RE: [squid-users] HELP: timed based ACLs to control access to AOL instant messenger

From: Mark A Lewis <mark@dont-contact.us>
Date: Sun, 16 Mar 2003 22:32:53 -0600

I may be off here, but here is what I see.

It looks like it is using CONNECT via 443 and since there are no further
requests it doesn't drop the existing connection. Perhaps if you deny
CONNECT to the AIM/Yahoo dstdomain group and force it to use GETs
instead.

Unfortunately I don't know enough about how AIM/Yahoo work to know if
this will break them.

Perhaps restarting squid via cron when the time comes for the
restrictions to go into place.

-----Original Message-----
From: Jeff McWilliams [mailto:Jeff.McWilliams@clanmcwilliams.org]
Sent: Sunday, March 16, 2003 9:57 PM
To: squid-users@squid-cache.org
Subject: [squid-users] HELP: timed based ACLs to control access to AOL instant messenger

Hi,

I have a 13 year old daughter who's a social butterfly, and tends to
spend a lot of time chatting with her friends via AOL instant messenger,
often to the exclusion of other, more important things.

What I've been trying to do is enforce our limited-time chatting policy
with networking tools like squid.

I have a Linux based firewall between my home LAN and the cablemodem,
with default DENY policies. http and https traffic is only passed if it
comes from the proxy server.

All the browsers on the home LAN are configured to use the http/https
proxy server. Without it, they can't reach the internet. AOL instant
messenger client apps are also configured to use the https proxy server
to reach the internet.

My squid.conf looks like this:
(just showing the ACL lists)
------------------------

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl home src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl JeffDesktop srcdomain c975955-a.home.int
acl HeatherLaptop srcdomain hlaptop.home.int
acl HeatherDesktop srcdomain kitty.home.int
acl AIM dstdomain login.oscar.aol.com www.aim.com aimexpress.oscar.aol.com .msg.yahoo.com .yimg.com
acl weeknights time MTWH
acl sunday time S 21:00-23:59
acl friday time F 00:00-16:00
acl purge method PURGE
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#
http_access deny JeffDesktop AIM weeknights
http_access deny JeffDesktop AIM sunday
http_access deny JeffDesktop AIM friday
http_access deny HeatherLaptop AIM weeknights
http_access deny HeatherLaptop AIM sunday
http_access deny HeatherLaptop AIM friday
http_access deny HeatherDesktop AIM weeknights
http_access deny HeatherDesktop AIM sunday
http_access deny HeatherDesktop AIM friday
http_access allow home
http_access allow localhost
http_access deny all

-----------------------------------------------
Yes, I know my restrictions are somewhat IP Address specific.
My daughter isn't smart enough to override the DHCP assigned IP address
on her PC. DHCPd is configured to give IP addresses based on MAC
address, so her desktop and her P75 laptop always get the same IP
Address.

If an AOL IM connection is attempted, say, during a weekday, squid
denies it like it should. The access log shows something such as:

1047872990.743 18 192.168.1.41 TCP_DENIED/403 1007 CONNECT login.oscar.aol.com:443 - NONE/- -

Where I'm having trouble is when the clock rolls over from an allowed
chat time, to a non-allowed chat time. It seems that once AOL Instant
Messenger makes a successful connection, it can retain that connection
forever. If I disconnect AOL IM, and try to reconnect, then it will
fail, but as long as the client connected before time "expired", it can
continue to operate after time has expired.

The access.log doesn't show continual traffic when AOL IM is in use, it
shows something like this:

1047873431.799 196 127.0.0.1 TCP_MISS/200 507 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -
1047873432.635 136 127.0.0.1 TCP_MISS/200 49 CONNECT 64.12.201.36:443 - DIRECT/64.12.201.36 -

followed by little other traffic (except banner ad stuff).

Are these persistent connections that are being made? I tried adding:

client_persistent_connections off
server_persistent_connections off

to squid.conf without any effect.
I'm using Squid 2.4.STABLE1

Any suggestions? Should I be looking for some other tool or am I missing
some other configuration parameter that would help me here? I'm more
than willing to grab the latest distribution and compile if there is
something in it that would help me.

Many thanks,

Jeff McWilliams

-------------------------------------------------------------------
Jeff McWilliams - Jeff.McWilliams@clanmcwilliams.org
"The minstrel boy, to the war has gone
 In the ranks of death you will find him." .. Thomas Moore
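The exchange above turns on one point: a CONNECT tunnel that was allowed when it was opened keeps running after the time ACL would deny it, and nothing new shows up in access.log while it is up. Squid writes the CONNECT line only when the tunnel closes, with the elapsed field holding the tunnel's lifetime, so the log can at least show, after the fact, which tunnels escaped the window. The script below is an added example written for this thread, not code from either poster or from the Squid project: it parses the native access.log format quoted in the mail, evaluates the three `time` ACLs and the AIM `dstdomain` list from the posted squid.conf, and flags established tunnels to those hosts that were opened while allowed and were still open once a denied window began. The proxy's local timezone (UTC-6), the two long-lived log lines and the domain-matching shortcut (no reverse lookup for a bare IP such as the thread's `64.12.201.36:443`) are assumptions of the example.

```python
# Added example for this thread, not code from the posters or from Squid.
import re
from datetime import datetime, timedelta, timezone

# Day letters of Squid's `time` ACL: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat,
# mapped to Python weekday() numbers (Monday=0 ... Sunday=6).
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Squid evaluates `time` ACLs on the proxy's local clock, while access.log
# timestamps are UTC epoch seconds.  UTC-6 is an assumption of this example.
PROXY_TZ = timezone(timedelta(hours=-6))

# Native log format: time elapsed client code/status bytes method URL ident hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_time_acl(spec):
    """Parse the argument of `acl NAME time SPEC` ('MTWH', 'S 21:00-23:59', ...).
    Returns (weekdays, first_minute, last_minute); minutes of day, inclusive."""
    days, first, last = set(), 0, 23 * 60 + 59
    for tok in spec.split():
        if "-" in tok:
            lo, hi = tok.split("-")
            h1, m1 = (int(x) for x in lo.split(":"))
            h2, m2 = (int(x) for x in hi.split(":"))
            first, last = h1 * 60 + m1, h2 * 60 + m2
        else:
            days.update(DAY_LETTERS[c] for c in tok)
    return (days or set(range(7))), first, last  # no day letters = every day


def time_acl_matches(acl, when):
    days, first, last = acl
    return when.weekday() in days and first <= when.hour * 60 + when.minute <= last


def parse_log_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dstdomain_matches(host, domains):
    """Exact match for 'a.b.c', suffix match for '.b.c'.  A bare IP in the
    CONNECT URL matches nothing here (Squid's reverse lookup is not modelled)."""
    for d in domains:
        if d.startswith(".") and (host == d[1:] or host.endswith(d)):
            return True
        if host == d:
            return True
    return False


def tunnel_report(entry, deny_acls, tz=PROXY_TZ):
    """Squid logs a CONNECT when the tunnel closes, so `elapsed` is the tunnel's
    lifetime in ms.  Report whether it began inside a denied window, and whether
    it began allowed but was still open once a denied window started."""
    start = datetime.fromtimestamp(float(entry["ts"]), tz)
    end = start + timedelta(milliseconds=int(entry["elapsed"]))
    started_denied = any(time_acl_matches(a, start) for a in deny_acls)
    denied_at, t = None, start
    while t < end:  # walk the lifetime a minute at a time, ending exactly at `end`
        t = min(t + timedelta(minutes=1), end)
        if any(time_acl_matches(a, t) for a in deny_acls):
            denied_at = t
            break
    return {"client": entry["client"], "url": entry["url"],
            "started_denied": started_denied,
            "outlived_into_deny": not started_denied and denied_at is not None,
            "first_denied_minute": denied_at}


def find_outlived_tunnels(log_lines, deny_specs, domains, tz=PROXY_TZ):
    """Established (status 200) CONNECT tunnels to `domains` that were opened
    while allowed and stayed up into a window covered by one of `deny_specs`."""
    deny_acls = [parse_time_acl(s) for s in deny_specs]
    hits = []
    for line in log_lines:
        e = parse_log_line(line)
        if not e or e["method"] != "CONNECT" or e["status"] != "200":
            continue
        if not dstdomain_matches(e["url"].rsplit(":", 1)[0], domains):
            continue
        r = tunnel_report(e, deny_acls, tz)
        if r["outlived_into_deny"]:
            hits.append(r)
    return hits


# The three `time` ACLs and the AIM dstdomain list from the posted squid.conf.
DENY_SPECS = ["MTWH", "S 21:00-23:59", "F 00:00-16:00"]
AIM_DOMAINS = ["login.oscar.aol.com", "www.aim.com", "aimexpress.oscar.aol.com",
               ".msg.yahoo.com", ".yimg.com"]

SAMPLE_LOG = [
    # the two TCP_MISS lines and the TCP_DENIED line quoted in the thread
    "1047873431.799 196 127.0.0.1 TCP_MISS/200 507 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -",
    "1047873432.635 136 127.0.0.1 TCP_MISS/200 49 CONNECT 64.12.201.36:443 - DIRECT/64.12.201.36 -",
    "1047872990.743 18 192.168.1.41 TCP_DENIED/403 1007 CONNECT login.oscar.aol.com:443 - NONE/- -",
    # constructed: tunnel opened Sunday 20:30 local (UTC-6), held two hours, past the 21:00 cutoff
    "1047868200.000 7200000 192.168.1.41 TCP_MISS/200 5120 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -",
    # constructed: tunnel opened Friday 17:00 local, after the friday window ends, held one hour
    "1047682800.000 3600000 192.168.1.41 TCP_MISS/200 4096 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -",
]

if __name__ == "__main__":
    for hit in find_outlived_tunnels(SAMPLE_LOG, DENY_SPECS, AIM_DOMAINS):
        print(hit["client"], hit["url"], "still open at", hit["first_denied_minute"])
```

Run against the sample, only the constructed Sunday tunnel is reported (open from 20:30, still up at 21:00). The thread's own 21:57 tunnel from 127.0.0.1 started inside the `sunday` window and is reported as `started_denied` instead, which is consistent with the posted rules: the deny lines match only the three `srcdomain` ACLs, so `allow localhost` lets it through. Because the report is written when a tunnel closes, this audits the gap rather than closing it; the cron restart Mark suggests is what actually tears down tunnels at the boundary.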

Received on Sun Mar 16 2003 - 21:32:08 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:05 MST