Hi,
I am using SQUID-2.5-Stable5-1 and have a requirement to deny some of my clients access to the net.
Despite having all these rules set, banned clients still manage to use the internet.
Code:
acl localnet src 192.168.0.39
acl localnet src 192.168.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl PURGE method PURGE
acl special_client src 192.168.0.34, 192.168.0.24, 192.168.0.13
acl special_url url_regex ^http://evisaforms.state.gov/$
acl spammers url_regex "/etc/squid/sa-blacklist.current.domains"
acl badURL urlpath_regex -i \.zip$\.exe$\.scr$\.pif$\.com$\.bat$\.vbs$\.msi$\.dl$\.mid$\.midi$\.mpga$\ .mp2R\.mp3$\.fli$\.gl$\.mpe$\.mpeg$\.mpg$\.qt$\.mov$\.avi$\.movie$\.wav$\ .au$\.asf$\.af$\.asx$\.wax$\.m3u$\.wpl$\.wvx$\.wmx$\.rmi$\.m1v$\.snd$\.aif$\ .aiff$\.rmx$\.rmj$\.rms$\.mnd$\.mns$\.lqt$\.ram$\.$audio\.mpa$\.qt$\.lqt$\.ez$\ .hqx$\.cpt$\.dot$\.wrd$\.bin$\.dms$\.lha$\.lzh$\.ace$\.rar$\r00$\.r01$\.wp5$\.wk$\ .wz$\.vcd$\.bz2$\.deb$\.dvi$\.asx$\.kar$
acl denyURL url_regex -i "/etc/squid/denyURL.acl"
acl all src 0.0.0.0/0.0.0.0
# Filters!
#acl AllowURL url_regex "/etc/squid/AllowURL.acl"
#http_access allow AllowURL
http_access deny localnet
http_access deny badURL
http_access allow special_client special_url
http_access allow authenticated
http_access allow localnet
http_access allow localhost
http_access allow PURGE localhost
http_access deny special_url
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT
http_access deny PURGE
http_access deny all spammers
http_access deny all

Here's what cache.log shows:
2004/09/01 10:54:53| The reply for GET http://us.a1.yimg.com/us.yimg.com/a/...lexus_logo.gif is ALLOWED, because it matched 'all'
2004/09/01 10:54:53| The reply for GET http://img-cdn.mediaplex.com/ads/139...ner_728x90.gif is ALLOWED, because it matched 'all'
2004/09/01 10:54:53| The request GET http://adfarm.mediaplex.com/ad/tr/13...94007416670723 is ALLOWED, because it matched 'localnet'
2004/09/01 10:54:53| The reply for GET http://adfarm.mediaplex.com/ad/tr/13...94007416670723 is ALLOWED, because it matched 'all'
In case you have any comments or suggestions on why this configuration doesn't work despite being arranged as suggested, your comments and ideas would be greatly appreciated.
Regards,
--david
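
An added example, not part of the original post: a small Python lint for a squid.conf that reports `http_access` rules naming an ACL that is never defined, and rules that can never decide a request because an earlier rule whose ACL list is a subset of theirs always matches first (Squid evaluates `http_access` top-down and stops at the first matching rule). The function name and the shortened sample config are constructed for illustration.

```python
# Constructed sample: a shortened copy of the rule section posted above.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl PURGE method PURGE
acl all src 0.0.0.0/0.0.0.0
http_access deny localnet
http_access allow authenticated
http_access allow localnet
http_access allow localhost
http_access allow PURGE localhost
http_access deny all
"""


def lint_http_access(conf_text):
    """Return (undefined, shadowed) findings for a squid.conf text.

    undefined: [(line_no, acl_name)] for http_access terms with no 'acl' line.
    shadowed:  [(line_no, earlier_line_no)] for rules that never get a turn.
    """
    defined, rules = set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) >= 3 and parts[0] == "acl":
            defined.add(parts[1])
        elif len(parts) >= 3 and parts[0] == "http_access":
            # Terms on one rule are ANDed; '!name' negates an ACL.
            rules.append((lineno, parts[1], frozenset(parts[2:])))

    undefined = [(ln, term.lstrip("!"))
                 for ln, _action, terms in rules
                 for term in sorted(terms)
                 if term.lstrip("!") not in defined]

    shadowed = []
    for i, (ln, _action, terms) in enumerate(rules):
        for prev_ln, _prev_action, prev_terms in rules[:i]:
            # An earlier rule with a subset of these terms matches every
            # request this rule would match, so first-match stops there.
            if prev_terms <= terms:
                shadowed.append((ln, prev_ln))
                break
    return undefined, shadowed


if __name__ == "__main__":
    undefined, shadowed = lint_http_access(SAMPLE_CONF)
    for ln, name in undefined:
        print(f"line {ln}: ACL '{name}' is used but never defined")
    for ln, prev in shadowed:
        print(f"line {ln}: never reached, line {prev} always matches first")
```

The subset test is syntactic only: it does not catch rules made unreachable by overlapping address ranges or by a broad ACL such as `all`.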