ClarkConnect Notes

Christopher Rath

2002

Introduction

As I wrote about in my Hacking The 3Com Multi-Purpose Internet Server notes, I am using the ClarkConnect firewall Linux distribution for our home network’s firewall and file server. This page serves to capture my thoughts, experiences, and software I’ve written for our ClarkConnect server.

squidGuard Blacklists

One of the features of the ClarkConnect distribution is that squidGuard, a web-filtering package, is installed and running. By default, squidGuard is only configured to block drug related websites. For anyone who wants to make full use of squidGuard Blacklists, two steps must be taken: configuring squidGuard to use a wider range of Blacklists, and getting the server set up to automatically download Blacklist updates. This section of my ClarkConnect notes covers these two tasks.

Configuring Blacklists

The squidGuard website contains full details about how squidGuard Blacklists are configured; however, here’s my squidGuard.conf file which shows multiple lists being configured—I have configured blocking of drug, gambling, and pornographic websites plus allowed for local lists of sites to be blocked or allowed (note that the ‘redirect’ line in the ‘acl’ section is not actually split across two lines, but has been shown this way to avoid an overly wide display):

logdir /var/log/squid
dbhome /etc/squidGuard/db

dest allow_local {
  domainlist local/allow_domains
  urllist    local/allow_urls
}

dest deny_local {
  domainlist local/deny_domains
  urllist    local/deny_urls
}

dest drugs {
  domainlist drugs/domains
  urllist    drugs/urls
}

dest gambling {
  domainlist gambling/domains
  urllist    gambling/urls
}

dest porn {
  domainlist porn/domains
  urllist    porn/urls
}

acl {
  default {
    pass allow_local !deny_local !gambling !porn !drugs all
    redirect http://192.168.1.1/cgi-bin/squidGuard.cgi?clientaddr=%a
&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
  }
}

It is important to note that each of the files referred to in the squidGuard.conf file must exist. If you attempt to use my .conf file you must manually create the local directory and the files my .conf file assumes exist there. The following command may be used to create the directory and empty files (run as root):

cd /etc/squidGuard/db
mkdir local
touch local/allow_domains local/allow_urls local/deny_domains local/deny_urls
chown -R squid:suvlet local

What this squidGuard.conf file does it to allow domains/urls matched by the ‘allow_local’ rule to be accessed, but denies access to ‘deny_local’, ‘drugs’, ‘gambling’, and ‘porn’. If the domain/url has not matched anything after those rules have been applied, then it is allowed to be accessed (this is what the final ‘all’ means).

The databases in the local directory (described by the ‘allow_local’ and ‘deny_local’ rules) are files maintained by the local system administrator. These local files are not updated or maintained by the squidGuard robot. Consequently, these local rules will not be overwritten when a new Blacklist is downloaded. Thus, as you find specific sites you wish to specifically allow or deny at your site you edit the appropriate file, rebuild the squidGuard databases, and restart squidGuard.

Once you have edited your squidGuard.conf file, you may need to rebuild the Blacklist databases and restart Squid. This can be done by running the following commands as root (if things don’t appear to be working properly then check the squidGuard log in the /var/log/squid directory):

/usr/sbin/squidGuard -C all
/etc/rc.d/init.d/squid restart

If things still aren't working, check the ownership of the files in the squidGuard Blacklist database.  All the files in /etc/squidGuard/db must be owned by userid ‘squid’ and groupid ‘suvlet’.  The following command can be used to reset the file ownership (run it as root, and remember to restart Squid afterwards):

chown -R squid:suvlet /etc/squidGuard/db/*

Refreshing Blacklists

ClarkConnect version 1.0 does not contain any method for automatically downloading new squidGuard Blacklists. The squidGuard website itself does not offer a script to perform this task, and so it was necessary for me to write a script.

I started my task by posting a query to one of the ClarkConnect user discussion forums, asking if anyone else had already written such a script. A sysadmin named Mike anonymously posted his script. So I took that and rewrote it into something a little more robust. I also created a small PHP webconfig module and put it all together into an RPM to simplify installation.

Download refreshSG

The RPM can be downloaded here:

Note that my refreshSG script is dependent upon wget, and wget must be installed before my refreshSG RPM is installed.

For the convenience of those who may not want the whole RPM, the refreshSG script itself and the accompanying man page can be downloaded here:

Installing refreshSG

Here are some basic installation instructions:

  1. Log into your ClarkConnect box as root.
  2. Retrieve the wget RPM from the RedHat site (using anonymous ftp):
    ftp ftp.redhat.com
    cd /pub/redhat/linux/7.2/en/os/i386/RedHat/RPMS/
    bin
    get wget-1.7-3.i386.rpm
  3. Install the RPM:
    rpm -Uvh wget-1.7-3.i386.rpm
  4. Now retrieve my RPM using wget (this ensures that wget is working correctly):
    wget http://www.rath.ca/Misc/3Com-3C19504/refreshSG-1.1-1.i386.rpm
  5. Install my RPM:
    rpm -Uvh refreshSG-1.1-1.i386.rpm
  6. Now bring up the webconfig screen via https://192.168.1.1:81/ and click on the Admin button
  7. Finally, click on the "Blacklist Update" link (near the bottom left of the page).

The refresh script will not run until you explicitly turn it on via its configuration page. The configuration page also allows you to change the URL the refreshSG script pulls the Blacklist from. When the script does run, it will write a log of its session to /var/log/refreshSG, and that log file is displayed in the lower half of the configuration page.

The refreshSG log file will grow over time and Linux manages this using a program called logrotate that is run each day by cron. To have logrotate manage the refreshSG log file, create a file called /etc/logrotate.d/refreshSG and place the following lines in that file:

/var/log/refreshSG {
monthly
compress
notifempty
missingok
}

Release History

v1.0 [2002-07-16] — First public release (via the ClarkConnect General Forum). Released into the public domain.

v1.1 [2002-07-22] — Second public release.  Have added extra help to the ClarkConnect webconfig page, added a man page, and exposed two additional variables to the refreshSG.conf file.

v1.2 [2002-07-23] — Third public release.  Fixed another typo in the webconfig screen and changed the way the /etc/crontab entry is made.


©Copyright 2002–2003, Christopher & Jean Rath
Telephone: 613-824-4584
Address: 1371 Major Rd., Ottawa, ON, Canada K1E 1H3
Last updated: 2007/02/16 @ 09:53:03 ( )