File squid_ie_blocker.txt of Package squid

****** Using Squid to block Internet Explorer ******

After one of the many, many, many security holes in Microsoft Internet
Explorer, my company decided to completely block outgoing requests for IE (at
least, until a patch is published by MS). For this purpose, we changed our
proxy setup to be transparent and block the browser based on its user-agent
string.

As an alternative, we decided to offer the Mozilla Firefox browser to our
users. You can read more about this on my Firefox page.

Our router was a Cisco 2600, and we chose to use WCCP for transparent proxying.
You can read the router-side configuration on either of the two pages linked
from the original article. I'm no Cisco expert, so I won't go into details
here. If you don't have a Cisco but a Linux router, you can also easily do
transparent proxying. There are many howtos for that.

Squid configuration
-------------------

The Linux-side Squid configuration is covered here, however, because it seems
to be a bit outdated on both of those pages. I'm using SuSE 9.0 with the SuSE
kernel, which makes updating easier and saves a lot of configuration time :)
The kernel config (if you need your own kernel) should be sufficiently
described on the other pages I mentioned above.
The Squid configuration is fairly easy. The following is from my squid.conf
(without comments); some of the values are defaults. The important ones are the
browser acls and the http_access rules that use them, explained below the
listing.

useragent_log /var/log/squid/useragent.log # log browser id
referer_log /var/log/squid/referer.log
acl intranet src 172.16.0.0/255.255.0.0 # intranet machines
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl ie_browser browser ^Mozilla/4\.0.*compatible;.MSIE # die!!
acl bad_browser browser ^Gator # Gator is also crap!
acl windowsupdate dstdomain .windowsupdate.com # sometimes you have to live with the evil ...
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl ie_exceptions dstdomain .mycompany.at # for those who don't turn off proxy for intranet ...
acl ie_exceptions2 dst 172.16.0.0/255.255.0.0

http_access deny bad_browser
http_access allow windowsupdate
http_access allow ie_exceptions
http_access allow ie_exceptions2
http_access deny ie_browser
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow intranet
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr hostmaster@mycompany.at
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .mycompany.at
deny_info ERR_IEBROWSER ie_browser
wccp_router 172.16.0.1
ie_refresh on

The most important settings are the acls that describe the IE browser and the
corresponding http_access deny rule. After monitoring the useragent log at my
site, I also noticed Gator on a machine. Gator is spyware (probably
auto-executed by some IE bug?) and certainly has no business going out to the
Internet ... The deny_info line names the page that is shown to users of the IE
browser. Put a file named ERR_IEBROWSER into /usr/share/squid/errors/English
that contains some useful text (e.g. where to get the Firefox browser inside
your LAN). After configuring your Squid (I use 2.5.STABLE3), you can enter the
proxy in your IE and it should not allow you to surf to any sites except the
windowsupdate site and hosts whose names end with "mycompany.at".
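To see how Squid's first-match http_access evaluation treats the acls above, here is an added example (not code from the original page): a small Python model of the browser, src/dst and dstdomain acls with the page's rule order, run against constructed User-Agent strings. Squid 2.5 semantics are assumed as commented; the port, CONNECT and manager lines are left out.

```python
import re
from ipaddress import ip_address, ip_network

# Subset of the ACLs from the squid.conf above. Assumed squid 2.5 semantics:
# 'browser' is a regex search on User-Agent, 'src'/'dst' match an address
# against a network, 'dstdomain .x' matches x and every subdomain of x.
IE_RE = re.compile(r"^Mozilla/4\.0.*compatible;.MSIE")
GATOR_RE = re.compile(r"^Gator")
INTRANET = ip_network("172.16.0.0/16")
WINDOWSUPDATE = (".windowsupdate.com", ".windowsupdate.microsoft.com")
COMPANY = (".mycompany.at",)

# Constructed sample User-Agent strings (not taken from the page's logs).
IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7) Gecko/20040616 Firefox/0.9"
GATOR_UA = "Gator/7.0"

def dstdomain(host, suffixes):
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)

def acls(req):
    """Evaluate every named ACL for one request -> {acl name: matched?}."""
    dst_ip = req.get("dst_ip")  # only known once squid has resolved the host
    return {
        "bad_browser": GATOR_RE.search(req["ua"]) is not None,
        "windowsupdate": dstdomain(req["host"], WINDOWSUPDATE),
        "ie_exceptions": dstdomain(req["host"], COMPANY),
        "ie_exceptions2": dst_ip is not None and ip_address(dst_ip) in INTRANET,
        "ie_browser": IE_RE.search(req["ua"]) is not None,
        "intranet": ip_address(req["src"]) in INTRANET,
        "all": True,
    }

# http_access lines in the page's order; the first line whose ACLs all match
# decides, so 'deny bad_browser' beats 'allow windowsupdate' for Gator.
HTTP_ACCESS = [
    ("deny", ["bad_browser"]),
    ("allow", ["windowsupdate"]),
    ("allow", ["ie_exceptions"]),
    ("allow", ["ie_exceptions2"]),
    ("deny", ["ie_browser"]),
    ("allow", ["intranet"]),
    ("deny", ["all"]),
]

def decide(req):
    """Return 'allow' or 'deny' for a request dict; first matching line wins."""
    flags = acls(req)
    for action, names in HTTP_ACCESS:
        if all(flags[n] for n in names):
            return action
    return "deny"
```

Because the windowsupdate and exception allow lines sit above the Safe_ports and CONNECT denies in the page's config, first-match evaluation lets those destinations through on any port; placing them below the port checks keeps the port restrictions intact. The match is purely on the User-Agent header, so the useragent_log remains the place to watch for clients that do not send the expected string.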

Transparent proxy with Cisco WCCP
--------------------------------

The next thing to do is to get the ip_wccp module. I downloaded it from the
Squid homepage. Before compiling it, you must configure your kernel properly.
Install the appropriate kernel-source package for your distro and do the
following:

cd /usr/src/linux
make cloneconfig
make dep

Then compile the ip_wccp module using the following command:

gcc -D__KERNEL__ -I/lib/modules/`uname -r`/build/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -mcpu=i386 -DCPU=386 -DMODULE -DMODVERSIONS -include /usr/src/linux/include/linux/modversions.h -c ip_wccp.c

Then copy it to your /lib/modules/`uname -r`/misc directory, run depmod -a and
modprobe ip_wccp. To automatically load it on every boot, edit your
/etc/init.d/boot.local (or equivalent) and insert the modprobe command there.

Final steps - local routing
---------------------------

The next step is a simple iptables command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Port 3128 is the port on which your Squid proxy listens. Put this in some init
script that is executed after network start (possibly as a custom firewall
rule if you are using some kind of firewall).
From now on, the worst of all browsers should no longer harm the Internet - at
least not from your network :)

Feedback is welcome. Write to articles[at]gaugusch.at

Updated: 2004-06-25

Source: http://gaugusch.at/squid.shtml