed_clients

The ACL above contains the MAC addresses of known clients. I have heavilly modified the original ERR_ACCESS_DENIED with a custom error, but for some reason this is not working, and all users, whether in the ACL or not, are allowed on the Internet. I also have ad filtering rules in the custom options, so for simplicity I will post the squid.conf as pfsense sees it. I do not modify this directly!

# Do not edit manually !
http_port 10.0.0.1:3128
http_port 127.0.0.1:3128 transparent
icp_port 0

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname firewall
cache_mgr fifth-element.lan
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  10.0.0.0/255.255.0.0
forwarded_for off
via off
uri_whitespace strip

cache_mem 256 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 10240 16 256
minimum_object_size 0 KB
maximum_object_size 1048576 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

# No redirector configured

# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
cache deny dynamic
http_access allow manager localhost

# Allow external cache managers
acl ext_manager_1 src 10.0.0.1
http_access allow manager ext_manager_1

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

# Custom options
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access allow allowed_clients
deny_info http://10.0.0.1/4x4.gif blacklist
# Block access to blacklist domains
http_access deny blacklist
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny all

Am I missing something? Standing by with a face-palm…

Nachtfalke

Hi,

if I understand you correct than you will block clients by their MAC-address with squid ?
As far as I know squid can only handle IPs. So your acl should contain IPs and not MAC-addresses.

Metu69salemi

Captive portal would do the job, it has the mac-list filtering capability

Maxamoto

@Nachtfalke:

Hi,

if I understand you correct than you will block clients by their MAC-address with squid ?
As far as I know squid can only handle IPs. So your acl should contain IPs and not MAC-addresses.

Squid has no problem using MAC addresses in ACLs. From the Squid webpage:

	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
	  # The arp ACL requires the special configure option --enable-arp-acl.
	  # Furthermore, the ARP ACL code is not portable to all operating systems.
	  # It works on Linux, Solaris, Windows, FreeBSD, and some
	  # other *BSD variants.
	  # [fast]
	  #
	  # NOTE: Squid can only determine the MAC address for clients that are on
	  # the same subnet. If the client is on a different subnet,
	  # then Squid cannot find out its MAC address.

As far as the captive portal goes, sorta overkill for what I'm tryin to do. Thanks for the info, though.

Nachtfalke

@Maxamoto:

@Nachtfalke:

Hi,

if I understand you correct than you will block clients by their MAC-address with squid ?
As far as I know squid can only handle IPs. So your acl should contain IPs and not MAC-addresses.

Squid has no problem using MAC addresses in ACLs. From the Squid webpage:

	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
	  # The arp ACL requires the special configure option --enable-arp-acl.
	  # Furthermore, the ARP ACL code is not portable to all operating systems.
	  # It works on Linux, Solaris, Windows, FreeBSD, and some
	  # other *BSD variants.
	  # [fast]
	  #
	  # NOTE: Squid can only determine the MAC address for clients that are on
	  # the same subnet. If the client is on a different subnet,
	  # then Squid cannot find out its MAC address.

As far as the captive portal goes, sorta overkill for what I'm tryin to do. Thanks for the info, though.

Hi,

thanks for your repley and this really good information about MAC addresses in squid!

Did you check if the acl your created has the correct rights so squid could read the file ?

If ound this on the net:

To use ARP (MAC) access controls, you first need to compile in the optional code.
Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make

Not sure if the package is compiled this way - or did you do that for your squid installation ?

Maxamoto

Yeah, the ACL is what I'm wondering about. Can't add it directly to squid.conf, as it gets rewritten after reboot, but I am adding it to the custom options box like so:

# Custom options
acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access allow allowed_clients
deny_info http://10.0.0.1/4x4.gif blacklist
# Block access to blacklist domains
http_access deny blacklist

The 'allowed_clients.acl contains the MAC addresses of allowed clients, obviously. I know it works, because the ads were getting my custom error, whereas before they were being stripped entirely from the pages. It's clearly being bungled by me somehow. Just trying to figure out the proper formatting to accomplish this.

Cino

Has anyone been able to get this work? I tried it and didn't work for me either. I even set it up so the default allow subnet rule would be at the end of the conf file with no luck.

marcelloc

Mac filtering will only work on same network segment squid is listening on.

Cino

@marcelloc:

Mac filtering will only work on same network segment squid is listening on.

When I tested it this morning, they were both on the same subnet

rootlurker

Hi,

What's the format of your MAC acl on your "allowed_clients.acl"?

supposed to be: your allowed_clients.acl config is:

acl <name1>arp <mac1>acl <name2>arp <mac2>http_access allow <name1>http_access allow <name2>and put on your squid.conf before the line of http_access deny all as:

include "/path/to/allowed_clients.acl"

Thanks</name2></name1></mac2></name2></mac1></name1>

Cino

I did it this way:

acl disallowed_clients arp "/var/squid/acl/allowed_clients.acl"
http_access deny disallowed_clients

then my acl had my macs as XX:XX:XX:XX:XX:XX

I want to use it to deny certain boxes from using the internet/proxy