[WEB4LIB] Re: Using Linux with Squid and IPFWADM

Josh Kuperman sar_kuper at sals.edu
Fri Dec 18 16:34:03 EST 1998


Mike,

I have a ways to go to get all of the ipfwadm working as I want it, but
with your suggestion configuring Squid was a snap.

This works even more easily than your suggestion. I installed squid.novm
when I installed RedHat Linux 5.2. There is an option that lets you select
any URL matching a regular expression. So instead of your suggestion below
I was able to just do the following.

# create an acl (access control list) called mail and 
# match every url with the word mail
acl mail url_regex mail
# deny access to every destination on the list
# of course it doesn't actually check the URL until a request 
# is made to go to that URL.
http_access deny mail


Then I configured Netscape to use my proxy server and all the mail sites I
know of, www.hotmail.com, mail.yahoo.com, etc. were blocked. Of course
there are probably some sites that offer mail but don't have the word
'mail' in their URL. And there are probably tons of URLs containing the word
'mail' that aren't e-mail offering sites. But this certainly works fairly
easily.

At 12:06 PM 11/30/98 -0800, Michael Tibor wrote:
>On Mon, 30 Nov 1998 Josh Kuperman <sar_kuper at sals.edu> wrote:
>
>> I am curious if anyone has done any of the following:
>> 
>> 1. Installed Squid as a proxy server for Linux to 
>>    block sites that provide:
>>    a. chat
>>    b. mail
>>    c. gaming
>
>Not those specifically, but we're blocking access to one site for all
>our public machines except for one to comply with a license agreement. 
>The configuration details are the same as for what you want to do. 
>
>>    from some machines and not others. I have managed
>>    to install Squid in testing mode, but I'm a little
>>    at sea about the configuration file.
>
>The following should do what you want, although I'm sure you'll want
>to expand on it a bit:
>
># This line defines which machines are allowed open access
># Format is "acl <aclname> <src or dst> ip1 ip2 ip3 ..."
># In this case I've listed sallib.sals.edu as having open access
>acl openaccess src 198.175.242.1
>
># This line defines which sites to block
>acl blockedsites dstdomain hotmail.com rocketmail.com
>
># This line does the same thing as the above line, but
># prevents people from typing in the ip address in the
># browser to bypass your filter
>acl blockedsitesip dst 207.82.252.251 205.180.57.0/24

As far as I can tell the version I'm using will not let someone get around
a domain by using a numeric IP.

>
># The following two lines actually do the work
>http_access deny blockedsites !openaccess
>http_access deny blockedsitesip !openaccess
>
>
>Browse through the squid.conf file (it's pretty well commented) or see
>the following sites for more details:
>http://cache.is.co.za/squid/
>http://squid.nlanr.net/Squid/FAQ/FAQ.html


--
Josh Kuperman        Saratoga Springs Public Library
sar_kuper at sals.edu   49 Henry St  
518.584.7860x211     Saratoga Springs, NY 12866
http://www.library.saratoga.ny.us 

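As an added example (not part of either post, and not Squid's own code), the following Python script models how Squid evaluates the four ACL types used in this thread (url_regex, dstdomain, dst, src) against http_access rules, so the trade-offs the two posts describe can be tried offline: the url_regex rule over-matches (a mailing-list page is blocked) and under-matches (a mail site without "mail" in its URL gets through), while the dstdomain rule alone does not stop a numeric-IP URL and the dst rule does. The semantics are taken from the squid.conf documentation of later (2.x/3.x) Squid releases, including the convention that a dstdomain entry matches its subdomains only when written with a leading dot; whether the 1998 versions behaved identically is an assumption. The DNS table is constructed: the two hotmail/rocketmail addresses are the ones quoted from Mike's post, everything else is a documentation-range address invented for the example.

```python
"""Toy model of Squid http_access evaluation for url_regex, dstdomain, dst
and src ACLs.  Added example, not Squid's code.  Rules are checked top to
bottom; a rule fires only when every ACL on it matches (a leading "!"
negates); the first firing rule decides; if nothing fires, the default is
the opposite of the last rule's action (as squid.conf documents)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline.  The hotmail and
# rocketmail addresses come from Mike's post; the rest are documentation-range
# addresses invented for this example.
FAKE_DNS = {
    "www.hotmail.com": "207.82.252.251",
    "www.rocketmail.com": "205.180.57.10",
    "mail.yahoo.com": "192.0.2.25",
    "www.example.com": "192.0.2.80",
    "post.example.org": "198.51.100.25",   # hypothetical mail site, no "mail" in the URL
}


def resolve(host):
    """Destination IP for a host, or None if the (fake) DNS has no answer."""
    try:
        return str(ipaddress.ip_address(host))   # numeric host: nothing to look up
    except ValueError:
        return FAKE_DNS.get(host)


def in_any(ip, networks):
    """True when ip falls inside any of the given addresses/CIDR networks."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
               for n in networks)


def domain_matches(host, entry):
    """dstdomain: 'example.com' is that host only; '.example.com' is it and subdomains."""
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def acl_matches(acl, url, client_ip):
    kind, args = acl
    host = urlsplit(url).hostname or ""
    if kind == "src":           # the client's address
        return in_any(client_ip, args)
    if kind == "url_regex":     # regex over the whole URL; case-sensitive unless -i
        return any(re.search(pattern, url) for pattern in args)
    if kind == "dstdomain":     # the hostname as typed in the URL
        return any(domain_matches(host, d) for d in args)
    if kind == "dst":           # destination IP after resolution, so numeric URLs count
        ip = resolve(host)
        return ip is not None and in_any(ip, args)
    raise ValueError("unsupported acl type %r" % kind)


def decide(acls, rules, url, client_ip):
    """Return 'allow' or 'deny' as the http_access rules would."""
    for action, refs in rules:
        if all(acl_matches(acls[r.lstrip("!")], url, client_ip) != r.startswith("!")
               for r in refs):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


# Josh's configuration from the post above
JOSH_ACLS = {"mail": ("url_regex", ["mail"])}
JOSH_RULES = [("deny", ["mail"])]

# Mike's configuration as quoted above
MIKE_ACLS = {
    "openaccess": ("src", ["198.175.242.1"]),
    "blockedsites": ("dstdomain", ["hotmail.com", "rocketmail.com"]),
    "blockedsitesip": ("dst", ["207.82.252.251", "205.180.57.0/24"]),
}
MIKE_RULES = [("deny", ["blockedsites", "!openaccess"]),
              ("deny", ["blockedsitesip", "!openaccess"])]

if __name__ == "__main__":
    client = "192.0.2.10"   # an ordinary public machine (invented address)
    for url in ["http://www.hotmail.com/", "http://mail.yahoo.com/",
                "http://www.example.com/mailing-list", "http://post.example.org/",
                "http://207.82.252.251/"]:
        print("%-40s url_regex: %-5s  dstdomain+dst: %s" % (
            url, decide(JOSH_ACLS, JOSH_RULES, url, client),
            decide(MIKE_ACLS, MIKE_RULES, url, client)))
```

Two things the run makes visible: under the leading-dot convention, Mike's `dstdomain hotmail.com` entry does not by itself match www.hotmail.com (`.hotmail.com` would), and it is the `dst` rule that still catches it, which is the argument for keeping both rules even if one's Squid version does block numeric IPs on its own.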
