Squidguard… problems and questions
-
pass !in-addr all < You Allowed ALL - nothing to block.
squidGuard supports white and black lists, so you should use the left checkboxes for selecting a 'rule' (from the blacklist or your own) and check the 'deny access' checkbox (on the right) to deny access for this rule.
In your situation, for full blocking you need to check 'Deny access' in the 'All' rule.

Sorry, I should have posted a screenshot - the .conf file I posted WAS the result of (I'm not in the office to make a screenshot, so here's a text picture):
[x] [blk_BL_adv] [x] deny
...
[x] [blk_BL_webtv] [x] deny
[x] Default access [all] [ ] deny
So let me rephrase my question: I thought that the following line from the .conf : "pass !in-addr all"
meant "pass all traffic EXCEPT what matches the categories I've checked off"
1 - if that's not what it means, what DOES it mean?
2 - what would a rule look like that DID mean what I want?
3 - what sequence of checkboxes would generate that rule?
4 - can I just ignore the GUI and edit the .conf directly - if I did, would my changes be overridden?

A little background - the main thing I'm trying to block is social-networking sites. The girls at the front desk have been spending all their time on MySpace, sometimes ignoring patients… but I do need them to have access to Google, WebMD, etc. I'd also like to block ads. So right now I have my own blacklist (myspace.com, facebook.com, adrevolver.com, etc.) loaded into the Squid access control page, and Squidguard is disabled until I can figure this out.
Once it's working, I'd also like to set:
times - I'm OK with MySpace after hours and at lunchtime
ACLs - the doctors' computers should have no restrictions except ads and spyware. (One of the doctors loves porn - what can I say?)

But those can wait until I actually get the Default rule working: to block forbidden traffic while passing legal traffic.
To clarify my understanding of Times:
What is the relation between Times and "uptime" and "overtime"?
Uptime - range of time defined by you. Uptime - all other time - outside of this range.
So I should ONLY define one Time - let's call it BusinessHours, 08:00-18:00 Monday-Friday. Any moment that falls inside of that Time - for example, 09:30 on Wednesday - is "uptime", and any moment that falls outside - like midnight on Thursday - is "overtime". Am I correct?
Can I define a Time - call it LunchTime - that falls inside of BusinessHours, when things are allowed that would otherwise be blocked?

Sorry to be so obtuse - I definitely appreciate the help.
Thanks!
-
I looked at the config and see that you have not configured your SG. For this scheme
[blk_BL_adv] [x] deny
[blk_BL_webtv] [x] deny
Default access [all] [ ] deny
you must have the config:
pass !in-addr !blk_BL_adv !blk_BL_webtv all
After you finish configuring your SG, you must press the APPLY button on the general page.
This generates a new config and starts squid & SG with the new options.
–-meant "pass all traffic EXCEPT what matches the categories I've checked off"
[blk_BL_webtv] [ ] deny ) - this will be a 'white list' -> the selected category will be allowed.

4 - can I just ignore the GUI and edit the .conf directly - if I did, would my changes be overridden?
Yes, you can, but a new GUI Apply will rewrite your config (to edit, use /usr/local/etc/squid/squidGuard.conf)
A little background - the main thing I'm trying to block is social-networking sites
I have the same problem. You can use your own Destination to block optional sites. For blocking banners and ads I use expressions 'ads|banner|banners|reclama …'.
Once it's working, I'd also like to set:
times - I'm OK with MySpace after hours and at lunchtime

Use this way:
- Default page –> Deny All (full blocking)
- Create Time
- Create an ACL with the time and define rules for what to do or not do in time and overtime
- ACLs are order-based. If you want to define an ACL 'For-All' and add 'VIP':
-- you must move the 'For-All' ACL to the last position (Source for example '10.0.0.0/24', your subnet)
-- move the 'VIP' ACL (Source for example '10.0.0.25') before the 'For-All' ACL
-- NOTE - you have Default '[x]All–-[x]deny'
–-
About Times:
You can add several items in one 'Time' rule. This gives any possible variant for your needs.
For example, you want to define a time for Monday-Friday 8:00-18:00, excluding LunchTime (12:00-13:00). This is possible with short ranges:
Type |Days|date|time
[weekly][mon]–-[08:00-12:00]
[weekly][mon]–-[13:00-18:00]
[weekly][tue ]–-[08:00-12:00]
[weekly][tue ]–-[13:00-18:00]
[weekly][wed]–-[08:00-12:00]
[weekly][wed]–-[13:00-18:00]
[weekly][thu ]–-[08:00-12:00]
[weekly][thu ]–-[13:00-18:00]
[weekly][fri ]–-[08:00-12:00]
[weekly][fri ]–-[13:00-18:00]

Everything included in these ranges is uptime, and anything else is overtime (excluded from the ranges).
PS Sorry for my English. I'm not a native speaker of this language.
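
An added example, not part of the original posts or of the squidGuard package: a small Python model of how a `pass` line like the ones quoted above is evaluated, combined with the Monday-Friday time ranges from the post. It assumes the list is read left to right and the first matching token decides; the `social` destination, the hostnames and the category contents are constructed for illustration.

```python
import ipaddress
from datetime import datetime, time

# Constructed category contents; real ones come from the uploaded blacklist.
CATEGORIES = {
    "blk_BL_adv": {"adrevolver.com"},
    "social": {"myspace.com", "facebook.com"},  # hypothetical self-defined destination
}

# 'Time' rule from the post: Mon-Fri 08:00-12:00 and 13:00-18:00 (lunch excluded).
WORKDAYS = range(0, 5)  # Monday=0 .. Friday=4
UPTIME = [(time(8, 0), time(12, 0)), (time(13, 0), time(18, 0))]


def in_uptime(when):
    """True if 'when' falls inside one of the weekly ranges, else it is overtime."""
    if when.weekday() not in WORKDAYS:
        return False
    return any(start <= when.time() < end for start, end in UPTIME)


def host_in(category, host):
    """Match the host or any parent domain against a category's domain list."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in CATEGORIES[category] for i in range(len(parts)))


def is_ip(host):
    """'in-addr' matches requests whose host is a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(pass_line, host):
    """Walk a 'pass' list left to right; the first matching token decides."""
    for token in pass_line.split()[1:]:
        negate, name = token.startswith("!"), token.lstrip("!")
        if name == "all":
            return "block" if negate else "pass"
        if name == "none":
            return "block"
        matched = is_ip(host) if name == "in-addr" else host_in(name, host)
        if matched:
            return "block" if negate else "pass"
    raise ValueError("pass list has no terminating all/none")


def decide(uptime_line, overtime_line, host, when):
    """Pick the uptime or overtime pass list for 'when', then evaluate it."""
    return evaluate(uptime_line if in_uptime(when) else overtime_line, host)
```

With `pass !in-addr all` only IP-address hosts are blocked, which is why the original config let every category through; a category blocks only once its `!name` token appears before `all`.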
-
I had for a long time similar problems with squidGuard like you. However, now it is working fine. My two cents:
- Go exactly through the http://diskatel.narod.ru/sgquick.htm help.
- Use the Shallalist
- Then deny access to all, just to test.
Now, if you browse the web, every page should be blocked.
If this does not work, go to the shell and type 'more /var/squid/log'
If you see some errors when loading the blacklist, like 'permission denied' or something you have to fix the permissions of the blacklist.
In order to do that I just typed ' chown -R proxy:proxy /var/squidGuard' (This tip comes from http://meadvillelibrary.org/os/filtering/squidGuard-install.html)
After that, everything worked fine.
+1
This helped a lot. I was having the same problem that nothing was being blocked. I tried reinstalling squidguard and not uploading any blacklist. I set it to deny all and sure enough it worked. I then uploaded the suggested blacklist and it would not block anything. I followed your advice and checked the log and there were permission problems. To fix mine though I also had to:
chown -R proxy:proxy /var/db/squidGuard
Now everything works perfectly.
-
I followed your advice and checked the log and there were permission problems. To fix mine though I also had to:
chown -R proxy:proxy /var/db/squidGuard
Now everything works perfectly.

Thanks, I am testing this problem.
-
I am not a programmer, but would like to help if I can. I have been using URLFilter <http://urlfilter.net> which I have running on IPCOP and looking to see how difficult it'd be to port over to pfsense. It is all CGI for the gui config interface. I can send screen shots if you don't have IPCOP and are interested in seeing what has been done for URLFilter. SquidGuard is an awesome pkg and addition to pfsense, just like to see it get better. URLFilter has some automated grabbing of the BlackLists db's and lets you choose the BlackList db you wish as well. The interface is pretty easy as well, however the pfsense SquidGuard pkg may have more capability.
BTW, where are the php files for SquidGuard config pages?
Thanks,
KH
-
I wanted rich-functional package. Easy interface in this situation non-functional :-[
-
Don't misunderstand me, I think the package is awesome. I'm almost ready to move it into production and replace IPCOP. URLFilter has configuration parameters to pull the blacklist daily, weekly or monthly and apply it. I have it running very late after hours so as not to disrupt anything. There is also a nice block page which shows client IP, site trying to connect to, and category which triggered the block.
Is there a way to do the above with this SquidGuard package?
Thank you,
KH
-
Okay, problem was with https. I now get a block page.
Still trying to figure out how to automatically grab new blacklist file. I can grab via cron, but what would be the commands to reconfigure just like if pressing upload button?
KH
-
Okay, problem was with https. I now get a block page.
Still trying to figure out how to automatically grab new blacklist file. I can grab via cron, but what would be the commands to reconfigure just like if pressing upload button?
KH

From the GUI - nothing.
You may use in your PHP script the
PHP function from squidGuard.inc
sg_reconfigure_blacklist($url, $proxy);
You can create a script and add it to cron.
…
require_once('squidguard.inc');
$url="URL";
sg_reconfigure_blacklist($url, '');
...
squid & squidGuard will restart automatically

There is also a nice block page which shows client IP, site trying to connect to, and category which triggered the block.
Is there a way to do the above with this SquidGuard package?

Possible in HTTP webgui & Redirect mode='Internal'
GUI HTTPS - known problem; it expects Redirect mode='External' with your own error page from an external www server.
Test:
http://youpfSense/sgerror.php?url=403%20No%20access&a=10.0.0.0&n=MyClient&i=clientUser&s=clientgroup&t=porno/sex&u=http://porno.ru&
-
I just did a clean pfSense install last night, and managed to get squidGuard running. However, this was very difficult. I had many of the same problems noted here.
It was VERY touchy. Often squidGuard would say STOPPED. The only way to make it say STARTED was to upload the blacklist again. Then, if I changed ANY setting, the filter would stop working.
For example: I uploaded the blacklist. Clicked Save. I changed default destination to:
```
!all
```
I changed squidGuard to:
```
!blk_BL_porn all
```
I clicked **Apply**. Now nothing was blocked. Porn and everything else was let through. I saw squid logging the website access. I saw no errors of any kind in the squidGuard or the squid logs. Very frustrating.

I checked permissions. I tried changing /var/squidGuard to proxy:proxy (chmod -R proxy:proxy /var/squidGuard). No help.

It was very slow downloading the blacklist over and over, so I fetched it to: /var/tmp/squidGuard/hold/shallalist.tar.gz and set that path for **Blacklist URL**. That way I could just click **Upload Url**, and the DB would be processed again.

Everything works ONLY when I perform the following steps:
1) Change filter settings.
2) **Apply**.
3) Click **Upload Url**.
4) Click **Apply**.

In other words, the filter stops working every time I change a squidGuard setting. It works again if I re-process the database. As I said, there were never any error messages, so there is nothing I can send from the logs.
-
I had similar problems to you. Did you also change permissions on "/var/db/squidGuard"? That is what finally fixed it for me.
See my previous post.
-
Thanks!
I fixed the bug with the '/var/db/squidGuard' rights in installation.
Pls test.
-
I have reinstalled pfSense yesterday and could thus test your fixes for the rights. Anything seems to be ok now.
Many thanks.
-
Is there a way to enable safe search?
-
What do you mean by “safe search”?
-
I have same problem, all is ok but nothing is filtered
-
Renew package (today updated) and try now.
-
I delete and reinstall ?
-
-
I talk about package ^^