Re: [squid-users] Problem with filter by MAC

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 25 Jul 2008 15:16:35 +1200 (NZST)

> I have the following configuration in my squid where as the first rule is
> that I filter through Mac address and then through IP.
>
> It works very well with almost all my clients, but with some other clients
> it does not validate the MAC. Therefore, I have to filter these clients
> through their IP. Which I do not want to enable.
>
> The lines in my squid are:
>
> +-------
> acl negados url_regex "/usr/local/squid/etc/sitios.denegados"
>
> http_access deny negados
>
> acl rednaveguexmac arp "/usr/local/squid/etc/lista.mac"
> acl rednaveguexip src "/usr/local/squid/etc/lista.ip"
>
> http_access allow rednaveguexmac
> http_access allow rednaveguexip
>
> icp_access allow rednaveguexmac
> icp_access allow rednaveguexip
> icp_access deny all
>
> htcp_access allow rednaveguexmac
> htcp_access allow rednaveguexip
> htcp_access deny all
> +-------
>
> In order to verify the MACs on my clients' PCs, I have to check them from
> Windows on their PCs, right in the Control Panel: Network Connections,
> Properties, or from the DOS window. I use the command "ipconfig –all",
> or the command "getmac", and I get the same address from all of these
> commands, and even from the proxy server, where I use the line:
>
> "ping -c 2 $IP_Cliente && arp -a | grep $IP_Cliente"
>
> Even though I assure myself of having copied the MAC correctly, it does
> not filter and it also denies access to the other clients.
>
> Can you tell me what is wrong? Moreover, why does it work with some clients
> but not with others?
>

MAC is a link-layer object, which is only available under two circumstances:

1) The client machine is directly wired to the squid box (a switch or hub
counts as plain wire.)

2) ALL bridges, routers, and other devices between the client machine and
the squid machine have proxy-arp enabled and working, which relays the MAC
information to squid on demand.

Sounds like some clients are wired to the same switch. Others have a
router between.

Amos
Received on Fri Jul 25 2008 - 03:16:38 MDT
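The reply above explains why an `acl ... arp` rule silently fails for clients that are not on the proxy's own link: squid looks the client's MAC up in the proxy's ARP table, and for a routed client that table holds either nothing or the router's MAC. The following script is an added example, not code from the thread or from the Squid project: it takes the proxy's directly attached subnets, a MAC list in the one-MAC-per-line format the original `lista.mac` uses, a constructed `arp -a` capture, and the IP each MAC is believed to belong to, and reports for every listed client whether the arp ACL can match it (off-link, unresolved, MAC seen differs from the list, or a MAC shared by several IPs, which is what a router or proxy-arp device looks like). All subnets, addresses and MACs below are constructed; the `CLIENT_IPS` mapping and the `#`-comment handling in the MAC list are assumptions of this example.

```python
"""Diagnose why squid's `acl <name> arp` can or cannot match each client.

Added example (not from the squid-users thread or the Squid project).
Every subnet, IP, MAC and ARP line below is constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: subnets directly attached to the proxy (as `ip -4 addr` would show)
PROXY_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed stand-in for /usr/local/squid/etc/lista.mac (one MAC per line)
LISTA_MAC = """\
00:11:22:33:44:55
00:11:22:33:44:66
00:11:22:33:44:77
00:11:22:33:44:88
00:11:22:33:44:99
"""

# Assumption of this example: the IP each listed MAC was copied from (what the
# admin saw with `getmac` on the client). Squid itself never needs this table;
# it is only used here to decide whether the client is on the proxy's link.
CLIENT_IPS = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
    "00:11:22:33:44:77": "192.168.1.12",   # answered for by the router (proxy-arp)
    "00:11:22:33:44:88": "192.168.2.20",   # behind a router, different subnet
    "00:11:22:33:44:99": "192.168.1.13",   # on-link but ARP entry incomplete
}

# Constructed `arp -a` output as captured on the proxy (Linux net-tools format)
ARP_A_OUTPUT = """\
pc10 (192.168.1.10) at 00:11:22:33:44:55 [ether] on eth0
pc11 (192.168.1.11) at 00:11:22:33:44:66 [ether] on eth0
pc12 (192.168.1.12) at aa:bb:cc:dd:ee:01 [ether] on eth0
gw (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.13) at <incomplete> on eth0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|<incomplete>)")


def parse_arp_a(text):
    """Map IP -> lowercase MAC from `arp -a` output; None for incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            table[m.group("ip")] = None if mac == "<incomplete>" else mac
    return table


def parse_mac_list(text):
    """Read a squid-style MAC list file: one MAC per line, blank and '#' lines ignored."""
    return {
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def diagnose(mac_list, client_ips, arp_table, subnets):
    """Classify each listed MAC by what the proxy's ARP table can actually see."""
    seen_by = defaultdict(set)            # MAC -> IPs it answers for
    for ip, mac in arp_table.items():
        if mac:
            seen_by[mac].add(ip)
    report = {k: [] for k in ("ok", "off_link", "unresolved", "mac_mismatch")}
    for mac in sorted(mac_list):
        ip = client_ips.get(mac)
        if ip is None:
            continue
        if not any(ipaddress.ip_address(ip) in net for net in subnets):
            # Routed client: squid's arp ACL can never see this MAC.
            report["off_link"].append((mac, ip))
            continue
        seen = arp_table.get(ip)
        if seen is None:
            report["unresolved"].append((mac, ip))
        elif seen == mac:
            report["ok"].append((mac, ip))
        else:
            # The ARP table holds another device's MAC for this IP (router/proxy-arp).
            report["mac_mismatch"].append((mac, ip, seen))
    # One MAC answering for several IPs is the signature of a router or proxy-arp box.
    report["shared_mac"] = sorted((m, sorted(ips)) for m, ips in seen_by.items() if len(ips) > 1)
    return report


if __name__ == "__main__":
    result = diagnose(parse_mac_list(LISTA_MAC), CLIENT_IPS, parse_arp_a(ARP_A_OUTPUT), PROXY_SUBNETS)
    for key, entries in result.items():
        print(f"{key}: {entries}")
```

On a real proxy, replace the constructed strings with the output of `arp -a` and the contents of the MAC list; any client landing in `off_link` or `mac_mismatch` is one that an arp ACL cannot authorise, so the fallback has to be a `src` ACL or moving the client onto the proxy's link.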

This archive was generated by hypermail 2.2.0 : Fri Jul 25 2008 - 12:00:02 MDT