SquidGuard package TEST

dhipo

ok …. i will try be clear ..... on press apply button or save new Destinations is not creating the db files..
i created manually using the comand
/usr/local/bin/squidguard -c /usr/local/etc/squidGuard/squidGuard.conf -C all

but every time , when a new url ,expression or domain is added to destinations is necessary run the command
/usr/local/bin/squidguard -c /usr/local/etc/squidGuard/squidGuard.conf -d

if db files was not created manually the rules (ACLS) does not work ..
but, after db creation (manually) works fast and was expected..

dhipo

new doubt …
Can i have an acl like this

" pass MyList "

without the ' !all ' at the end of line ?

dvserg

@dhipo:

new doubt …
Can i have an acl like this

" pass MyList "

without the ' !all ' at the end of line ?

I test bug with db nearest time ???

About ACL
'!all' convert to config as 'none'
This is default rule for current ACL
'pass MyList all' mean pass 'MyList' and 'all' - passed all
pass MyList !sex all - mean pass MyList all and deny sex
pass MyList none (equiqalence !all) - mean pass only MyList and deny all other

dvserg

Rename wisout .txt, replace on '/usr/local/pkg' this and test it.

squidguard_configurator.inc.txt

dhipo

ok … i changed the squidguard_configurator file ... works good... an new discovered tip .... ACL order is too important .. look this :

acl 1 source is 192.168.1.0/24 "pass mylist none" -- my list have only some permited sites

acl2 source is 192.168.1.20 pass all

in this case acl2 never is used

but if acl2 is in top order works like desired....

can an option to move order in acls added ???

dvserg

@dhipo:

ok … i changed the squidguard_configurator file ... works good... an new discovered tip .... ACL order is too important .. look this :

acl 1 source is 192.168.1.0/24 "pass mylist none" -- my list have only some permited sites

acl2 source is 192.168.1.20 pass all

in this case acl2 never is used

but if acl2 is in top order works like desired....

can an option to move order in acls added ???

Great test!! I missed this moment and this very serious. I will work about this :-[

dvserg

Do you have url's with information about squidGuard ALC's order?

dhipo

no i don't found anything about acl order on internet …. but it's a try an error what i did ....

look ...

i thin in this moment we can do an ACL tester .... to show what ACL is being applied ....

on command line the test is ....

echo "http://www.example.com 100.0.2.10/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

and will reply on last lines

2007-06-24 10:54:39 [15031] squidGuard 1.2.0 started (1182693279.170)
2007-06-24 10:54:39 [15031] squidGuard ready for requests (1182693279.178)
2007-06-24 10:54:39 [15031] Request(EC/none/-) http://www.example.com 100.0.2.10/- - -
http://127.0.0.1/sgerror.php?url=403 100.0.2.10/- - -
2007-06-24 10:54:39 [15031] squidGuard stopped (1182693279.178)

look the acl NAME there Request(EC/none/-)

look this … the ip tested down is an user with special access, but with porn denied

echo "http://www.sex.com 192.168.19.97/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

reply 2007-06-24 10:59:26 [15573] squidGuard ready for requests (1182693566.468)
2007-06-24 10:59:26 [15573] Request(especiais/porn/-) http://www.sex.com 192.168.19.97/- - -
http://127.0.0.1/sgerror.php?url=403 192.168.19.97/- - -
2007-06-24 10:59:26 [15573] squidGuard stopped (1182693566.469)

and now the full network range … with limited access...

echo "http://www.sex.com 192.168.0.0/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

look the different acl 2007-06-24 11:04:25 [16181] Request(lojas/none/-) http://www.sex.com 192.168.0.0/- - -
http://127.0.0.1/sgerror.php?url=403 192.168.0.0/- - -
2007-06-24 11:04:25 [16181] squidGuard stopped (1182693865.587)

in my testings i discovered :
if an ACL with specific ip ( host address eg: 192.168.19.97 ) is after of a network range … the acl is never processed ..

then i suggest and button to move acl order like rules order in pfsense ...

