On Thu, 19 Aug 2004, Merton Campbell Crockett wrote:
Perhaps it would be clearer and simpler to write this as two access rules.
http_access deny !KIOSK.dstdomain http_access allow KIOSK
No, this won't work either as this restricts all users to the KIOSK.dstdomain destinations, not only the KIOSK users.
At the end of each rule set there is an implicit deny all. This may not be entirely accurate. I recall Duane Wessels mentioning somewhere that the implied last rule is the inverse of the last explicit rule. Based on the above example, the implicit rule would be the following.
http_access deny !KIOSK
It is strongly recommended to always have an explicit "http_access deny all" at the end.
Relying on the implicit inverse rule when there is no matching rule can be confusing.
Regards Henrik
