Netgate Discussion Forum

SquidGuard package TEST

  • D Offline
    dhipo
    last edited by Jun 24, 2007, 2:07 PM

    No, I didn't find anything about ACL order on the internet ... but what I did was trial and error ...

    look ...

    I think at this moment we can do an ACL tester ... to show what ACL is being applied ...

    On the command line the test is ...

    echo "http://www.example.com 100.0.2.10/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    and it will reply on the last lines

    2007-06-24 10:54:39 [15031] squidGuard 1.2.0 started (1182693279.170)
    2007-06-24 10:54:39 [15031] squidGuard ready for requests (1182693279.178)
    2007-06-24 10:54:39 [15031] Request(EC/none/-) http://www.example.com 100.0.2.10/- - -
    http://127.0.0.1/sgerror.php?url=403 100.0.2.10/- - -
    2007-06-24 10:54:39 [15031] squidGuard stopped (1182693279.178)

    Look at the ACL NAME there: Request(EC/none/-)

    Look at this ... the IP tested below is a user with special access, but with porn denied

    echo "http://www.sex.com 192.168.19.97/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    reply
    2007-06-24 10:59:26 [15573] squidGuard ready for requests (1182693566.468)
    2007-06-24 10:59:26 [15573] Request(especiais/porn/-) http://www.sex.com 192.168.19.97/- - -
    http://127.0.0.1/sgerror.php?url=403 192.168.19.97/- - -
    2007-06-24 10:59:26 [15573] squidGuard stopped (1182693566.469)

    And now the full network range ... with limited access ...

    echo "http://www.sex.com 192.168.0.0/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    Look at the different ACL:
    2007-06-24 11:04:25 [16181] Request(lojas/none/-) http://www.sex.com 192.168.0.0/- - -
    http://127.0.0.1/sgerror.php?url=403 192.168.0.0/- - -
    2007-06-24 11:04:25 [16181] squidGuard stopped (1182693865.587)

    In my testing I discovered:
    if an ACL with a specific IP (host address, e.g. 192.168.19.97) comes after a network range ... the ACL is never processed ...

    So I suggest a button to move the ACL order, like the rules order in pfSense ...

    Dhix Networks
    Everything Secure

    http://www.dhix.com.br

    1 Reply Last reply Reply Quote 0
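Added example (not part of the original posts): a small Python parser for the `squidGuard -d` output shown in the post above, reporting which ACL and destination were selected for each test request. The meaning of the fields inside `Request(...)` is an assumption inferred from the captures in the post; `SAMPLE` is copied from those captures.

```python
import re

# Assumed layout, inferred from the captures in the post:
#   <date> <time> [pid] Request(<acl>/<destination>/<?>) <url> <client-ip>/...
REQUEST_RE = re.compile(
    r"^\S+ \S+ \[\d+\] Request\((?P<acl>[^/)]*)/(?P<dest>[^/)]*)/[^)]*\) "
    r"(?P<url>\S+) (?P<client>[^/\s]+)/")
LOG_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[\d+\] ")

# Sample input: debug output copied from the three test runs in the post.
SAMPLE = """\
2007-06-24 10:54:39 [15031] squidGuard ready for requests (1182693279.178)
2007-06-24 10:54:39 [15031] Request(EC/none/-) http://www.example.com 100.0.2.10/- - -
http://127.0.0.1/sgerror.php?url=403 100.0.2.10/- - -
2007-06-24 10:54:39 [15031] squidGuard stopped (1182693279.178)
2007-06-24 10:59:26 [15573] Request(especiais/porn/-) http://www.sex.com 192.168.19.97/- - -
http://127.0.0.1/sgerror.php?url=403 192.168.19.97/- - -
2007-06-24 11:04:25 [16181] Request(lojas/none/-) http://www.sex.com 192.168.0.0/- - -
http://127.0.0.1/sgerror.php?url=403 192.168.0.0/- - -
2007-06-24 11:04:25 [16181] squidGuard stopped (1182693865.587)
"""

def parse_debug_output(text):
    """Return one dict per Request(...) line: client, url, acl, dest, redirect."""
    lines = [ln.strip() for ln in text.splitlines()]
    results = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # The reply sent back to Squid is the next line, unless that line is
        # another timestamped log entry or empty (empty means "no change").
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        reply = "" if LOG_LINE_RE.match(nxt) else nxt
        results.append({**m.groupdict(), "redirect": reply.split(" ")[0] or None})
    return results

if __name__ == "__main__":
    for r in parse_debug_output(SAMPLE):
        verdict = f"redirect to {r['redirect']}" if r["redirect"] else "pass"
        print(f"{r['client']:<15} {r['url']:<24} acl={r['acl']:<10} "
              f"dest={r['dest']:<6} {verdict}")
```

Running it over one capture per client address gives a table of which ACL each address actually lands in, which makes a source that is never selected easy to spot.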
    • D Offline
      dvserg
      last edited by Jun 24, 2007, 3:22 PM

      http://www.sdconsult.no/linux/SquidGuard/doc.html

      How squidGuard decides what to do
      For each request squidGuard will:
      try to find a matching client group based on the client IP-address and optional domainname and user ID information. Note: The client groups are matched in the order they are defined. Thus a client group that is a subset of a more general group must come first of the two to take effect. If the client does not match a group then the default acl will be used.
      Note: The client information must match at least one of each defined type within the actual group to qualify (i.e. ip AND domain AND user).
      select the corresponding active acl. If no corresponding acl is active or defined the default acl is selected.
      try to match the URL to each destination group in the listed order in the pass rule in the actual acl and for each destination group in the priority order domainlist, urllist and expressionlist.
      Note: It is sufficient that the URL matches one of the defined types within the actual group to qualify (i.e. domainlist OR urllist OR expressionlist).
      if a negative group ("!group") is matched, return the redirect URL for that destination group if defined or alternatively the redirect URL in the actual acl if defined or else the redirect URL in the default acl as the last resort.
      when a positive group ("group") is matched then stop searching.
      apply the rewrite rules for the matched destination group if any and then apply rewrite rules for the acl if any or else the rewrite rules for the default acl if any.
      if the URL was changed by a rewrite rule return the new URL and the supplied information.
      Otherwise return an empty line indicating no change to Squid.

      Maybe source order has an effect? Please analyze this URL ... (my translator gives stupid text)

      SquidGuardDoc EN  RU Tutorial
      Localization ru_PFSense

      1 Reply Last reply Reply Quote 0
      • D Offline
        dhipo
        last edited by Jun 24, 2007, 6:44 PM

        It is this ...

        The order of "ACL" is important ...
        Look at this note:

        Note: The client groups are matched in the order they are defined.

        We need a control for ordering "ACL"s

        Dhix Networks
        Everything Secure

        http://www.dhix.com.br

        1 Reply Last reply Reply Quote 0
        • D Offline
          dvserg
          last edited by Jun 24, 2007, 6:53 PM

          @dhipo:

          It is this ...
          The order of "ACL" is important ...
          Look at this note:
          Note: The client groups are matched in the order they are defined.
          We need a control for ordering "ACL"s

          Client groups are the Sources blocks.
          Is it possible for you to test a config with the sources blocks switched? (manually swap and restart squid). I will be able to test tomorrow :-\

          SquidGuardDoc EN  RU Tutorial
          Localization ru_PFSense

          1 Reply Last reply Reply Quote 0
          • D Offline
            dhipo
            last edited by Jun 24, 2007, 7:04 PM

            No ... source or destination order is NOT important ...

            What is important is the ACL order ... blocking is done based on the order of the ACLs ...

            Dhix Networks
            Everything Secure

            http://www.dhix.com.br

            1 Reply Last reply Reply Quote 0
            • D Offline
              dhipo
              last edited by Jun 24, 2007, 7:13 PM

              I did test the order of the ACLs and this is real ... ACL order is important ...

              Dhix Networks
              Everything Secure

              http://www.dhix.com.br

              1 Reply Last reply Reply Quote 0
              • D Offline
                dvserg
                last edited by Jun 24, 2007, 7:42 PM

                @dhipo:

                I did test the order of the ACLs and this is real ... ACL order is important ...

                I have now tested, via remote access at my work, the following simple config

                
                src_myip_on = myip
                src_myip_off = myip
                
                acl {
                  default .... none // all block
                  src_myip_on ... all // all pass
                  src_myip_off ... none //all block
                }
                

                --- A --- beginning
                sources  (1)src_myip_on (2)src_myip_off
                ACLS (1)default (2)src_myip_on (3)src_myip_off
                result MyIP Access = pass

                --- B --- swapping acls
                sources  (1)src_myip_on (2)src_myip_off
                ACLS (1)default (2)src_myip_off (3)src_myip_on
                result MyIP Access = pass (!!)

                --- C --- swapping sources
                sources  (1)src_myip_off (2)src_myip_on
                ACLS (1)default (2)src_myip_on (3)src_myip_off
                result MyIP Access = blocked (!!)

                SquidGuardDoc EN  RU Tutorial
                Localization ru_PFSense

                1 Reply Last reply Reply Quote 0
                • D Offline
                  dhipo
                  last edited by Jun 25, 2007, 1:43 AM

                  You are right ... the sources order changes the result of the policy ... I hate this ... it was only about luck ... but my order of sources was right, and when I changed, policies stopped working ...

                  Great work ... SOURCES MUST BE ORDERED TO WORK ...

                  Dhix Networks
                  Everything Secure

                  http://www.dhix.com.br

                  1 Reply Last reply Reply Quote 0
                  • D Offline
                    dvserg
                    last edited by Jun 25, 2007, 7:17 AM

                    In the sources table there is no way to move a table line up/down.
                    I have an idea: add one checkbox field with 3 positions (–/move up/move down)

                    Any other ideas?

                    SquidGuardDoc EN  RU Tutorial
                    Localization ru_PFSense

                    1 Reply Last reply Reply Quote 0
                    • P Offline
                      Perry
                      last edited by Jun 25, 2007, 8:39 AM

                      In the sources table there is no way to move a table line up/down.

                      Maybe you could get around it by first saving it to a temp file, adding a number 1 2 3 and then adding it to the conf by number…

                      /Perry
                      doc.pfsense.org

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        dvserg
                        last edited by Jun 25, 2007, 11:17 AM

                        For example this

                        src_project.jpg

                        SquidGuardDoc EN  RU Tutorial
                        Localization ru_PFSense

                        1 Reply Last reply Reply Quote 0
                        • D Offline
                          dhipo
                          last edited by Jun 25, 2007, 1:27 PM

                          Looks good ...

                          but correct the English in some words ...

                          change
                          Sources order have very impotant importance
                          to
                          Sources order have very high importance.

                          The word "chose": the correct one is "choose"

                          Dhix Networks
                          Everything Secure

                          http://www.dhix.com.br

                          1 Reply Last reply Reply Quote 0
                          • D Offline
                            dhipo
                            last edited by Jun 25, 2007, 1:51 PM

                            New thing ...

                            On the Destinations tab I cannot add a redirect URL; all tries give me the following message.

                            The following input errors were detected:

                            * Redirect must contains valid url. Example: 'http://www.my.com', 'https://my.com', 'ftp://my.com'

                            I tried putting in the redirect field

                            http://www.mydom.com.br/
                            http://www.mydom.com.br/test.htm
                            403:http://www.mydom.com.br/
                            403:http://www.mydom.com.br/test.htm

                            all with errors

                            Dhix Networks
                            Everything Secure

                            http://www.dhix.com.br

                            1 Reply Last reply Reply Quote 0
                            • D Offline
                              dvserg
                              last edited by Jun 25, 2007, 2:15 PM Jun 25, 2007, 2:11 PM

                              Yes ... maybe a validator problem
                              Temporarily - assign only '404'
                              The user will see a 404 error page

                              SquidGuardDoc EN  RU Tutorial
                              Localization ru_PFSense

                              1 Reply Last reply Reply Quote 0
                              • P Offline
                                Perry
                                last edited by Jun 25, 2007, 2:17 PM

                                Source order is of high importance. Sources are evaluated on a first-match basis
                                Wrong order:
                                First source entry is the range 10.0.0.0/24 and second entry is 10.0.0.15 (or 10.0.0.15/32 )
                                Right order:
                                First source entry is the single ip 10.0.0.15 (or 10.0.0.15/32 ) then the overlaying range 10.0.0.0/24

                                My non-native language suggestion :)

                                /Perry
                                doc.pfsense.org

                                1 Reply Last reply Reply Quote 0
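Added example (not the package's code): a Python check that walks an ordered list of sources and reports every entry that can never be selected because an earlier source already covers it, the first-match behaviour described in the post above and in the squidGuard note quoted earlier in the thread. Source names are hypothetical, the addresses are the ones from the post, and `suggest_order` is a simple heuristic (narrowest source first), not something squidGuard does itself.

```python
import ipaddress

def find_shadowed(sources):
    """sources: ordered list of (name, [ip_or_cidr, ...]) as defined in the config.
    Returns (name, net, earlier_name, earlier_net) for each address of a later
    source that lies entirely inside an address of an earlier source."""
    seen = []        # (name, network) pairs in definition order
    findings = []
    for name, entries in sources:
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        for net in nets:
            for earlier_name, earlier_net in seen:
                # subnet_of() is also true for identical networks, which covers
                # two sources defined with the same single IP.
                if net.version == earlier_net.version and net.subnet_of(earlier_net):
                    findings.append((name, str(net), earlier_name, str(earlier_net)))
                    break
        seen.extend((name, n) for n in nets)
    return findings

def suggest_order(sources):
    """Heuristic reorder: sources whose broadest entry is narrowest come first.
    The sort is stable, so sources of equal width keep their relative order."""
    def broadest_prefix(src):
        return min(ipaddress.ip_network(e, strict=False).prefixlen for e in src[1])
    return sorted(sources, key=lambda s: -broadest_prefix(s))

# Constructed sample: the "wrong order" and "right order" from the post.
WRONG = [("lan", ["10.0.0.0/24"]), ("admin_pc", ["10.0.0.15"])]
RIGHT = [("admin_pc", ["10.0.0.15"]), ("lan", ["10.0.0.0/24"])]

if __name__ == "__main__":
    for name, net, by, by_net in find_shadowed(WRONG):
        print(f"source '{name}' ({net}) is never reached: "
              f"'{by}' ({by_net}) matches first")
    print("suggested order:", [n for n, _ in suggest_order(WRONG)])
```

A check like this can run before the configuration is written, so a host entry placed below its covering range is flagged instead of silently inheriting the range's policy.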
                                • D Offline
                                  dvserg
                                  last edited by Jun 25, 2007, 2:27 PM

                                  I thank you for the good English text

                                  SquidGuardDoc EN  RU Tutorial
                                  Localization ru_PFSense

                                  1 Reply Last reply Reply Quote 0
                                  • D Offline
                                    dvserg
                                    last edited by Jun 26, 2007, 5:43 PM

                                    Uhhm
                                    Ready for testing
                                    You need to update these files from the site:
                                    'squidguard.inc'
                                    'squidguard_configurator.inc'
                                    'squidguard_src.xml'
                                    OR reinstall

                                    SquidGuardDoc EN  RU Tutorial
                                    Localization ru_PFSense

                                    1 Reply Last reply Reply Quote 0
                                    • D Offline
                                      dhipo
                                      last edited by Jun 27, 2007, 3:58 PM

                                      Is squidgaurd.xml not necessary ????

                                      Dhix Networks
                                      Everything Secure

                                      http://www.dhix.com.br

                                      1 Reply Last reply Reply Quote 0
                                      • D Offline
                                        dhipo
                                        last edited by Jun 27, 2007, 4:37 PM

                                        I did a test:
                                        if a source is deleted (e.g. ... source #0), for the other sources to become indexed it is necessary to open source #1 and move it to #0

                                        But moving the order is good ... and working ...

                                        Dhix Networks
                                        Everything Secure

                                        http://www.dhix.com.br

                                        1 Reply Last reply Reply Quote 0
                                        • D Offline
                                          dvserg
                                          last edited by Jun 27, 2007, 5:20 PM

                                          @dhipo:

                                          Is squidgaurd.xml not necessary ????

                                          I modified only these 3 files

                                          I did a test:
                                          if a source is deleted (e.g. ... source #0), for the other sources to become indexed it is necessary to open source #1 and move it to #0

                                          Either I am stupid, or my translator is ... what happens if all sources are deleted??? Please look at what is happening with 'squidguard.conf' at this moment. Broken or not?

                                          But moving the order is good ... and working ...

                                          The sources order in the GUI does correspond to the order in squidguard.cfg

                                          PS I test all bugs too, but I need more 'test statistics' to diagnose a BUG
                                          PS2 Thanks for your job  :)

                                          SquidGuardDoc EN  RU Tutorial
                                          Localization ru_PFSense

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.