dvserg

http://www.sdconsult.no/linux/SquidGuard/doc.html

How squidGuard decides what to do
For each request squidGuard will:
try to find a matching client group based on the client IP-address and optional domainname and user ID information. Note: The client groups are matched in the order they are defined. Thus a client group that is a subset of a more general group must come first of the two to take effect. If the client does not match a group then the default acl will be used.
Note: The client information must match at least one of each defined type within the actual group to qualify (i.e. ip AND domain AND user).
select the corresponding active acl. If no corresponding acl is active or defined the default acl is selected.
try to match the URL to each destination group in the listed order in the pass rule in the actual acl and for each destination group in the priority order domainlist, urllist and expressionlist.
Note: It is sufficient that the URL matches one of the defined types within the actual group to qualify (i.e. domainlist OR urllist OR expressionlist).
if a negative group ("!group") is matched, return the redirect URL for that destination group if defined or alternatively the redirect URL in the actual acl if defined or else the redirect URL in the default acl as the last resort.
when a positive group ("group") is matched the stop searching.
apply the rewrite rules for the matched destination group if any and then apply rewrite rules for the acl if any or else the rewrite rules for the default acl if any.
if the URL was changed by a rewrite rule return the new URL and the suplied information.
Otherwise return an empty line indicating no change to Squid.

May be source order have effect? Analyze pls this url.. (my translator give stuppid text)

dhipo

is this ….

The order of "ACL" is important ...
look this note:

Note: The client groups are matched in the order they are defined.

we need an control to ordering "ACL"s

dvserg

@dhipo:

is this ….
The order of "ACL" is important ...
look this note:
Note: The client groups are matched in the order they are defined.
we need an control to ordering "ACL"s

Client group this is Sources blocks
Do you have possible test config with swithching sources blocks? (manually swap and restart squid). I will be able to test tomorrow :-\

dhipo

no …. source or destinations order is NOT important ....

important is the ACL order .... blocking is made based on order of ACL...

dhipo

i did test order of acl and this is real …. .ACL order is important...

dvserg

@dhipo:

i did test order of acl and this is real …. .ACL order is important...

I now have test via remote access on my work next simple config


src_myip_on = myip
src_myip_off = myip

acl {
  default .... none // all block
  src_myip_on ... all // all pass
  src_myip_off ... none //all block
}

–- A --- beginner
sources (1)src_myip_on (2)src_myip_off
ACLS (1)default (2)src_myip_on (3)src_myip_off
result MyIP Access = pass

--- B --- swapping acls
sources (1)src_myip_on (2)src_myip_off
ACLS (1)default (2)src_myip_off (3)src_myip_on
result MyIP Access = pass (!!)

-- C -- swapping sources
sources (1)src_myip_off (2)src_myip_on
ACLS (1)default (2)src_myip_on (3)src_myip_off
result MyIP Access = blocked (!!)

dhipo

you are right ….. the sources order change the result of policy .... i hate this.... only about lucky .... but my order of sources was right and when i changed policies stop to work.....

great work ..... SOURCES MUST BE ORDERED TO WORK ....

dvserg

In sources table no way to mooving table line up/down
I have idea add one checkbox field with 3 positions (–/move up/move down)

Any other idea?

Perry

In sources table no way to mooving table line up/down

Maybe you could get around it by first saving it to a temp file first, adding a number 1 2 3 and then add it to conf by number…

dvserg

For example this

src_project.jpg_thumb

dhipo

looks good ….

but correct english in some words ...

change
Sources order have very impotant importance
to
Sources order have very higy importance.

word "chose" the correct is "choose"

dhipo

new thing ….

on the Destinations tab i cannot add an redirect url all tries give me the following message.

The following input errors were detected:

* Redirect must contains valid url. Example: 'http://www.my.com', 'https://my.com', 'ftp://my.com'

i try put in the field redirect

http://www.mydom.com.br/
http://www.mydom.com.br/test.htm
403:http://www.mydom.com.br/
403:http://www.mydom.com.br/test.htm

all with errors