
Re: IPCHAINS Implementation



Dear Amber,

Thanks for writing back.  I have got the concept very clear now, and for
others here are some clear-cut examples that I had come across in
squid.conf:

acl blockedsites url_regex "/etc/squid/block.txt" 
acl unblockedsites url_regex "/etc/squid/unblock.txt" 
http_access deny blockedsites 
http_access allow unblockedsites all 

In /etc/squid/block.txt give one site per line, and the same in the
unblock.txt file.

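acl workinghours time MTWHF 8:00-18:00 
# defining the working hours; Squid's time ACL takes one letter per day
# (M T W H F = Monday to Friday), not a range such as M-F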

acl sexsitez url_regex //[^/]*sex 
# any url which has "sex" in the host part 

acl eviluser user abcde
# block employee who is always surfing instead of work... 
# don't forget to set ident_lookup on earlier in the config file 

acl blockedsitez src 207.68.0.0/255.255.0.0 
acl myfriend src 207.68.222.222/255.255.255.255 

# there is a range of sites which is blocked from the cache, 
# but in this range we have a friend, who is not 

To build up the rules:

http_access deny sexsitez workinghours 
#sex sites in working hours 

http_access deny blockedsitez !myfriend 
#the blocked range of sites. Only exception is our friend 


This should make things more clear.  For the rest, do the R&D yourself.

With Regards

George Joseph T

-----------------------------------------------------------
On Mon, 22 Jan 2001, Ambar Roy wrote:

> Hi George,
>     Basically you set up one acl for every site/destination set that you
> might like to block, then you have to block each of those acls in separate
> http_deny lines (if I remember correctly). Right now I don't use squid over
> here, and I deleted the old conf files, but basically it was something like
> this:
> 
> acl <acl name and definition here>
> http_deny <aclname>
> 
> I used this mainly to block ad servers, and it was quite effective.
> For the syntax of the acl statement, see the squid.conf file for samples.
> 
> Bye,
>     /\ |\/| |3 /\ r
> 
> > One more query.  In squid.conf file which parameter is used to block
> > unwanted sites.  Do we need to create separate ACLs (Access Control Lists)
> > for each site?  Please put some light on this and if possible give some
> > examples too.
> > > Also note that in case you just want to block web access, then it is
> > > better to set up transparent proxying with squid, and then letting squid
> > > do the filtering. With squid you can set up simple rules for access
> > > blocking, with ipchains, it is really difficult to block anything
> > > effectively. ipchains is better suited for protecting your internal
> > > network, and disallowing access to ppl from the internal network. Let's
> > > say you want to block all yahoo sites. With squid, you just set up a rule
> > > for destination domain yahoo.com, and then block it. With ipchains, you
> > > will surely go mad (yahoo seems to have hundreds of ip addresses!!!!) My
> > > experience has been real good with squid. (especially for things like
> > > banner ads, which choke up my net connections, squid works real nice..
> > > just disable doubleclick.net, imgis.com, flycast.com, ads.*, ad.*,
> > > /banner/*, /adserve* and you will see that all the users are really
> > > happy...)
> > >
> > > Bye,
> > >     /\ |\/| |3 /\ r
> > > > The best option to achieve this without any major configuration
> > > > changes is the implementation of ipchains.
> > > >
> > > > I have a very simple but good article on ipchains attached with this
> > > > mail. Which will be enough for you to configure what you require.
> > > > > Dear All,
> > > > >
> > > > > We are using LINUX server for last 7 months and with great
> > > > > results in Deepalaya. The process of communication and
> > > > > documentation has become very effective for all Deepalaya
> > > > > units all over Delhi. Now we are facing a problem. We have
> > > > > to set up firewall at the minimum level. Like we want to
> > > > > block some sites. Can anyone tell us how to do it. Please
> > > > > tell us the easiest way so that we...with our moderate
> > > > > knowledge on Linux can do it. We know that firewall can be
> > > > > established at various levels. But we want to only block
> > > > > some sites.
> > >
> > >
> > >
> > > ------------------------------------------------
> > > The mailing list archives are available at
> > > http://lists.linux-india.org/cgi-bin/wilma/linux-delhi
> > >
> >
> >
>
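
The rule matching used in the squid.conf examples at the top of this message, as an added sketch that is not part of the original thread and not Squid's own code: a small Python model of how http_access lines are evaluated (ACLs on one line are ANDed, "!" negates one ACL, the first matching line wins, and when no line matches the opposite of the last line applies). The sample requests, client addresses and .test host names are constructed, and the working-hours ACL is the one-letter-per-day form (MTWHF).

```python
import ipaddress
import re
from datetime import datetime

def in_net(ip, net):
    # Squid's addr/netmask notation is accepted by ip_network as well
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def working_hours(when):
    # MTWHF 8:00-18:00, both ends taken as inclusive in this model
    minutes = when.hour * 60 + when.minute
    return when.weekday() < 5 and 8 * 60 <= minutes <= 18 * 60

# ACLs from the message above, each modelled as a predicate on a request
ACLS = {
    "sexsitez": lambda r: re.search(r"//[^/]*sex", r["url"]) is not None,
    "workinghours": lambda r: working_hours(r["when"]),
    "blockedsitez": lambda r: in_net(r["src"], "207.68.0.0/255.255.0.0"),
    "myfriend": lambda r: in_net(r["src"], "207.68.222.222/255.255.255.255"),
}

RULES = """
http_access deny sexsitez workinghours
http_access deny blockedsitez !myfriend
"""

def decide(url, when, src):
    request = {"url": url, "when": when, "src": src}
    action = None
    for line in RULES.strip().splitlines():
        _, action, *terms = line.split()
        # all ACLs on a line must match (AND); a leading "!" inverts one ACL
        if all(ACLS[t.lstrip("!")](request) != t.startswith("!") for t in terms):
            return action  # first matching line wins
    # nothing matched: Squid applies the opposite of the last line's action
    return "allow" if action == "deny" else "deny"

if __name__ == "__main__":
    tue = datetime(2001, 1, 23, 10, 0)   # constructed: a Tuesday morning
    sat = datetime(2001, 1, 27, 10, 0)   # constructed: a Saturday morning
    for args in [("http://www.sexexample.test/", tue, "10.0.0.5"),
                 ("http://www.sexexample.test/", sat, "10.0.0.5"),
                 ("http://example.test/sex.html", tue, "10.0.0.5"),
                 ("http://example.test/", tue, "207.68.1.1"),
                 ("http://example.test/", tue, "207.68.222.222")]:
        print(decide(*args), args[0], args[2])
```

Because both lines are deny rules, any request that matches neither is allowed; adding an explicit final http_access line makes that default visible in the config instead of implied.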