This section deals with the configuration of the Squid Access Control Lists (ACLs), which control Squid traffic and manage access both to Squid and from Squid outwards. Conceptually, ACLs operate much like a firewall, in that they determine what access any member of the network has through the proxy.
Be aware that the ACL rules do not necessarily follow the firewall rules for network traffic. For example, if you set the firewall to deny access to the green network but have not configured Squid with a similar restriction (see below for how to do that), a machine in the blue IP space will still reach the green zone through the proxy.
The Web User Interface (WUI) exposes a subset of the most common ACL directives, as described in the next few paragraphs. After you configure, save and reload, the WUI rewrites the Squid configuration located here:
These are the IPFire-specific ACL definitions that form the main component of the access control; they also include a few that are not exposed in the IPFire WUI: IPFire_ips, IPFire_networks, IPFire_servers, IPFire_green_network, IPFire_green_servers, IPFire_blue_network, IPFire_blue_servers, IPFire_banned_ips and IPFire_unrestricted_ips, each defined for both src and dst, plus IPFire_banned_mac and IPFire_unrestricted_mac, each defined with arp. You can easily work out what each of these represents by inspecting the acl section of squid.conf.
In the following paragraphs you will find what can be configured with the WUI (see the image below).
Here, at least the subnets of the active zones (not the DMZ) should be listed. Entering a subnetwork under this option grants it general access to the web proxy. If, for example, remote or local VPN networks, or locally connected networks that are neither in green nor defined in blue, should be able to use the proxy, you can simply enter the subnet with its subnet mask (in CIDR notation) here.
If the proxy is activated and used for both zones (blue and green), the blue zone is allowed to reach the green network via HTTP or HTTPS through the proxy, regardless of the firewall settings (see the default IPFire layout under Network topologies and access methods). If the green zone must also be isolated inside the proxy, the checkbox shown in the figure needs to be set.
Similarly to the previous checkbox, if the proxy is activated and used for both zones (blue and green) and you want to deny the blue network any access outside the blue address space, the corresponding checkbox needs to be set. Note that direct access to IPFire itself is still granted; to deny that as well, you have to customize the configuration manually by editing /var/ipfire/proxy/advanced/acls/include.acl.
All IP addresses that are entered here will be completely blocked by the proxy.
All MAC addresses that are entered here will be completely blocked by the proxy.
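The following squid.conf fragment is an added example, not the configuration IPFire generates, showing in standard Squid syntax how the zone options above (allowed subnets, isolating green, confining blue) and the banned IP and MAC lists map onto acl definitions and http_access rules. The addresses and MAC are constructed samples, and the names with a _dst suffix are an assumption: Squid binds one type (src, dst or arp) to each acl name, so a network that is matched as both source and destination needs two names.

```conf
# Added example in plain Squid syntax; not IPFire's generated squid.conf.
# Sample addresses and the *_dst names are constructed for illustration.

# Zones as client sources (src) and as destinations (dst)
acl IPFire_green_network     src 192.168.1.0/24
acl IPFire_blue_network      src 192.168.2.0/24
acl IPFire_green_network_dst dst 192.168.1.0/24
acl IPFire_blue_network_dst  dst 192.168.2.0/24

# Subnets allowed to use the proxy at all (the WUI subnet list);
# 10.8.0.0/24 stands in for a VPN network that is neither green nor blue
acl IPFire_networks src 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24

# Clients blocked completely (WUI: banned IP and MAC addresses)
acl IPFire_banned_ips src 192.168.2.50
acl IPFire_banned_mac arp 00:11:22:33:44:55

# http_access rules are evaluated top to bottom; the first match decides.
http_access deny IPFire_banned_ips
http_access deny IPFire_banned_mac

# "Isolate green inside the proxy": blue clients may not reach green hosts
http_access deny IPFire_blue_network IPFire_green_network_dst

# "Deny blue any access outside blue": blue clients may only reach blue
# destinations. IPFire's own blue address is inside that range, so it stays
# reachable; a further deny line in include.acl would be needed to close it.
http_access deny IPFire_blue_network !IPFire_blue_network_dst

# Everything else from the listed subnets is allowed; all others are denied
http_access allow IPFire_networks
http_access deny all
```

Two caveats apply when checking rules like these. A dst acl is matched against the IP address the requested hostname resolves to, so Squid performs a DNS lookup for it and a name that resolves differently for Squid than for the client will not be blocked as expected. An arp acl can only see the MAC of clients on the same Layer 2 segment as the proxy; a client behind a router is matched by the router's MAC, not its own. Running squid -k parse after editing reports syntax errors such as an acl name reused with a different type before the rules are loaded.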