Guard Your Network with IPCop, Part 2: Add-ons

IPCop add-ons like Advanced Proxy, URL Filter, Update Accelerator and Calamaris are not officially part of the IPCop distro, but provide excellent additional functions such as advanced proxy, enabling network-based access control and authentication; URL filtering, with automatic blacklist updates; OpenVPN server; blocking outgoing traffic based on ports, etc. The important details, features and download links of our four add-ons are summarised in the following table.

Add-on	Current Version	Function & features
Advanced Proxy	3.0.6	Provides various additional functionality over and above the basic proxy: Seamless GUI integration for advanced Web proxy configuration Local user authentication including group-based user management identd (RFC 1413) authentication LDAP authentication including Active Directory, eDirectory and OpenLDAP Windows authentication including native Windows domains and Samba RADIUS authentication Extended cache management Web access control by IP and MAC addresses Download throttling Time-based access restrictions Classroom extensions for supervising Web access by classrooms MIME type filter Blocking of unauthorised browsers or client software Automatic client configuration support (PAC and WPAD)
URL Filter	1.9.3	Block websites just by selecting the unwanted category. Available for both, IPCop and SmoothWall, it’s ready to use — download, install, and run. Following are some of its features: Seamless GUI integration for configuration and log viewer Very flexible, block categories are not hardcoded Custom block categories can be included Works with all squidGuard-compatible blacklists Automatic blacklist updates on a scheduled basis Time, category and client-based constraints (IPCop only) No reboot required, for installation/removal, nor during operation
Update Accelerator	2.1.3	Caching various operating system patches and anti-virus updates Increases download speed up to a factor of 1.500 for a 64kBit/s ISDN connection. Guaranteed delivery from local cache, even if the Web Proxy cache has been cleared. The Update Accelerator cache can be transferred from one IPCop to another for offline preloading.
Calamaris Report Generator	2.1.2	This one is for generation of categorised proxy reports. Following are some of its features: Request method (GET, HEAD, …) Incoming requests (TCP and UDP) Outgoing requests Requested first- and second-level domains Protocol report (http, gopher, ftp, …) Requested content-types and file extensions Size based distribution of objects Performance in defined time ranges

The setup assumes IPCop (green) IP as 192.168.51.1, the IPCop Web access port to be 445 and the IPCop SSH access port of 222, with SSH access enabled (System  –> SSH Access in the IPCop Web GUI). To copy add-on binaries, you need to use SCP, and for installation you need direct console access or SSH access from another system. Linux users can use the scp and ssh utilities. Windows users can download and install WinSCP and Putty for these purposes. That done, download the various add-on binaries from the links provided in the table above to your desktop. Secure-copy (SCP) them to /root on the IPCop box. Get a command prompt on the IPCop box via SSH (or Putty).

Extract each of the tarballs with tar -xzf <tarballname>. Change to each of the extracted folders in turn (ipcop-advproxy, ipcop-urlfilter, ipcop-updatexlrator, ipcop-calamaris), and run ./install in each of them to install that add-on.

Subsequent configuration is via the IPCop Web GUI being prerequisite for various other add-ons, install ADV Proxy first followed by others.

AdvProxy

In the Web GUI, go to Services  –> Advanced Proxy. The important settings under various categories are given below.

• Common settings:
  1. Enable this add-on on the Green network (and any others if needed).
  2. Whether or not to use Transparent mode (no change in client browser connection settings is required, though the browser must be configured to use the IPCop proxy port).
  3. Proxy port (default TCP 800).
• Other settings include:
  1. Upstream Proxy: To be used if the Internet connection is via a proxy server. Here, the username and password can also be provided.
  2. Log settings: To enable/disable proxy logs.
  3. Cache management: Define cache size.
  4. Network-based access control: Allows you to control Internet access only to the defined subnets (or IP addresses). For example, 192.168.51.0/27 will allow Internet access to 192.168.51.1 to 192.168.51.30. (Some clients can be banned by entering their IPs under ‘Banned IP addresses’.)
  5. Time restrictions: Internet access can be allowed only during certain time periods.
  6. Authentication methods: IPCop supports user authentication methods such as Local (IPCop username and passwords), LDAP/RADIUS (external LDAP server), Windows (Windows Domain Controller), etc.

URL Filter

To enable URL Filter, go to the bottom of Services  –> Advanced Proxy and select Enable URL Filter. Go to Services  –> URL Filter for more settings. Various configuration items and features are listed below:

• Block Categories — Choose the unwanted category to block corresponding websites. The blacklist database can be scheduled to be updated daily/weekly or monthly. The default list has only a few block categories. Once updated, you will see a detailed list to block from.
• Black list and White list — If a blacklisted website is to be accessible, add it to Custom Whitelist; to ban an accessible website, add it to Custom Blacklist.
• Custom Expressions list — Add words to be blocked. For an example, add cricket, score and scores under this to block sites featuring these words.
• File Extension Blocking — Block executable, compressed or Audio/Video file downloads by selecting the corresponding check-box.
• Network-based access control — Lets some users browse the Web unrestricted, and can block others from using the Web at all.
• Block Page settings — The message a user receives when trying to access a blocked website.
• Log — Enable it to track who is trying to access blocked websites.
• URL Filter Maintenance — Blacklist update settings, configure a daily/weekly/monthly update schedule and choose from four sources.
• Backup URL Filter — Backup settings and complete blacklist, which can be restored later, or on a new IPCop installation.

URL Filter allows three categories of Internet access based on the IP address — filtered access, unrestricted access and no access (banned). One very important provision is that all sites from the custom whitelist can be accessed by banned IP addresses if you enable “Allow custom whitelist for banned clients”. This can be very helpful if all users need to access some websites.

Update Accelerator

Enable it at the bottom of Services –> Advanced Proxy and go to Services –> Update Accelerator. This requires only a few settings. Select Enable Log, Enable Passive Mode and Lower CPU priority for downloads. You may also define a maximum download rate.

This is very useful; it caches various large downloads like updates for anti-virus and OS patches, etc. Repeat requests are supplied from local cache, saving bandwidth and increasing download speed tremendously. To clear cache, either manually delete individual files, or set it to automatically delete unused files, via the Maintenance button in Services –> Update Accelerator.

Calamaris report generator

This add-on requires no configuration. Go to Logs –> Proxy Reportsto access the report generator. Calamaris can generate reports based on parameters like Domain, Performance, Contents, Requester, etc. The time needed for report generation may vary based upon the CPU, hard disk and log size. Reports can be viewed on-screen or exported to text files (see Figures 3 and 4).

So folks, this adds four important add-ons to the vanilla IPCop. Watch out for further details!