Using Linux with Squid and IPFWADM

Michael Tibor tibor at lib.uaa.alaska.edu
Mon Nov 30 14:59:31 EST 1998


On Mon, 30 Nov 1998 Josh Kuperman <sar_kuper at sals.edu> wrote:

> I am curious if anyone has done any of the following:
> 
> 1. Installed Squid as a proxy server for Linux to 
>    block sites that provide:
>    a. chat
>    b. mail
>    c. gaming

Not those specifically, but we're blocking access to one site for all
our public machines except for one to comply with a license agreement. 
The configuration details are the same as for what you want to do. 

>    from some machines and not others. I have managed
>    to install Squid in testing mode, but I'm a little
>    at sea about the configuration file.

The following should do what you want, although I'm sure you'll want
to expand on it a bit:

# This line defines which machines are allowed open access
# Format is "acl <aclname> <src or dst> ip1 ip2 ip3 ..."
# In this case I've listed sallib.sals.edu as having open access
acl openaccess src 198.175.242.1

# This line defines which sites to block
acl blockedsites dstdomain hotmail.com rocketmail.com

# This line does the same thing as the above line, but
# prevents people from typing in the ip address in the
# browser to bypass your filter
acl blockedsitesip dst 207.82.252.251 205.180.57.0/24

# The following two lines actually do the work
http_access deny blockedsites !openaccess
http_access deny blockedsitesip !openaccess


Browse through the squid.conf file (it's pretty well commented) or see
the following sites for more details:
http://cache.is.co.za/squid/
http://squid.nlanr.net/Squid/FAQ/FAQ.html


> 2. Allow different services from different machines.
>    For example allow only ports 23 and 80 to be used
>    for connections on some and only port 80 on others. 

You'll have to set this up at the router.  If the Linux box is the
router then you can do this: 

/sbin/ipfwadm -I -a accept -P tcp -S 198.175.242.1 -D 0.0.0.0/0 23
/sbin/ipfwadm -I -a reject -P tcp -S 198.175.242.0/24 -D 0.0.0.0/0 23

The first line checks to see if the machine is sallib.sals.edu (our
arbitrarily picked open access machine as mentioned above) and allows
telnet access to the outside world.

The second line denies telnet access from everything else on that
subnet to the outside world.

Do a "man ipfwadm" for more details here.

> 3. Found a reliable way to keep track of what sites
>    offer interactive services as in 1 above.

Not really. :-)   That's the problem with blocking access to stuff:
you constantly have to keep on top of what you want to block access
to.

Mike
-- 
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
LAN Technician     Consortium Library             (907) 786-6050 fax
tibor at lib.uaa.alaska.edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
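The http_access rules quoted in the post, run through an added toy evaluator (my code, not the poster's configuration or anything from Squid) so the precedence can be checked by hand. It assumes Squid's documented semantics: every ACL on a line must match ('!' negates), the first matching line wins, and an unmatched request gets the opposite of the last line's action; dstdomain is treated as a suffix match and no DNS is done, so a dst ACL only fires when the browser asks for the site by literal IP address.

```python
# Added example, not the poster's config or Squid's own code: a toy evaluator for
# the http_access semantics the post's rules rely on (src, dst, dstdomain only).
import ipaddress

# Constructed copy of the post's rules (addresses exactly as posted).
SQUID_CONF = """
acl openaccess src 198.175.242.1
acl blockedsites dstdomain hotmail.com rocketmail.com
acl blockedsitesip dst 207.82.252.251 205.180.57.0/24
http_access deny blockedsites !openaccess
http_access deny blockedsitesip !openaccess
"""

def parse(conf):
    acls, rules = {}, []  # {aclname: (type, [values])}, [(action, [terms])]
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "acl":  # repeated acl lines with one name accumulate
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def in_networks(addr, networks):
    # No DNS in this toy: a hostname never matches, only a literal IP does.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def acl_matches(kind, values, client_ip, dest_host):
    if kind == "src":
        return in_networks(client_ip, values)
    if kind == "dst":
        return in_networks(dest_host, values)
    if kind == "dstdomain":  # suffix match; exact rules vary by Squid version
        return any(dest_host == v or dest_host.endswith("." + v) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(conf, client_ip, dest_host):
    # First line whose ACLs all match ('!' negates) decides; if none matches,
    # Squid applies the opposite of the last line's action.
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], client_ip, dest_host)
               != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

The third case below is the one the post's second deny line exists for: a non-exempt machine asking for a blocked site by IP slips past the dstdomain rule and is only caught by the dst rule.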
