OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Wolfspyre on July 28, 2023, 08:43:41 pm

Title: Squid proxy access control list question [ subtab_proxy-forward-acl uri ]
Post by: Wolfspyre on July 28, 2023, 08:43:41 pm

Howdy all!

In the squid configuration ui,


under 'Administration -> Forward Proxy ->  Access Control List'

There's a section to enumerate permitted subnets. That section is labeled
"Allowed Subnets"  with the description
"Type subnets you want to allow access to the proxy server"


There's also a section to enumerate "Unrestricted IP Addresses"  with the description
"Type IP addresses you want to allow access to the proxy server"


What's the distinction between an 'allowed' subnet, and an 'unrestricted' ip?   if there's no access/functional difference, except that the IPs are singletons; it would, (in my opinion) make for less confusion to the average admin that the two are different only in declarative scope....

however if there's more functional differences between the two definition mechanisms, it would be helpful to link to documentation somehow to illustrate the difference.

as it is now, (to me, at least) it feels like there is an implied difference between an allowed subnet, and an unrestricted address....  [ BEYOND THE BITMASK :P ]

IOW: The words "unrestricted" and "allowed" carry different implied weights/significances.. If that's intentional, it would be helpful to point the user to information explaining the difference. If it's NOT, more homogenous verbiage might be helpful to avoid being unintentionally confusing.

the way it is laid out at the moment, one is left with the impression that:

clients that fall into the in 'allowed subnets' are enabled to use the proxy, only when connecting to destinations declared in the Allowed [ TCP / SSL ] ports lists.. via squid's declared [ HTTP / HTTPS ] listening ports respectively; while clients that match the 'unrestricted ip addresses' are not bound by that limitation.

Is that the correct interpretation?

IE:

allowed subnet: 10.0.1.0/24
unrestricted ips: 10.0.1.10, 10.0.2.10
Allowed TCP Ports: 80:http 81:alt_http
Allowed SSL Ports: 443:https 444:https_alt

given the above example, is the following correct?


if 10.0.1.44 connects (transparently via nat, or otherwise) to:
- The TCP/HTTP squid endpoint requesting 8.8.8.8:80 ............. it should be permitted.
- The TCP/HTTP squid endpoint requesting 8.8.8.8:81 ............. it should be permitted.
- The SSL squid endpoint, requesting 8.8.8.8:443 ................... it should be permitted.
- The SSL squid endpoint, requesting 8.8.8.8:444 ................... it should be permitted.
- The TCP/HTTP squid endpoint requesting 1.2.3.4:8080  ......... it would NOT be permitted.
- The SSL squid endpoint, requesting 1.2.3.4:4444  ................ it would NOT be permitted.

if 10.0.1.10 connects (transparently via nat, or otherwise) to:
- The TCP/HTTP squid endpoint requesting 8.8.8.8:80 ............. it should be permitted.
- The TCP/HTTP squid endpoint requesting 8.8.8.8:81 ............. it should be permitted.
- The SSL squid endpoint, requesting 8.8.8.8:443 ................... it should be permitted.
- The SSL squid endpoint, requesting 8.8.8.8:444 ................... it should be permitted.
- The TCP/HTTP squid endpoint requesting 1.2.3.4:8080  ......... it should be permitted.
- The SSL squid endpoint, requesting 1.2.3.4:4444  ................. it should be permitted.

if 10.0.2.10 connects (transparently via nat, or otherwise) to:
- The TCP/HTTP squid endpoint requesting 8.8.8.8:80 ............. it should be permitted.
- The TCP/HTTP squid endpoint requesting 8.8.8.8:81 ............. it should be permitted.
- The SSL squid endpoint, requesting 8.8.8.8:443 ................... it should be permitted.
- The SSL squid endpoint, requesting 8.8.8.8:444 ................... it should be permitted.
- The TCP/HTTP squid endpoint requesting 1.2.3.4:8080  ......... it should be permitted.
- The SSL squid endpoint, requesting 1.2.3.4:4444  .................it should be permitted.


hopefully the example illustrates the question sufficiently :)




 

 

Title: Re: Squid proxy access control list question [ subtab_proxy-forward-acl uri ]
Post by: Amr on July 31, 2023, 03:15:26 pm

Quote

What's the distinction between an 'allowed' subnet, and an 'unrestricted' ip?

• 'allowed' subnet: the subnet(s) that's allowed to Access the proxy's service for example if u have VLANS: 10.0.1.0/24 and 10.0.2.0/24, you could allow the first by adding in the list and block access to the later by simply not adding it.
• 'unrestricted' ip: an IP that ACLs don't apply to (blacklists don't apply to it, so it can access any website)

Quote

it would be helpful to link to documentation somehow to illustrate the difference.

you can check the conf file at /usr/local/etc/squid/squid.conf or squid.conf.documented.

Title: Re: Squid proxy access control list question [ subtab_proxy-forward-acl uri ]
Post by: Wolfspyre on August 02, 2023, 04:06:02 pm

Hi Amr,
I can do lots of things.... :)
My intent here was partially to illustrate there's an unnecessary conflation that's confusing to users.

The distinction in access is 'allowed and subject to portfilters' versus 'allowed, and not restricted by destport'

afaik a subnet is a permissible unrestricted entry...
So why refer to one as an IP address entrypoint, and the other for subnets (with the implication that one may not invert that)

essentially I'm wondering why not name them " Allowed address space " and " Unrestricted address space " to illustrate that a /32 counts as a subnet....