This section deals with the configuration of the "Squid Access Control Lists" (ACL) which control Squid traffic and manage both the access to Squid and away from Squid. Conceptually, ACL operate similarly to the firewall, as they will determine what access permissions any member of the network will have inside the proxy.
Be aware that the ACLs rules do not necessarily follow the firewall rules of the network traffic. For example, if you set the firewall to deny access to the green network and you have not configured Squid with a similar restriction (see below for how to do that), inside the cache a machine in the blue IP space will have access to the green zone.
The Web User Interface (WUI) controls the configuration of a subset of the most common ACL directives, as described in the next few paragraphs. After configuring, saving and reloading, the WUI will change the Squid configuration located here:
These are the directives specific to IPFire which build the main component of the ACL, and they include also a few others not listed in the IPFire WUI: acl IPFire_ips, IPFire_networks, IPFire_servers, IPFire_green_network, IPFire_green_servers, IPFire_blue_network, IPFire_blue_servers, IPFire_banned_ips, IPFire_unrestricted_ips - for each src and dst - IPFire_banned_mac, IPFire_unrestricted_mac - for each arp. You can easily figure out what these elements represents by inspecting the acl section of squid.conf.
In the following paragraphs you will find what you can configure with the WUI (see the image below).
Allowed subnets (one per line):
In here, at least the subnets of the active zones (no DMZ ) should be findable. The entry of a subnetwork under this option allows general access to the Web-proxy. If for example, remote/local VPN networks or locally connected networks that are neither in green nor defined in blue should be connected to the proxy, you just can enter the subnet with the subnet mask (in CIDR notation) in here.
Disable internal proxy access to Green from other subnets:
If the proxy is activated and used for both zones (blue and green), the blue zone is allowed to reach the green network via http or https, regardless of the settings of the firewall (see the default IPFires circuit --> Network topologies and access methods). If the green zone must be isolated also inside the proxy, the checkbox shown in the figure needs to be set.
Disable internal proxy access from Blue to other subnets:
Similarly to the previous checkbox, if the proxy is activated and used for both zones (blue and green), and you want to deny the blue network any access outside the blue space, the corresponding checkbox needs to be set. However, a direct access to IPFire is still granted. If you want to deny it, you have to do a manual customization and modify /var/ipfire/proxy/advanced/acls/include.acl.
Unrestricted IP addresses (one per line):
All IP addresses which are listed in here have no restrictions by the following regulation areas of: Time restrictions, Transfer limits, or the MIME-type filter.
Unrestricted MAC addresses (one per line):
All MAC addresses which are listed in here have no restrictions by the following regulation areas of: Time restrictions, Transfer limits, or the MIME-type filter.
Banned IP addresses (one per line):
All IP addresses that are entered here will be completely blocked by the proxy.
Banned MAC addresses (one per line):
All MAC addresses that are entered here will be completely blocked by the proxy.
Unrestricted IP / MAC addresses (one per line):
IP or MAC addresses which are neither entered in the unrestricted section nor in the banned one, are restricted by the: Time restrictions, Transfer limits or/and the MIME-type filter.