[squid-users] Use arp and time acls to control access

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue May 10 13:36:17 UTC 2016

On 10.05.16 12:53, TarotApprentice wrote:
>I'm trying to restrict internet access of certain devices to certain times of the day. My config looks like:
>acl devicename1 arp aa:bb:cc:dd:ee:ffacl devicename2 arp aa:bb:cc:ff:ee:ddacl usertime time MTWHF 06:30-08:00acl usertime time MTWHF 18:00-22:30

I see yahoo converts html to plaintext very badly - joins lines by
converting line breaks to no white space at all (gmail does similar stuff too)

>http_access allow devicename1 usertimehttp_access allow devicename2 usertimehttp_access deny devicename

... (use real mail client instead of yahoo's if possible)

>I'm using squid 3.5.17 (the latest in Debian Stretch). The client devices are using the proxy in explicit mode.
>devicename1 and devicename2 currently are getting dynamic IP's but I can set the router up to give a static IPv4 address and use that instead of the mac address.
>From reading the docs it seems arp (the mac address) isn't available if they use IPv6.

Incorrect. mac address can't be used behind router, because it's only
visible on local network. Behind router, you only see IP Address, but mac
address already belongs to the router (that's the point of routing)

> Also if they're using an https site it isn't going to work unless I start
> peeking. 

without peeking, you only see where the connection goes to, not the URL
since it's encrypted in the data stream.

> Is there a better way of restricting the access to the allowed
> times for both http and https traffic?

no, in order to log more about HTTPS connections, you must effectively be
the attacker who does MITM.
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
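
The configuration discussed in this thread, laid out one directive per line, as an added example that is not part of either poster's message. The ACL names, MAC addresses and time windows are the ones quoted above; the 192.168.1.x addresses and the two final deny rules are assumptions made for illustration.

```squidconf
# Added example. Names, MACs and time windows come from the thread;
# the 192.168.1.x addresses are constructed placeholders.

# Variant A: match by MAC address. This only works while the devices sit
# on the same local network as Squid; behind a router Squid sees the
# router's MAC, not the device's.
acl devicename1 arp aa:bb:cc:dd:ee:ff
acl devicename2 arp aa:bb:cc:ff:ee:dd

# Variant B: match by a static IPv4 address handed out by the router.
# Use these two lines instead of Variant A, not together with it.
#acl devicename1 src 192.168.1.101
#acl devicename2 src 192.168.1.102

# Several acl lines with the same name are ORed: usertime matches in
# either window, Monday to Friday.
acl usertime time MTWHF 06:30-08:00
acl usertime time MTWHF 18:00-22:30

# In explicit-proxy mode an HTTPS request reaches Squid as a CONNECT to
# host:port and is evaluated by http_access as well; without peeking,
# only the destination is visible, not the URL.
# ACLs on one http_access line are ANDed; the first matching line wins.
http_access allow devicename1 usertime
http_access allow devicename2 usertime

# Assumed intent of the truncated deny rule quoted above: the same
# devices are refused outside the allowed windows.
http_access deny devicename1
http_access deny devicename2

# ... the remaining http_access rules for other clients follow here
```

`squid -k parse` checks the file for syntax errors before a reload.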
