[TriLUG] from teh IRC: Squid external_acl_type stuff

Brian Henning brian at strutmasters.com
Mon Sep 11 10:09:49 EDT 2006


Hi Gang,
   The IRC channel appears a bit quiet, so here I go with my dilemma:

I want to be able to match against source MAC within Squid, to be able 
to enforce potentially different ACLs for different machines/users 
without relying on any sort of interactive authentication.

(Or perhaps I could use iptables to redirect to different ports (all of 
which would have listening squids) based on MAC, but that doesn't seem 
like it would scale well.)

At any rate, I wrote a very short perl script that can be given an IP 
address and a MAC address and use the arp command along with grep and 
awk to retrieve the last known MAC address from the kernel's arp table 
for the given IP and compare it to the address provided, and output "OK" 
or "ERR" for squid.

Thing is, when I enable the thing, it seems like squid never actually 
calls the external program, and just starts acting like it always 
answers with "OK" (I've even edited the perl script to unconditionally 
respond with "ERR", and squid still acts like it's answering "OK").

Below is the important part of the perl script and my squid.conf:

from /squid_mac_acl.pl:
#!/usr/bin/perl
[...]
# squid.conf docs around external_acl_type imply responses should be
# returned via stdout
print "ERR error=MACMismatch\n";

from /etc/squid/squid.conf:
external_acl_type macmatch %SRC /squid_mac_acl.pl
acl brian external macmatch 88:88:88:88:88:88
http_access allow brian

When the above is part of my squid.conf, the "http_access allow brian" 
basically opens carte blanche access to all hosts (very bad, of course), 
instead of only opening access to MAC address 88:88:88:88:88:88 (which 
of course doesn't actually exist on my network, and ought to result in 
denial).

/squid_mac_acl.pl has mode 0755, root:root ownership.  I've tried 
putting some code to write to a log file in the script, and nothing gets 
written to the log file when squid ought to be calling the program.

As always, all tips and hints and sources of further reading are greatly 
appreciated.

-- 
----------------
Brian A. Henning
strutmasters.com
336.597.2397x238
----------------
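The external_acl_type helper protocol is line-oriented: Squid starts the helper once, keeps it running, writes one request per line to its stdin (the format tokens from the external_acl_type line, here the %SRC address, followed by the arguments given on the acl line, so "192.168.1.10 88:88:88:88:88:88"), and expects exactly one "OK" or "ERR" line on stdout per request. A helper that prints a single line and exits instead of looping over stdin cannot answer that way. The following is an added example of a helper that speaks that protocol; it is not the original poster's script. It assumes Linux, reads the kernel ARP cache from /proc/net/arp (path is an assumption), and fails closed on anything unexpected. The ARP table embedded below is constructed sample data for offline testing. Squid 2.x also ships a built-in `arp` ACL type on Linux when compiled with --enable-arp-acl, which avoids the helper entirely; either way, a MAC-keyed decision is only as trustworthy as the proxy host's own ARP cache.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not the poster's script).

Squid config it is written for:
  external_acl_type macmatch %SRC /path/to/this/helper.py
  acl brian external macmatch 88:88:88:88:88:88
  http_access allow brian

Squid sends "<client-ip> <expected-mac>" per line on stdin and expects one
"OK" or "ERR" line on stdout per request; the helper must loop forever.
"""
import re
import sys

ARP_PATH = "/proc/net/arp"  # assumption: Linux kernel ARP cache location
ATF_COM = 0x2               # kernel flag bit: entry is complete (resolved)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample of /proc/net/arp content, used only by the offline tests.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         88:88:88:88:88:88     *        eth0
192.168.1.11     0x1         0x2         00:11:22:AA:BB:CC     *        eth0
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def normalize_mac(mac):
    """Return lower-case zero-padded aa:bb:cc:dd:ee:ff, or None if malformed."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6:
        return None
    try:
        norm = ":".join("%02x" % int(p, 16) for p in parts)
    except ValueError:
        return None
    return norm if MAC_RE.match(norm) else None


def parse_arp_table(text):
    """Map IP -> normalized MAC for complete entries only.

    Incomplete entries (flags without ATF_COM) are skipped so an IP the
    kernel never resolved cannot match the all-zero placeholder MAC."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3]
        if flags & ATF_COM:
            norm = normalize_mac(mac)
            if norm:
                table[ip] = norm
    return table


def decide(request_line, arp_table):
    """Turn one Squid request line ("<ip> <expected-mac>") into the reply line.

    Anything malformed or unknown fails closed with ERR."""
    fields = request_line.split()
    if len(fields) != 2:
        return "ERR error=BadRequest"
    ip, expected = fields[0], normalize_mac(fields[1])
    if expected is None:
        return "ERR error=BadMAC"
    actual = arp_table.get(ip)
    if actual is None:
        return "ERR error=NoARPEntry"
    if actual != expected:
        return "ERR error=MACMismatch"
    return "OK"


def main():
    # Squid keeps this process alive and pipes one request per line. The
    # reply must be flushed per line: Python block-buffers stdout on a pipe,
    # and an unflushed reply never reaches Squid.
    for line in sys.stdin:
        with open(ARP_PATH) as f:
            table = parse_arp_table(f.read())  # re-read: the cache changes
        print(decide(line, table), flush=True)


if __name__ == "__main__":
    main()
```

To try it by hand before wiring it into squid.conf, run the script and type `192.168.1.10 88:88:88:88:88:88` on its stdin; it should answer on the next line and stay running for the next request. If nothing appears in a helper's own log file when Squid should be calling it, checking `cache.log` for helper start-up errors is the first step, since Squid logs there when it cannot spawn or gets no reply from an external ACL helper.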
