--------------------- PatchSet 11729 Date: 2007/10/16 12:55:24 Author: amosjeffries Branch: HEAD Tag: (none) Log: Alter policy of ICP and HTCP access to default allow only local networks Modifies both icp_access and htcp_access from recommended 'allow all' to a default 'deny !localnet' with a fallback default 'deny all' if the recommended icp/htcp access are removed or commented out. Adds localnet acl by default the RFC1918 reserved private space to support the use of localnet acl in the above. Members: src/cf.data.pre:1.436->1.437 Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid/squid/src/cf.data.pre,v retrieving revision 1.436 retrieving revision 1.437 diff -u -r1.436 -r1.437 --- squid/src/cf.data.pre 13 Oct 2007 06:53:07 -0000 1.436 +++ squid/src/cf.data.pre 16 Oct 2007 12:55:24 -0000 1.437 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.436 2007/10/13 06:53:07 amosjeffries Exp $ +# $Id: cf.data.pre,v 1.437 2007/10/16 12:55:24 amosjeffries Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- @@ -626,10 +626,18 @@ NOCOMMENT_START #Recommended minimum configuration: -acl all src 0.0.0.0/0.0.0.0 +acl all src all acl manager proto cache_object -acl localhost src 127.0.0.1/255.255.255.255 +acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 +# +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +# acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp 
@@ -686,11 +694,10 @@ # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS -# Example rule allowing access from your local networks. Adapt -# to list your (internal) IP networks from where browsing should -# be allowed -#acl our_networks src 192.168.1.0/24 192.168.2.0/24 -#http_access allow our_networks +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet # And finally deny all other access to this proxy http_access deny all @@ -740,8 +747,8 @@ See http_access for details NOCOMMENT_START -#Allow ICP queries from everyone -icp_access allow all +#Allow ICP queries from local networks only +icp_access deny !localnet NOCOMMENT_END DOC_END @@ -763,8 +770,10 @@ deny all traffic. This default may cause problems with peers using the htcp or htcp-oldsquid options. -#Allow HTCP queries from everyone -htcp_access allow all +NOCOMMENT_START +#Allow HTCP queries from local networks only +htcp_access deny !localnet +NOCOMMENT_END DOC_END NAME: htcp_clr_access
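Review bot: In the @@ -626,10 +626,18 @@ hunk the new `acl localnet` lines cover all three RFC1918 ranges by default, which is much broader than most deployments' actual internal networks, and the same ACL is what the later `http_access allow localnet`, `icp_access` and `htcp_access` rules key on. Since the comment only says "Adapt to list your (internal) IP networks", consider stating explicitly that any RFC1918 address that can reach the proxy is trusted until the list is narrowed, so an administrator understands the consequence of leaving the three lines as shipped.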
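Review bot: The @@ -686,11 +694,10 @@ hunk changes the shipped behaviour, not just the example: the old `#http_access allow our_networks` line was commented out and had to be enabled deliberately, while the new `http_access allow localnet` is active as written. Because the "# INSERT YOUR OWN RULE(S) HERE" comment sits directly above it, the note should also make clear that rules inserted there are evaluated before `http_access allow localnet`, and that `localnet` is now defined in the ACL section rather than here, so administrators know where to edit.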
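Review bot: In the @@ -740,8 +747,8 @@ hunk `icp_access deny !localnet` is the only ICP rule, so whether localnet clients are actually permitted depends on Squid's implicit default when no line matches rather than on an explicit rule. An explicit pair, `icp_access allow localnet` followed by `icp_access deny all`, expresses the intended policy without relying on that default and matches the "deny all" fallback the commit message describes; it would also be worth confirming that the surrounding documentation text for icp_access (not in this hunk) states the deny-all fallback the log refers to.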
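Review bot: In the @@ -763,8 +770,10 @@ hunk the new NOCOMMENT_START/NOCOMMENT_END wrapper means `htcp_access deny !localnet` is emitted as an active directive, whereas the old `htcp_access allow all` sat outside such a block and was documentation only; the two context lines above ("deny all traffic. This default may cause problems with peers using the htcp or htcp-oldsquid options.") now describe a default that no longer applies when the generated configuration is used unchanged and should be updated to say that localnet peers are allowed. The same implicit-default remark as for icp_access applies to the single `deny !localnet` line, and `htcp_clr_access` immediately below is left untouched; consider whether it should receive the same localnet restriction for consistency.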