I may be off here, but here is what I see. It looks like it is using CONNECT via 443, and since there are no further requests it doesn't drop the existing connection. Perhaps if you deny CONNECT to the AIM/Yahoo dstdomain group and force it to use GETs instead.
Unfortunately I don't know enough about how AIM/Yahoo work to know if this will break them. Perhaps restarting squid via cron when the time comes for the restrictions to go into place.

-----Original Message-----
From: Jeff McWilliams [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 16, 2003 9:57 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] HELP: timed based ACLs to control access to AOL instant messenger

Hi,

I have a 13-year-old daughter who's a social butterfly and tends to spend a lot of time chatting with her friends via AOL instant messenger, often to the exclusion of other, more important things. What I've been trying to do is enforce our limited-time chatting policy with networking tools like squid.

I have a Linux based firewall between my home LAN and the cablemodem, with default DENY policies. http and https traffic is only passed if it comes from the proxy server. All the browsers on the home LAN are configured to use the http/https proxy server. Without it, they can't reach the internet. AOL instant messenger client apps are also configured to use the https proxy server to reach the internet.
My squid.conf looks like this: (just showing the ACL lists)
------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl home src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl JeffDesktop srcdomain c975955-a.home.int
acl HeatherLaptop srcdomain hlaptop.home.int
acl HeatherDesktop srcdomain kitty.home.int
acl AIM dstdomain login.oscar.aol.com www.aim.com aimexpress.oscar.aol.com .msg.yahoo.com .yimg.com
acl weeknights time MTWH
acl sunday time S 21:00-23:59
acl friday time F 00:00-16:00
acl purge method PURGE
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#
http_access deny JeffDesktop AIM weeknights
http_access deny JeffDesktop AIM sunday
http_access deny JeffDesktop AIM friday
http_access deny HeatherLaptop AIM weeknights
http_access deny HeatherLaptop AIM sunday
http_access deny HeatherLaptop AIM friday
http_access deny HeatherDesktop AIM weeknights
http_access deny HeatherDesktop AIM sunday
http_access deny HeatherDesktop AIM friday
http_access allow home
http_access allow localhost
http_access deny all
-----------------------------------------------

Yes, I know my restrictions are somewhat IP Address
specific. My daughter isn't smart enough to override the DHCP assigned IP address on her PC. DHCPd is configured to give IP addresses based on MAC address, so her desktop and her P75 laptop always get the same IP Address.

If an AOL IM connection is attempted, say, during a weekday, squid denies it like it should. The access log shows something such as:

1047872990.743 18 192.168.1.41 TCP_DENIED/403 1007 CONNECT login.oscar.aol.com:443 - NONE/- -

Where I'm having trouble is when the clock rolls over from an allowed chat time to a non-allowed chat time. It seems that once AOL Instant Messenger makes a successful connection, it can retain that connection forever. If I disconnect AOL IM and try to reconnect, then it will fail, but as long as the client connected before time "expired", it can continue to operate after time has expired.

The access.log doesn't show continual traffic when AOL IM is in use; it shows something like this:

1047873431.799 196 127.0.0.1 TCP_MISS/200 507 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -
1047873432.635 136 127.0.0.1 TCP_MISS/200 49 CONNECT 64.12.201.36:443 - DIRECT/64.12.201.36 -

followed by little other traffic (except banner ad stuff). Are these persistent connections that are being made? I tried adding:

client_persistent_connections off
server_persistent_connections off

to squid.conf without any effect. I'm using Squid 2.4.STABLE1.

Any suggestions? Should I be looking for some other tool, or am I missing some other configuration parameter that would help me here? I'm more than willing to grab the latest distribution and compile if there is something in it that would help me.

Many thanks,

Jeff McWilliams

-------------------------------------------------------------------
Jeff McWilliams - [EMAIL PROTECTED]
"The minstrel boy, to the war has gone
In the ranks of death you will find him." ..
Thomas Moore
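The behaviour described in the thread follows from how Squid evaluates http_access: the time ACLs are checked once, when the CONNECT request arrives, and an established tunnel is never re-checked; access.log only gets an entry when the tunnel closes, with the elapsed field holding the tunnel's lifetime in milliseconds, which is why a long-lived chat session shows up as a single line long after the fact. The following script, added here as an illustration and not part of the original thread or of Squid, replays access.log lines against the posted time and dstdomain ACLs to find CONNECT tunnels that were opened while chat was allowed and were still open after a deny window began. It assumes the proxy's clock is in US Central (UTC-6, which makes the posted TCP_DENIED line fall at 21:49 on Sunday, consistent with the 9:57 PM send time), that 192.168.1.41 is one of the restricted desktops (the post uses srcdomain names, not addresses), and the fourth log line is constructed to show a 100-minute tunnel; the first three lines are the ones quoted in the post.

```python
"""Replay Squid native access.log lines against squid.conf-style time and
dstdomain ACLs to find CONNECT tunnels that outlived an allowed chat window."""
from datetime import datetime, timedelta, timezone

# Assumption: the proxy's clock is US Central (UTC-6; no DST on 2003-03-16).
LOCAL_TZ = timezone(timedelta(hours=-6))

# Squid day letters -> datetime.weekday() (Monday=0 .. Sunday=6).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

# ACL specs copied from the posted squid.conf.
TIME_ACLS = {"weeknights": "MTWH", "sunday": "S 21:00-23:59", "friday": "F 00:00-16:00"}
AIM_DSTDOMAIN = ["login.oscar.aol.com", "www.aim.com", "aimexpress.oscar.aol.com",
                 ".msg.yahoo.com", ".yimg.com"]
# Assumption: 192.168.1.41 is one of the restricted desktops (the post's srcdomain
# ACLs name hosts; this address appears in the posted TCP_DENIED line).
RESTRICTED_CLIENTS = {"192.168.1.41"}

# Constructed sample: the three lines quoted in the post plus one made-up
# 100-minute tunnel (6000000 ms) that closed at 22:10 Sunday local time.
SAMPLE_LOG = """\
1047872990.743 18 192.168.1.41 TCP_DENIED/403 1007 CONNECT login.oscar.aol.com:443 - NONE/- -
1047873431.799 196 127.0.0.1 TCP_MISS/200 507 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -
1047873432.635 136 127.0.0.1 TCP_MISS/200 49 CONNECT 64.12.201.36:443 - DIRECT/64.12.201.36 -
1047874200.000 6000000 192.168.1.41 TCP_MISS/200 48211 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -
"""


def parse_time_acl(spec):
    """'acl NAME time [SMTWHFA] [h1:m1-h2:m2]': no days = every day, no range = all day.
    Returns (weekday set, start minute-of-day, stop minute-of-day)."""
    days, start, stop = set(DAY_LETTERS.values()), 0, 23 * 60 + 59
    for tok in spec.split():
        if "-" in tok:
            a, b = tok.split("-")
            h1, m1 = map(int, a.split(":"))
            h2, m2 = map(int, b.split(":"))
            start, stop = h1 * 60 + m1, h2 * 60 + m2
        else:
            days = {DAY_LETTERS[c] for c in tok}
    return days, start, stop


def time_acl_matches(spec, when):
    """Squid's test: weekday bit set and start <= minute-of-day <= stop (inclusive)."""
    days, start, stop = parse_time_acl(spec)
    return when.weekday() in days and start <= when.hour * 60 + when.minute <= stop


def dstdomain_matches(patterns, host):
    """A leading dot matches the domain itself and any subdomain; otherwise exact."""
    host = host.lower()
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def parse_access_line(line):
    """Native access.log: time elapsed client code/status bytes method url ident hier/peer type.
    The entry is written when the request (or tunnel) finishes, so start = time - elapsed."""
    f = line.split()
    end = datetime.fromtimestamp(float(f[0]), LOCAL_TZ)
    start = end - timedelta(milliseconds=int(f[1]))
    status = f[3].split("/")[1]
    # CONNECT logs host:port; other methods log a full URL.
    host = f[6].split(":")[0] if f[5] == "CONNECT" else f[6].split("/")[2].split(":")[0]
    return {"start": start, "end": end, "client": f[2], "status": status,
            "method": f[5], "host": host}


def deny_acls_at(when):
    """Names of the deny-time ACLs that match at the given moment."""
    return [name for name, spec in TIME_ACLS.items() if time_acl_matches(spec, when)]


def tunnels_outliving_window(lines):
    """Successful CONNECT tunnels from restricted clients to AIM hosts that were
    allowed when opened but fell inside a deny window by the time they closed."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_access_line(line)
        if e["method"] != "CONNECT" or e["status"] != "200":
            continue
        if e["client"] not in RESTRICTED_CLIENTS or not dstdomain_matches(AIM_DSTDOMAIN, e["host"]):
            continue
        if not deny_acls_at(e["start"]) and deny_acls_at(e["end"]):
            found.append((e["client"], e["host"], e["start"].isoformat(),
                          e["end"].isoformat(), deny_acls_at(e["end"])))
    return found


if __name__ == "__main__":
    for hit in tunnels_outliving_window(SAMPLE_LOG.splitlines()):
        print("tunnel outlived window:", hit)
```

Two things worth noticing when running this over the posted lines: the tunnel to 64.12.201.36:443 never matches the AIM dstdomain list because the client connected to an IP literal rather than a name, so a name-based deny rule leaves that path open; and a deny on CONNECT to the AIM list, or the cron-driven restart suggested in the reply, only affects tunnels that are not already established, which is exactly the case the constructed fourth line flags.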