[squid-users] IPv6 and syntax?

Walter H. Walter.H at mathemainzel.info
Sat May 16 11:09:28 UTC 2015


On 16.05.2015 10:13, Amos Jeffries wrote:
> On 16/05/2015 6:22 p.m., Walter H. wrote:
>> On 16.05.2015 01:41, Amos Jeffries wrote:
>>> On 16/05/2015 6:14 a.m., Walter H. wrote:
>>>> Hello,
>>>>
>>>> is IPv6 somewhat similar to IPv4?
>>> Somewhat, yes.
>> I just wondered because of the "different" behaviour;
>>>> e.g.
>>>>
>>>> I would write
>>>>
>>>> acl block_ipv4_range dst  84.84.84.0/24
>>>> deny_info errorpage block_ipv4_range
>>>> http_access deny block_ipv4_range
>>>>
>>>> to block any hosts within this IPv4 range
>>> Taking a step aside, that is not quite what those rules do. They block
>>> access from anywhere *to* the IP address range (TCP/IP packet
>>> destination on the request messages).
>>>
>> yes this should be the intention, that you get an error (in this case
>> the errorpage) when
>> you have e.g.  http://84.84.84.2/ or https://84.84.84.2/ as URL in your
>> browser ...
> It will block that, and any domain name which resolves to those IPs.
>
yes, that is the intention;

I would have done it this way:

acl block_whole_network dst_as 4837
deny_info errorpage block_whole_network
http_access deny block_whole_network

but this crashes squid ...

as workaround I've got a file listing any range for one AS number
and doing this:

acl block_as4837 dst "block-as4837-acl.squid"

and one of these files has more than 600(!) entries ...

>> does it seem to be problematic, when having a TLS-server with an IPv6
>> address only without DNS, because of the comm name?
> That is a different issue entirely.
yes and hoping no browser ever will accept a common name of just '*'
> Going by that description it seems Firefox and Chrome are a bit broken.
IE, too;

Walter
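
The per-AS range file from the workaround above can be validated and shrunk before Squid loads it. This is an added example, not part of the original post and not Squid project code: it assumes the file holds one CIDR per line, and the prefixes below are constructed documentation ranges, not real AS data.

```python
import ipaddress

# Constructed sample input standing in for a per-AS range list.
SAMPLE_PREFIXES = """
# constructed sample, not real AS data
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
2001:db8::/64
2001:db8:0:1::/64
2001:db8::/48
not-a-prefix
192.0.2.7/24
"""

def parse_prefixes(text):
    """Return (networks, rejected) from one-prefix-per-line text."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (192.0.2.7/24),
            # which usually indicate a typo in the range list.
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return networks, rejected

def collapse(networks):
    """Merge adjacent and overlapping prefixes, one address family at a time."""
    out = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return out

def render_acl_file(networks):
    """One CIDR per line, the form read by: acl NAME dst "file"."""
    return "".join(f"{n}\n" for n in networks)

if __name__ == "__main__":
    nets, bad = parse_prefixes(SAMPLE_PREFIXES)
    print(render_acl_file(collapse(nets)), end="")
    for entry in bad:
        print("rejected:", entry)
```

Rejected entries are worth reviewing by hand rather than silently dropping, since a mistyped prefix means a range that was meant to be blocked is not.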
