Squid filtering with MAC addresses



  • Hello all. I am using the Squid package to supply a transparent proxy for a single subnet. pfSense is the firewall/router, supplying packet filtering and NAT services for a very small home network. On said network is a Cisco Aironet WAP that, for personal reasons, I wish to leave open. What I am trying to do is have Squid intercept HTTP requests from unknown clients and redirect them to a customized Squid error message. The custom options I have added to squid.conf are as follows:

    acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
    http_access allow allowed_clients
    

    The ACL above contains the MAC addresses of known clients. I have heavily modified the original ERR_ACCESS_DENIED with a custom error, but for some reason this is not working, and all users, whether in the ACL or not, are allowed on the Internet. I also have ad filtering rules in the custom options, so for simplicity I will post the squid.conf as pfSense sees it. I do not modify this directly!

    # Do not edit manually !
    http_port 10.0.0.1:3128
    http_port 127.0.0.1:3128 transparent
    icp_port 0
    
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname firewall
    cache_mgr fifth-element.lan
    access_log /dev/null
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  10.0.0.0/255.255.0.0
    forwarded_for off
    via off
    uri_whitespace strip
    
    cache_mem 256 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 10240 16 256
    minimum_object_size 0 KB
    maximum_object_size 1048576 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    
    # No redirector configured
    
    # Setup some default acls
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
    acl sslports port 443 563
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin \?
    acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
    cache deny dynamic
    http_access allow manager localhost
    
    # Allow external cache managers
    acl ext_manager_1 src 10.0.0.1
    http_access allow manager ext_manager_1
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    request_body_max_size 0 KB
    reply_body_max_size 0 deny all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all
    
    # Custom options
    acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
    http_access allow allowed_clients
    deny_info http://10.0.0.1/4x4.gif blacklist
    # Block access to blacklist domains
    http_access deny blacklist
    # Setup allowed acls
    # Allow local network(s) on interface(s)
    http_access allow localnet
    # Default block all to be sure
    http_access deny all
    
    

    Am I missing something? Standing by with a face-palm…
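    As an added example (not from this thread, nor pfSense's or Squid's own code), here is a small Python simulation of Squid's first-match http_access evaluation over the rule order in the posted "Custom options" block, using constructed MAC addresses and the ACL names from the config above; it shows that an unknown MAC on the local subnet is still admitted by the later `http_access allow localnet` line, and that a `deny !allowed_clients` line placed before it closes that gap. Only the `src` and `arp` ACL types are modelled, and an off-subnet client is represented by a `None` MAC, matching the same-subnet limitation of the arp ACL.

```python
import ipaddress

# Constructed sample data: ACL names and types from the posted squid.conf,
# MAC values invented for the example (only src and arp ACL types are modelled).
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "localnet": ("src", ["10.0.0.0/255.255.0.0"]),
    "allowed_clients": ("arp", ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]),
}

# http_access order as in the "Custom options" block of the posted config
POSTED_RULES = [
    ("allow", ["allowed_clients"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

# Same rules with an explicit refusal of unknown MACs before the subnet-wide allow
FIXED_RULES = [
    ("deny", ["!allowed_clients"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

def acl_matches(name, client_ip, client_mac):
    """Evaluate one ACL reference, honouring a leading '!' (negation)."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "arp":
        # Squid reads the MAC from its own ARP table, so only clients on the
        # same subnet have one; an off-subnet client (client_mac=None) never matches.
        hit = client_mac is not None and client_mac.lower() in [v.lower() for v in values]
    else:
        raise ValueError(f"unsupported ACL type: {kind}")
    return hit != negate

def http_access(rules, client_ip, client_mac=None):
    """Squid's http_access semantics: the first line whose ACLs all match decides;
    if no line matches, the opposite of the last line's action applies."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, client_mac) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```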



  • Hi,

    If I understand you correctly, then you want to block clients by their MAC address with Squid?
    As far as I know, Squid can only handle IPs. So your ACL should contain IPs and not MAC addresses.



  • Captive portal would do the job, it has the mac-list filtering capability



  • @Nachtfalke:

    Hi,

    If I understand you correctly, then you want to block clients by their MAC address with Squid?
    As far as I know, Squid can only handle IPs. So your ACL should contain IPs and not MAC addresses.

    Squid has no problem using MAC addresses in ACLs. From the Squid webpage:

    	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
    	  # The arp ACL requires the special configure option --enable-arp-acl.
    	  # Furthermore, the ARP ACL code is not portable to all operating systems.
    	  # It works on Linux, Solaris, Windows, FreeBSD, and some
    	  # other *BSD variants.
    	  # [fast]
    	  #
    	  # NOTE: Squid can only determine the MAC address for clients that are on
    	  # the same subnet. If the client is on a different subnet,
    	  # then Squid cannot find out its MAC address.
    
    

    As far as the captive portal goes, sorta overkill for what I'm trying to do. Thanks for the info, though.



  • @Maxamoto:

    @Nachtfalke:

    Hi,

    If I understand you correctly, then you want to block clients by their MAC address with Squid?
    As far as I know, Squid can only handle IPs. So your ACL should contain IPs and not MAC addresses.

    Squid has no problem using MAC addresses in ACLs. From the Squid webpage:

    	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
    	  # The arp ACL requires the special configure option --enable-arp-acl.
    	  # Furthermore, the ARP ACL code is not portable to all operating systems.
    	  # It works on Linux, Solaris, Windows, FreeBSD, and some
    	  # other *BSD variants.
    	  # [fast]
    	  #
    	  # NOTE: Squid can only determine the MAC address for clients that are on
    	  # the same subnet. If the client is on a different subnet,
    	  # then Squid cannot find out its MAC address.
    
    

    As far as the captive portal goes, sorta overkill for what I'm trying to do. Thanks for the info, though.

    Hi,

    thanks for your reply and this really good information about MAC addresses in Squid!

    Did you check if the ACL you created has the correct rights so Squid can read the file?

    I found this on the net:

    To use ARP (MAC) access controls, you first need to compile in the optional code.
    Do this with the --enable-arp-acl configure option:
    % ./configure --enable-arp-acl ...
    % make clean
    % make
    

    Not sure if the package is compiled this way, or did you do that for your Squid installation?



  • Yeah, the ACL is what I'm wondering about. Can't add it directly to squid.conf, as it gets rewritten after reboot, but I am adding it to the custom options box like so:

    # Custom options
    acl allowed_clients arp "/var/squid/acl/allowed_clients.acl"
    http_access allow allowed_clients
    deny_info http://10.0.0.1/4x4.gif blacklist
    # Block access to blacklist domains
    http_access deny blacklist
    

    The allowed_clients.acl contains the MAC addresses of allowed clients, obviously. I know it works, because the ads were getting my custom error, whereas before they were being stripped entirely from the pages. It's clearly being bungled by me somehow. Just trying to figure out the proper formatting to accomplish this.



  • Has anyone been able to get this to work? I tried it and it didn't work for me either. I even set it up so the default allow subnet rule would be at the end of the conf file, with no luck.



  • MAC filtering will only work on the same network segment Squid is listening on.



  • @marcelloc:

    MAC filtering will only work on the same network segment Squid is listening on.

    When I tested it this morning, they were both on the same subnet



  • Hi,

    What's the format of your MAC ACL in your "allowed_clients.acl"?

    It's supposed to be like this; your allowed_clients.acl config is:

    acl <name1> arp <mac1>
    acl <name2> arp <mac2>
    http_access allow <name1>
    http_access allow <name2>

    and put it in your squid.conf before the line http_access deny all as:

    include "/path/to/allowed_clients.acl"

    Thanks



  • I did it this way:

    acl disallowed_clients arp "/var/squid/acl/allowed_clients.acl"
    http_access deny disallowed_clients

    Then my ACL had my MACs as XX:XX:XX:XX:XX:XX

    I want to use it to deny certain boxes from using the internet/proxy

