IPCop add-ons like Advanced Proxy, URL Filter, Update Accelerator and Calamaris are not officially part of the IPCop distro, but provide excellent additional functions such as advanced proxy, enabling network-based access control and authentication; URL filtering, with automatic blacklist updates; OpenVPN server; blocking outgoing traffic based on ports, etc. The important details, features and download links of our four add-ons are summarised in the following table.
|Add-on|Current Version|Function & features|
|---|---|---|
|Advanced Proxy|3.0.6|Provides various additional functionality over and above the basic proxy:|
|URL Filter|1.9.3|Block websites just by selecting the unwanted category. Available for both IPCop and SmoothWall, it’s ready to use — download, install, and run. Following are some of its features:|
|Calamaris Report Generator|2.1.2|This one is for generation of categorised proxy reports. Following are some of its features:|
The setup assumes IPCop (green) IP as 192.168.51.1, the IPCop Web access port to be 445 and the IPCop SSH access port of 222, with SSH access enabled (System –> SSH Access in the IPCop Web GUI). To copy add-on binaries, you need to use SCP, and for installation you need direct console access or SSH access from another system. Linux users can use the scp and ssh utilities. Windows users can download and install WinSCP and Putty for these purposes. That done, download the various add-on binaries from the links provided in the table above to your desktop. Secure-copy (SCP) them to /root on the IPCop box. Get a command prompt on the IPCop box via SSH (or Putty).
Extract each of the tarballs with tar -xzf <tarballname>. Change to each of the extracted folders in turn (ipcop-calamaris), and run ./install in each of them to install that add-on.
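Because the tarballs are extracted and their ./install scripts run as root on the firewall, it is worth inspecting each download on the desktop before copying it to /root. The following is an added example, not part of the original article or of the add-ons themselves: it lists an archive's members without extracting them and flags paths that would land outside the extracted folder, links pointing outside the archive and setuid/setgid files. The folder name ipcop-example and the sample archives are constructed for illustration.

```python
import hashlib
import io
import stat
import tarfile
from pathlib import PurePosixPath


def vet_addon_tarball(data):
    """Inspect a .tar.gz add-on package without extracting it."""
    findings, paths = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            path = PurePosixPath(m.name)
            paths.append(path)
            # tar -xzf run as root must not write outside the extracted folder.
            if path.is_absolute() or ".." in path.parts:
                findings.append(f"path escapes extraction dir: {m.name}")
            if m.issym() or m.islnk():
                target = PurePosixPath(m.linkname)
                if target.is_absolute() or ".." in target.parts:
                    findings.append(f"link leaves archive: {m.name} -> {m.linkname}")
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"setuid/setgid file: {m.name}")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # record it; compare if a value is published
        "top_dirs": sorted({p.parts[0] for p in paths if p.parts}),
        "has_installer": any(len(p.parts) == 2 and p.name == "install" for p in paths),
        "findings": findings,
    }


def build_sample(members):  # constructed input: [(name, mode, symlink_target_or_None)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, link in members:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            body = b"" if link else b"#!/bin/sh\n"
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


CLEAN = build_sample([("ipcop-example/install", 0o755, None)])
SUSPECT = build_sample([("ipcop-example/../../etc/example.conf", 0o644, None),
                        ("ipcop-example/helper", 0o4755, None),
                        ("ipcop-example/link", 0o777, "/etc/example.conf")])
```

For a real download, pass the file's bytes (for example `open(path, "rb").read()`) and copy the tarball to the IPCop box only when `findings` is empty and `has_installer` is true.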
Subsequent configuration is via the IPCop Web GUI. Since Advanced Proxy is a prerequisite for various other add-ons, install ADV Proxy first, followed by the others.
In the Web GUI, go to Services –> Advanced Proxy. The important settings under various categories are given below.
- Common settings:
  - Enable this add-on on the Green network (and any others if needed).
  - Whether or not to use Transparent mode (in transparent mode no change in client browser connection settings is required; otherwise the browser must be configured to use the IPCop proxy port).
  - Proxy port (default TCP 800).
- Other settings include:
  - Upstream Proxy: To be used if the Internet connection is via a proxy server. Here, the username and password can also be provided.
  - Log settings: To enable/disable proxy logs.
  - Cache management: Define cache size.
  - Network-based access control: Restricts Internet access to the defined subnets (or IP addresses). For example, 192.168.51.0/27 will allow Internet access for 192.168.51.1 to 192.168.51.30. (Some clients can be banned by entering their IPs under ‘Banned IP addresses’.)
  - Time restrictions: Internet access can be allowed only during certain time periods.
  - Authentication methods: IPCop supports user authentication methods such as Local (IPCop username and passwords), LDAP/RADIUS (external LDAP server), Windows (Windows Domain Controller), etc.
To enable URL Filter, go to the bottom of Services –> Advanced Proxy and select Enable URL Filter. Go to Services –> URL Filter for more settings. Various configuration items and features are listed below:
- Block Categories — Choose the unwanted category to block corresponding websites. The blacklist database can be scheduled to be updated daily/weekly or monthly. The default list has only a few block categories. Once updated, you will see a detailed list to block from.
- Black list and White list — If a blacklisted website is to be accessible, add it to Custom Whitelist; to ban an accessible website, add it to Custom Blacklist.
- Custom Expressions list — Add words to be blocked. For example, add cricket, score and scores under this to block sites featuring these words.
- File Extension Blocking — Block executable, compressed or Audio/Video file downloads by selecting the corresponding check-box.
- Network-based access control — Lets some users browse the Web unrestricted, and can block others from using the Web at all.
- Block Page settings — The message a user receives when trying to access a blocked website.
- Log — Enable it to track who is trying to access blocked websites.
- URL Filter Maintenance — Blacklist update settings, configure a daily/weekly/monthly update schedule and choose from four sources.
- Backup URL Filter — Backup settings and complete blacklist, which can be restored later, or on a new IPCop installation.
URL Filter allows three categories of Internet access based on the IP address — filtered access, unrestricted access and no access (banned). One very important provision is that all sites from the custom whitelist can be accessed by banned IP addresses if you enable “Allow custom whitelist for banned clients”. This can be very helpful if all users need to access some websites.
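The interaction between the allowed subnets, the three access categories and the whitelist exception for banned clients is easier to audit when written out. The following is an added example, not code from the add-ons or the original article: a simplified model of the decision for one request, plus a check for list entries that can never take effect. The evaluation order, the hostnames and the sample policy are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowed_subnets: list                               # Advanced Proxy: network-based access control
    banned: set = field(default_factory=set)            # URL Filter: no access
    unrestricted: set = field(default_factory=set)      # URL Filter: unrestricted access
    custom_whitelist: set = field(default_factory=set)
    custom_blacklist: set = field(default_factory=set)
    whitelist_for_banned: bool = False                  # "Allow custom whitelist for banned clients"


def decide(policy, client, host):
    """Return the outcome for one request. The evaluation order is an assumption of this model."""
    ip = ipaddress.ip_address(client)
    if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_subnets):
        return "deny: outside allowed subnets"
    if client in policy.banned:
        if policy.whitelist_for_banned and host in policy.custom_whitelist:
            return "allow: whitelist exception for banned client"
        return "deny: banned client"
    if client in policy.unrestricted:
        return "allow: unrestricted client"
    if host in policy.custom_whitelist:
        return "allow: custom whitelist"
    if host in policy.custom_blacklist:
        return "deny: custom blacklist"
    return "filter: selected block categories apply"


def stale_entries(policy):
    """Banned/unrestricted IPs that no allowed subnet covers, so the entry never takes effect."""
    nets = [ipaddress.ip_network(n) for n in policy.allowed_subnets]
    listed = policy.banned | policy.unrestricted
    return sorted(c for c in listed if not any(ipaddress.ip_address(c) in n for n in nets))


# Constructed sample policy using the article's 192.168.51.0/27 example.
POLICY = Policy(
    allowed_subnets=["192.168.51.0/27"],
    banned={"192.168.51.20", "192.168.51.40"},
    unrestricted={"192.168.51.5"},
    custom_whitelist={"intranet.example.org"},
    custom_blacklist={"games.example.org"},
    whitelist_for_banned=True,
)
```

With the exception enabled, every host added to the custom whitelist becomes reachable from banned clients as well, so that list should be reviewed with both audiences in mind.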
Enable Update Accelerator at the bottom of Services –> Advanced Proxy and go to Services –> Update Accelerator. This requires only a few settings. Select Enable Log, Enable Passive Mode and Lower CPU priority for downloads. You may also define a maximum download rate.
This is very useful; it caches various large downloads like updates for anti-virus and OS patches, etc. Repeat requests are supplied from local cache, saving bandwidth and increasing download speed tremendously. To clear cache, either manually delete individual files, or set it to automatically delete unused files, via the Maintenance button in Services –> Update Accelerator.
Calamaris report generator
This add-on requires no configuration. Go to Logs –> Proxy Reports to access the report generator. Calamaris can generate reports based on parameters like Domain, Performance, Contents, Requester, etc. The time needed for report generation may vary based upon the CPU, hard disk and log size. Reports can be viewed on-screen or exported to text files (see Figures 3 and 4).
So folks, this adds four important add-ons to the vanilla IPCop. Watch out for further details!
The author is an IS auditor, network security consultant and trainer with 25+ years of industry experience. He is an industrial electronics engineer with CISA, CISSP and DCL certification. Please feel free to contact him at rajesh at omegasystems dot co dot in.