On Tue, 3 Feb 2004, Leon Dippenaar wrote:

> Thank a million its much appreciated, that makes sense.. Now i think im
> not getting my acl list the correct order quite correct because the MS
> downloads are still being nailed , have a quick look below let me know
> how bad the blunder is....
>
>
> acl trust src 172.16.1.145
> acl semi_trust src 172.16.2.245
> acl lan src 172.16.0.0/255.255.0.0
> acl ras src 172.17.1.0/255.255.255.0
> acl ftp proto FTP
> acl download url_regex -i "/usr/local/squid/denydownload.txt"
> acl download-allowed dstdomain .microsoft.com
> acl porn url_regex "/usr/local/squid/etc/porn.txt"
> acl noporn url_regex "/usr/local/squid/etc/noporn.txt"


ok.

> #####Trusted Users #######
> http_access allow porn trust
> http_access allow ftp trust
> http_access allow download trust


These are more efficient if you list the ACLs in the opposite order.
Simplest ACL first. Same functionality.

http_access allow trust porn
http_access allow trust ftp
http_access allow trust download

or maybe you want to simly allow everything for the trusted user:

http_access allow trust


> ##### Allowed Download sites #########
> http_access deny !download-allowed download lan
> http_access deny !download-allowed download ras


Ok from what I can tell.


> ######Semi-Trusted#######
> http_access allow porn semi_trust
> ##### Semi-Trust DENY ####
> http_access deny ftp semi_trust
> http_access deny download semi_trust


Are you sure it is not the above rules which blocks your downloads?

> ######RAS Deny #########
> http_access deny porn ras
> http_access deny ftp ras
> http_access deny download ras


Or these?

> ##### LAN DENY #######
> http_access deny porn lan
> http_access deny ftp lan
> http_access deny download lan


Or these?

> ####### RAS Allow ########
> http_access allow ras
> ######LAN Allow###########
> http_access allow lan


Ok.


I would suggest you simplify your rules a bit. The above ruleset is
inconsistent and have the download rules duplicated in several places.

Regards
Henrik