Hi all...
I'm really new (yeah... you guessed right...) to the Squid and Linux 
world in the whole... and coming from a Mac world... I can say this 
is a real difficult step I took... (altho now with LinuxPPC and MacOS 
X in the way... things are getting better for the PPC Platform).
I do have a lot of help from a friend on setting up a Linux box on a 
Pentium III/450, 128MB Ram, and he already has done a lot on 
installing and compiling and stuff... but we're stuck on successfully 
running Squid 2.2 STABLE5 on it. It's a 2.0.36 Linux (RedHat) and we 
already run a firewall on it... so this makes some things even harder.
Anyway... since we're going to find anything that could be wrong in 
the firewall... I'll keep this list spam-free and only ask some squid 
specific questions:
1. The firewall uses 2 eth cards (Yeah how strange), but I was 
wondering if the inside-of-firewall clients should contact the Proxy 
in the inside-IP to serve their requests or the outside-IP. Both 
worked with version 1.1 of Squid that got to run ok after a fresh 
compile and without modifications on the default conf file... but I'm 
unsure what the "right" thing is...
2. This squid is meant to serve around 10-20 users in our company's 
LAN (no more than 3-4 at a time tho) but not all clients are equal... 
so I thought I'll apply a simple rule...
2.1 Giving "super-users" true IP from the inside-of-firewall subnet 
(195.99.19.20 255.255.255.224 for example), and "normal-users" a fake 
IP like 192.168.1.20 255.255.255.0... (does this need IP Masquerading 
too? We only set a second "gateway address" to 192.168.1.1 on the 
interface)
2.2 "Super users" should get all URLs unrestricted... and "Normal 
users" should get all URLs except those matching some strings I'll 
type in... like sex playboy etc... (I think it's a lot easier to 
prevent access to these sites by keyword than to predict all 
domains... :)) ).
2.3 A possible "extension" of the 2.2 rule... would be if "normal 
users" could get all sites unrestricted but only after 17:00 or so... 
but that's entirely optional... if it messes things up too much... 
I'd better leave it.
3. Our internet provider runs a squid cache too... can I somehow 
"take advantage" of his cached documents but ONLY if they have it 
already cached... I mean I don't want to download everything from his 
squid...  just the cached objects... I know this has to do with the 
sibling/parent/child thing... but it really isn't clear to me what 
does what and which of the squid.conf options should be open to 
actually "get the job done".
4. (And last ... I promise) I truly am silly enough to believe that 
all the above will be answered... so I also would like to ask what 
the ideal squid.conf memory/disk ratio would be... I have up to 6GB 
of disk for cached objects to spare... and what I already have in is 
30MB ram and 4GB for cached objects... how does it sound?
THANKS A MILLION TIMES TO ANYONE THAT HAS REACHED THIS LINE (Reading...) :)
And my really Linux-loving hugs to anyone that will answer this... or 
help in any way!!!
Andreas Skilitsis
Soon-To-Be Linux-Lover
MacOS Networks Admin (for now)
___
Andreas Skilitsis
macstar@avalon.gr
___
- How many Microsoft engineers does it take to screw in a lightbulb?
- None. They just  redefine darkness as the standard.
___
Received on Wed Dec 08 1999 - 14:58:34 MST
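
The access policy described in questions 2.1 to 2.3 and the peer relationship asked about in question 3, written as a squid.conf fragment. This is an added example, not part of the original post. The subnets are derived from the sample addresses in question 2.1, and the peer hostname and ports are placeholders.

```conf
# Added example, not from the original post: Squid 2.x squid.conf fragment.
# Assumptions: subnets taken from the sample addresses in question 2.1;
# proxy.isp.example and its ports are placeholders for the ISP's cache.

# 2.1: classify clients by source address (network/netmask).
# The "all" ACL used below ships in the stock squid.conf as:
#   acl all src 0.0.0.0/0.0.0.0
acl super_users  src 195.99.19.0/255.255.255.224
acl normal_users src 192.168.1.0/255.255.255.0

# 2.2: case-insensitive keyword match against the full requested URL.
acl blocked_words url_regex -i sex playboy

# 2.3: Monday to Friday, 17:00 until midnight (local time on the proxy).
acl after_hours time MTWHF 17:00-23:59

# http_access rules are checked top to bottom and the first match decides.
# ACLs named on the same line must all match (logical AND).
http_access allow super_users
http_access allow normal_users after_hours
http_access deny  normal_users blocked_words
http_access allow normal_users
# Final catch-all: any client outside the two subnets is refused, so the
# proxy does not answer arbitrary hosts that can reach either interface.
http_access deny  all

# 3: a sibling is asked over ICP whether it holds the object and is used
# only on a hit; misses are fetched directly instead of through the peer.
# Format: cache_peer <host> <type> <http_port> <icp_port>
# The ISP's cache must accept ICP queries from this proxy for this to work.
cache_peer proxy.isp.example sibling 3128 3130
```

Keyword matching with `url_regex` is a substring match, so a word like "sex" also blocks unrelated URLs that happen to contain it (for example "essex"). Requests refused by these rules show up in access.log as TCP_DENIED, which is a quick way to review what the filter is catching.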