Re: [squid-users] Peer Review of my ACL's
On Wed, 25 Feb 2004, Eric Kahklen wrote:
> As I understand ACLs, squid uses OR logic when checking the ACL
> values. Squid only searches until it finds a match in the ACL then
> stops. The access rules are different, they use AND logic and combine
> all the ACLs in the list. If none of the access rules are matched, the
> default response is the exact opposite of the last rule.
> So for example:
> acl mynetwork src 192.168.1.0
> http_access allow mynetwork
> This would only allow the 192.168.1.0 subnet, and by default it would
> DENY anything else since it wouldn't match the acl - mynetwork.
> I got confused by one in Wessels book:
> acl All src 0/0
> acl Bob ident bob
> http_access allow Bob
> http_access deny All
> First if the ident wasn't matched with bob, they would be denied.
No, the first rule only says that if the ident is bob he will be allowed.
If the ident is not bob the first http_access line does nothing and Squid
continues to the next http_access line.
> Then if it wasn't ident traffic, they'd be denied for everything else?
The second line says everything not matched above is denied.
The AND is when you have multiple acls on the same http_access line
acl mynetwork src 192.168.1.0/24
acl Bob ident bob
http_access allow mynetwork Bob
will allow the request if the source IP is in the 192.168.1.0/24 network
AND the ident is "bob".
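The three rules discussed in this thread (OR between the values of one acl, AND between the acl names on one http_access line, first matching line wins, and the default being the opposite of the last line) can be checked against a small model. The following is an added example, not Squid's own code: a toy evaluator in Python for `acl ... src` and `acl ... ident` plus `http_access`, fed the configs from the thread. The `Request` record, its `ident` field and the sample addresses are constructed for the example; only the `src` and `ident` acl types are modelled, and real Squid adds more (slow lookups, the built-in `all` acl, and so on).

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    # What the model knows about a request: client IP and, if the client's
    # identd answered, the ident username. Constructed for this example.
    src: str
    ident: Optional[str] = None


def _squid_network(value: str) -> ipaddress._BaseNetwork:
    # Squid accepts shorthand like "0/0" for 0.0.0.0/0; pad missing octets.
    addr, sep, mask = value.partition("/")
    if ":" not in addr:
        parts = addr.split(".")
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.ip_network(addr + (sep + mask if sep else ""), strict=False)


@dataclass
class Acl:
    name: str
    kind: str            # "src" or "ident"
    values: List[str]

    def matches(self, req: Request) -> bool:
        # OR inside one acl: any one listed value matching is enough.
        if self.kind == "src":
            ip = ipaddress.ip_address(req.src)
            return any(ip in _squid_network(v) for v in self.values)
        if self.kind == "ident":
            return req.ident is not None and req.ident in self.values
        raise ValueError("unsupported acl type: " + self.kind)


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    terms: List[str]     # acl names, each optionally prefixed with "!"


def parse(conf: str) -> Tuple[Dict[str, Acl], List[Rule]]:
    acls: Dict[str, Acl] = {}
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl":
            name, kind, values = tok[1], tok[2], tok[3:]
            if name in acls:          # repeating an acl name appends values
                acls[name].values.extend(values)
            else:
                acls[name] = Acl(name, kind, values)
        elif tok[0] == "http_access":
            rules.append(Rule(tok[1], tok[2:]))
        else:
            raise ValueError("unsupported directive: " + line)
    return acls, rules


def http_access(conf: str, req: Request) -> str:
    """Return "allow" or "deny" for req under the given squid.conf fragment."""
    acls, rules = parse(conf)
    if not rules:
        return "deny"                 # no http_access lines at all: Squid denies
    for rule in rules:
        # AND across the acl names on one http_access line; "!" negates a term.
        hit = True
        for term in rule.terms:
            negate = term.startswith("!")
            if acls[term.lstrip("!")].matches(req) == negate:
                hit = False
                break
        if hit:
            return rule.action        # first matching line wins
    # Nothing matched: the default is the opposite of the last line's action.
    return "deny" if rules[-1].action == "allow" else "allow"


# The configs from the thread, as constructed test input.
BOB_CONF = """
acl All src 0/0
acl Bob ident bob
http_access allow Bob
http_access deny All
"""

AND_CONF = """
acl mynetwork src 192.168.1.0/24
acl Bob ident bob
http_access allow mynetwork Bob
"""

NEGATE_CONF = """
acl mynetwork src 192.168.1.0/24
http_access deny !mynetwork
"""
```

Running `http_access(BOB_CONF, Request("10.0.0.5", ident="alice"))` falls through the first line and is denied by the second, while `http_access(AND_CONF, Request("192.168.1.7", ident="alice"))` matches nothing and is denied only because the last (and only) line is an allow. `NEGATE_CONF` shows the mirror image: a request from inside the network matches nothing and is allowed by default, which is exactly why a closing `http_access deny all` is the usual last line.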