Securing and Managing Blue Network Cache Access with ACLs

I made changes to /var/ipfire/proxy/advanced/acls/include.acl because I needed to implement access restrictions (using Squid) among various servers within the same BLUE network.

It should be noted that I HAVE a SMART switch that can block access between BLUE servers if Squid is not active.

# Open access for GREEN
acl rete_green src 10.168.1.0/16
http_access allow IPFire_green_network rete_green
# URLs allowed so the images of the IPFire Squid pages can be loaded
# 10.168.1.0/16 = GREEN
# 10.10.1.0/16 = BLUE
# .254 = IPFire
acl special_url1 url_regex ipfire.localdomain:800/squid-internal-static/
http_access allow special_url1

acl special_url2 url_regex 10.168.1.254:800/squid-internal-static/
http_access allow special_url2

acl special_url3 url_regex 10.10.1.254:800/squid-internal-static/
http_access allow special_url3

# URLs allowed for wpad.dat
acl special_url4 url_regex http://10.10.1.254:81/wpad.dat
http_access allow special_url4

acl special_url5 url_regex http://10.168.1.254:81/wpad.dat
http_access allow special_url5


# Deny the client networks access to IPFire itself
acl dominio2 dstdomain ipfire.localdomain
http_access deny dominio2

acl dominio3 dstdomain 10.168.1.254
http_access deny dominio3

acl dominio5 dstdomain 10.10.1.254
http_access deny dominio5

acl dominio6 dstdomain 10.10.1.253
http_access deny dominio6

acl dominio7 dstdomain 10.10.1.252
http_access deny dominio7

It is crucial to respect the order of the rules: Squid evaluates the http_access lines from top to bottom and stops at the first line whose ACLs all match, so everything after a matching rule is ignored.

Alternatively, I have configured the same functionality through the graphical interface, as shown in the image. However, it’s important to note that if you disable URL filtering (keeping only the proxy active), the rules won’t be applied. This issue can be resolved by modifying “include.acl.”

Here is a reference image:

I have conducted numerous tests, and it appears that everything is working perfectly. I am open to any suggestions for improving the rules.

Additionally, I have noticed another issue, highlighted in the following image:

Thank you in advance for any advice, and have a great day.

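The first-match behaviour described above is easy to get wrong when an include file is edited by hand, so here is a small simulator that replays Squid's http_access evaluation over the ACL lines from this post. It is an added example, not code from the post or from IPFire: it models only the `src`, `dstdomain` and `url_regex` ACL types, and the definition of `IPFire_green_network` as 10.168.0.0/16 is an assumption (on a real installation that ACL comes from the generated squid.conf, not from include.acl). It also shows two things the post does not spell out: `10.168.1.0/16` has host bits outside its mask, and Squid warns and applies it as 10.168.0.0/16; and when no line in the include matches, the decision is made by whatever http_access lines follow the include in the complete squid.conf, so a request to an arbitrary external site is reported here as "no match" rather than as allow or deny.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The ACL lines from the post, preceded by a constructed definition of
# IPFire_green_network (assumption: on a real IPFire box that ACL comes
# from the generated squid.conf, not from include.acl).
INCLUDE_ACL = """
acl IPFire_green_network src 10.168.0.0/16
acl rete_green src 10.168.1.0/16
http_access allow IPFire_green_network rete_green
acl special_url1 url_regex ipfire.localdomain:800/squid-internal-static/
http_access allow special_url1
acl special_url2 url_regex 10.168.1.254:800/squid-internal-static/
http_access allow special_url2
acl special_url3 url_regex 10.10.1.254:800/squid-internal-static/
http_access allow special_url3
acl special_url4 url_regex http://10.10.1.254:81/wpad.dat
http_access allow special_url4
acl special_url5 url_regex http://10.168.1.254:81/wpad.dat
http_access allow special_url5
acl dominio2 dstdomain ipfire.localdomain
http_access deny dominio2
acl dominio3 dstdomain 10.168.1.254
http_access deny dominio3
acl dominio5 dstdomain 10.10.1.254
http_access deny dominio5
acl dominio6 dstdomain 10.10.1.253
http_access deny dominio6
acl dominio7 dstdomain 10.10.1.252
http_access deny dominio7
"""


def squid_src_network(value):
    """Squid accepts a src entry whose host bits extend past its mask, but it
    warns and masks them away: 10.168.1.0/16 is applied as 10.168.0.0/16."""
    return ipaddress.ip_network(value, strict=False)


def parse(config):
    """Return ({acl name: (type, [values])}, [(action, [acl names])])."""
    acls, rules = {}, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            acl_type, values = acls.setdefault(parts[1], (parts[2], []))
            if acl_type != parts[2]:
                raise ValueError(f"acl {parts[1]} redefined with another type")
            values.extend(parts[3:])
        elif parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
        else:
            raise ValueError(f"unsupported line: {line}")
    return acls, rules


def _host_of(url):
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    # A CONNECT request (HTTPS through the proxy) reaches Squid as "host:port".
    return url.rsplit(":", 1)[0].lower()


def acl_matches(acls, name, client_ip, url):
    acl_type, values = acls[name]
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in squid_src_network(v) for v in values)
    if acl_type == "dstdomain":
        host = _host_of(url)
        for v in values:
            v = v.lower()
            # ".example" covers the domain and its subdomains, "example" only itself
            if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                return True
            if host == v:
                return True
        return False
    if acl_type == "url_regex":
        return any(re.search(v, url) for v in values)
    raise ValueError(f"acl type {acl_type} not modelled here")


def decide(acls, rules, client_ip, url):
    """First-match evaluation: (action, rule index), or (None, None) when no
    line matched, in which case Squid continues with the http_access lines
    that follow the include in the complete squid.conf."""
    for index, (action, names) in enumerate(rules):
        # Every ACL on the line must match; a leading "!" negates that ACL.
        if all(acl_matches(acls, n.lstrip("!"), client_ip, url) != n.startswith("!")
               for n in names):
            return action, index
    return None, None


def denies_first(rules):
    """Constructed mis-ordering: the deny lines hoisted above the allow lines,
    which silently breaks wpad.dat and the squid-internal-static exceptions."""
    return [r for r in rules if r[0] == "deny"] + [r for r in rules if r[0] == "allow"]


if __name__ == "__main__":
    acls, rules = parse(INCLUDE_ACL)
    for ip, url in [("10.168.1.50", "http://ipfire.localdomain:444/"),
                    ("10.10.1.20", "http://10.10.1.254:81/wpad.dat"),
                    ("10.10.1.20", "10.10.1.254:444"),
                    ("10.10.1.20", "http://www.example.com/")]:
        print(ip, url, decide(acls, rules, ip, url),
              "| denies first:", decide(acls, denies_first(rules), ip, url))
```

With the lines in the order of the post, a BLUE client (10.10.1.20 here, a constructed address) reaches wpad.dat through the allow on `special_url4` and is stopped at `dominio5` when it tries the IPFire web interface over CONNECT; with the deny lines hoisted above the allows, the same client loses wpad.dat and even the GREEN allow on the first line no longer protects GREEN clients, which is exactly the ordering point the post makes.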