[squid-users] HELP: timed based ACLs to control access to AOL instant messenger

From: Jeff McWilliams <Jeff.McWilliams@dont-contact.us>
Date: Sun, 16 Mar 2003 22:57:22 -0500 (EST)

Hi,

I have a 13-year-old daughter who's a social butterfly and tends to spend a lot
of time chatting with her friends via AOL Instant Messenger, often to the
exclusion of other, more important things.

What I've been trying to do is enforce our limited-time chatting policy with
networking tools like squid.

I have a Linux based firewall between my home LAN and the cablemodem, with
default DENY policies. http and https traffic is only passed if it comes from
the proxy server.

All the browsers on the home LAN are configured to use the http/https proxy
server. Without it, they can't reach the internet. AOL instant messenger
client apps are also configured to use the https proxy server to reach the
internet.

My squid.conf looks like this:
(just showing the ACL lists)
------------------------

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl home src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl JeffDesktop srcdomain c975955-a.home.int
acl HeatherLaptop srcdomain hlaptop.home.int
acl HeatherDesktop srcdomain kitty.home.int
acl AIM dstdomain login.oscar.aol.com www.aim.com aimexpress.oscar.aol.com .msg.yahoo.com .yimg.com
acl weeknights time MTWH
acl sunday time S 21:00-23:59
acl friday time F 00:00-16:00
acl purge method PURGE
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#
http_access deny JeffDesktop AIM weeknights
http_access deny JeffDesktop AIM sunday
http_access deny JeffDesktop AIM friday
http_access deny HeatherLaptop AIM weeknights
http_access deny HeatherLaptop AIM sunday
http_access deny HeatherLaptop AIM friday
http_access deny HeatherDesktop AIM weeknights
http_access deny HeatherDesktop AIM sunday
http_access deny HeatherDesktop AIM friday
http_access allow home
http_access allow localhost
http_access deny all

-----------------------------------------------
Yes, I know my restrictions are somewhat IP-address specific.
My daughter isn't smart enough to override the DHCP-assigned IP address on her
PC. DHCPd is configured to give IP addresses based on MAC address, so her
desktop and her P75 laptop always get the same IP address.

If an AOL IM connection is attempted, say, during a weekday, squid denies it
like it should. The access log shows something such as:

1047872990.743 18 192.168.1.41 TCP_DENIED/403 1007 CONNECT login.oscar.aol.com:443 - NONE/- -

Where I'm having trouble is when the clock rolls over from an allowed chat time
to a non-allowed chat time. It seems that once AOL Instant Messenger makes a
successful connection, it can retain that connection forever. If I disconnect
AOL IM and try to reconnect, it will fail, but as long as the client
connected before the time "expired", it can continue to operate after the time
has expired.

The access.log doesn't show continual traffic when AOL IM is in use, it shows
something like this:

1047873431.799 196 127.0.0.1 TCP_MISS/200 507 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -
1047873432.635 136 127.0.0.1 TCP_MISS/200 49 CONNECT 64.12.201.36:443 - DIRECT/64.12.201.36 -

followed by little other traffic (except banner ad stuff).

Are these persistent connections that are being made? I tried adding:

client_persistent_connections off
server_persistent_connections off

to squid.conf without any effect.
I'm using Squid 2.4.STABLE1.

Any suggestions? Should I be looking for some other tool or am I missing some
other configuration parameter that would help me here? I'm more than willing to
grab the latest distribution and compile if there is something in it that would
help me.

Many thanks,

Jeff McWilliams

-------------------------------------------------------------------
Jeff McWilliams - Jeff.McWilliams@clanmcwilliams.org
"The minstrel boy, to the war has gone
 In the ranks of death you will find him." .. Thomas Moore
Received on Sun Mar 16 2003 - 20:57:19 MST
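As an added example (not code from the post, and not part of Squid), the Python script below applies the poster's three time ACLs and dstdomain list to Squid native access.log lines and lists AIM tunnels that were allowed when opened but would be denied if the CONNECT arrived now; it makes the point that http_access is only evaluated when the request arrives, so nothing in the log will ever show the tunnel being re-checked. It assumes the poster's clock is US Eastern Standard Time (UTC-5) and the native log field order shown above; the first sample line is constructed, the second is the TCP_DENIED line from the post.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the poster's clock is US Eastern Standard Time (UTC-5) in March 2003.
EST = timezone(timedelta(hours=-5))
# Squid day letters S M T W H F A (Sun..Sat), indexed by datetime.weekday() (Mon=0).
DAYS = "MTWHFAS"
def local_time(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=EST)
def time_acl(days, span=None):
    """Predicate for 'acl NAME time DAYS [h1:m1-h2:m2]'; no span means all day."""
    lo, hi = 0, 23 * 60 + 59
    if span:
        (h1, m1), (h2, m2) = [tuple(map(int, t.split(":"))) for t in span.split("-")]
        lo, hi = h1 * 60 + m1, h2 * 60 + m2
    return lambda dt: DAYS[dt.weekday()] in days and lo <= dt.hour * 60 + dt.minute <= hi

# Deny windows and dstdomain list from the poster's squid.conf; a leading dot also matches subdomains.
DENY_WINDOWS = [time_acl("MTWH"), time_acl("S", "21:00-23:59"), time_acl("F", "00:00-16:00")]
AIM_DOMAINS = ["login.oscar.aol.com", "www.aim.com", "aimexpress.oscar.aol.com",
               ".msg.yahoo.com", ".yimg.com"]

def is_aim_host(host):
    return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
               for d in AIM_DOMAINS)
def aim_denied_at(dt):
    """True when a fresh CONNECT to an AIM host would match a deny rule at dt."""
    return any(window(dt) for window in DENY_WINDOWS)
def parse_line(line):
    # Squid native log fields: time duration client status bytes method url ...
    f = line.split()
    return datetime.fromtimestamp(float(f[0]), EST), f[2], f[3], f[5], f[6]
def tunnels_outliving_window(lines, now):
    """AIM CONNECTs Squid allowed on arrival but would deny if made at 'now'; http_access
    is only checked when the CONNECT arrives, so these tunnels keep running regardless."""
    stale = []
    for line in lines:
        started, client, status, method, url = parse_line(line)
        host = url.rsplit(":", 1)[0]
        if method != "CONNECT" or not is_aim_host(host) or not status.endswith("/200"):
            continue
        if not aim_denied_at(started) and aim_denied_at(now):
            stale.append((client, host, started.strftime("%a %H:%M")))
    return stale

# Constructed sample: a tunnel opened Sunday 20:30 EST (allowed), then the poster's own TCP_DENIED line.
SAMPLE_LOG = [
    "1047864600.120 150 192.168.1.41 TCP_MISS/200 507 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -",
    "1047872990.743 18 192.168.1.41 TCP_DENIED/403 1007 CONNECT login.oscar.aol.com:443 - NONE/- -",
]
```

The script only reports; ending a tunnel that is already up has to happen outside Squid, at the firewall between the LAN and the cable modem, since Squid will not revisit an ACL decision it already made.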