# include three specific IP addresses
acl directors src 10.0.0.14 10.0.0.28 10.0.0.31
# include all IPs from 192.168.0.0 to 192.168.0.255
acl internal src 192.168.0.0/24
# include all IPs from 192.168.0.0 to 192.168.0.255
# and all IPs from 10.0.0.0 to 10.255.255.255
acl internal src 192.168.0.0/24 10.0.0.0/8
When you have your ACL lines in place, you can put together appropriate http_access
lines. For example, you might want to use a multilayered access system so that certain users (for example, company directors) have full access, whereas others are filtered. For example:
http_access allow directors
http_access deny hotmail
http_access deny zipfiles
http_access allow internal lunchtimes
http_access deny all
Because Squid matches those lines in order, directors will have full, unfiltered access to the web. If the client IP address is not in the directors list, the two deny lines are processed so that the user cannot download .zip files or read online mail at Hotmail. After blocking those two types of requests, the allow on the fourth line allows internal users to access the web, as long as they do so only at lunch time. The last line (which is highly recommended) blocks all other users from the proxy.
► http://www.squid-cache.org/ — The home page of the Squid Web Proxy Cache.
► http://www.deckle.co.za/squid-users-guide/Main_Page — The home page of Squid: A User's Guide, a free online book about Squid.
► http://www.faqs.org/docs/securing/netproxy-squid.html — A brief online guide to configuring a local Squid server.
► http://squid.visolve.com/squid/index.htm/ — The home page of a company that can provide commercial support and deployment of Squid.
► http://squid.visolve.com/squid/reverseproxy.htm — ViSolve's guide to setting up Squid to reverse proxy to cache a local web server for external visitors.
As well as these URLs, there are two excellent books on the topic of web caching. The first is Squid: The Definitive Guide (O'Reilly) by Duane Wessels, ISBN: 0-596-00162-2. The second is Web Caching (O'Reilly) also by Duane Wessels, ISBN: 1-56592-536-X.
Of the two, the former is more practical and covers the Squid server in depth. The latter is more theoretical, discussing how caching is implemented. Wessels is one of the leading developers on Squid, so both books are of impeccable technical accuracy.
Computers on a network need to be useful, which means you need to be able to identify each computer so that you can connect to and communicate with it. Most of today's networks use the Internet Protocol (IP), so each computer on this network has a unique IP address to identify it.
An IP address is a very large 32-bit number, but there is a shortcut method of displaying that number called the dotted-quad address. The dotted-quad form of the address is made of four 8-bit numbers separated by dots. For example, a computer with the address 3232250992 has the dotted-quad form 192.168.60.112. It's easier to use and remember the dotted-quad form of an IP address, but even then remembering a lot of numbers becomes quite difficult. The domain name system (DNS) enables you to allocate hostnames that are much easier to remember to these IP addresses. These names, such as fedoraproject.org, are translated by DNS into the dotted-quad IP address, saving time — and memory!
This translation process is called name resolution and is performed by software known as a resolver. For the average user, local configuration involves the DNS client, which queries a remote DNS server to exchange information. The DNS servers are typically maintained by Internet service providers (ISPs) and large corporate networks, although anyone can configure and run his own DNS server. All computers on networks need to have a properly configured DNS client.
This chapter introduces DNS concepts and practice using Berkeley Internet Name Domain (BIND), the de facto standard DNS software for UNIX. In this chapter, you learn some of the concepts that are basic to DNS and its functions, including how DNS structure information is stored, how DNS serves name information to users, and how name resolution actually works. You learn how to use BIND to configure nameservers and how to provide DNS for a domain. This chapter also teaches you some important techniques for keeping DNS functions secure, as well as some of the most important troubleshooting techniques for tracking down potential problems related to your DNS functions.
If you are not going to be a DNS administrator, much of the information in this chapter will be of no practical use to you. That said, the knowledge of DNS that you can gain in this chapter might help you understand DNS problems that occur — so you will realize that it is not your computer that is broken! You will also see how, after you register a domain name, you can obtain third-party DNS service so that you do not have to maintain a DNS server. Also, the commonly used DNS-related tools are explained with a focus on how they can be used to troubleshoot domain name resolution problems that you're likely to encounter.
DNS is essential for many types of network operations, and especially so when your network provides connectivity to the outside world via the Internet. DNS was designed to make the assignment and translation of hostnames fast and reliable and to provide a consistent, portable namespace for network resources. Its database is maintained in a distributed fashion to accommodate its size and the need for frequent updates. Performance and bandwidth utilization are improved by the extensive use of local caches. Authority over portions of the database is delegated to people who are able and willing to maintain the database in a timely manner, so updates are no longer constrained by the schedules of a central authority.
DNS is a simple — but easily misconfigured — system. Hostname resolution errors might manifest themselves in ways that are far from obvious, long after the changes that caused the errors were made. Such naming errors can lead to unacceptable and embarrassing service disruptions.
An understanding of the concepts and processes involved in working with BIND will help to make sure that your experiences as a DNS manager are pleasant ones.
Configuring DNS for Clients
Later in the chapter, we focus on setup and configuration to provide DNS. This section briefly examines the setup and configuration required for a computer to use DNS services. The important user setup and configuration processes for DNS are likely to have been accomplished during the initial installation of Fedora. After the initial installation, further DNS configuration can be accomplished by one or more of these methods:
► Using Dynamic Host Configuration Protocol (DHCP), in which case some system settings are updated by the dhclient command without intervention by a local or remote administrator or user
► Using the system-config-network GUI configuration tool
► Manually editing the system's /etc/host.conf configuration file to specify the methods and order of name resolution
► Manually editing the system's /etc/nsswitch.conf configuration file to specify the methods and order of name resolution
► Manually editing the system's /etc/hosts file, which lists specific hostnames and IP addresses