Netgate Discussion Forum

    Squidguard Web Filter Issues

    • N
      Nachtfalke

      @coachs88:

      Okay, I am going to give this a go and see how things turn out.

      The one thing I am having a hard time wrapping my head around is this: if I want access blocked to all sites except a few, how am I to possibly write down every IP or domain that a user could access? Wouldn't I be working on the list all day since there are seemingly an infinite amount of websites out there?  ???

      Do not try to BLOCK all sites which you would not like to allow. Try it the other way:
      Just allow the sites you would like the users to access.
      This is exactly what my scenario above describes. The "default access" is what you describe as "all sites". This describes all sites for which you have no special rule.

      • C
        coachs88

        I am going to try this first thing in the morning. I will post an update as soon as I've had a chance to implement the changes.

        "You are merely a better target in the light."

        • C
          coachs88

          Before I implement this.. I thought that under the "Proxy Server" tab, I would leave the interface untouched because it technically applies to LAN and WAN, as it is supposed to block incoming and outgoing traffic. Am I wrong with this.. should I select only one?

          I am excited to try this new configuration. :)

          • N
            Nachtfalke

            Aehm…just apply it on your LAN interface(s).

            It makes no sense (for me) to use it on WAN interface because the firewall blocks by default everything from WAN.

            If you try to block google.com it would not make any sense to apply this on the WAN interface.

            So in short: In proxy server just use your LAN interface(s).

            • C
              coachs88

              Ah! That part makes perfect sense now.

              The last thing I am stuck on (at the moment) is in the proxy server settings.. I have no idea what port to make the proxy listen in on. Should it be the default 80 or 8080? Or something else? Also, it will not let me enter a valid log file directory. I am on a windows machine and it seems to be requesting a Linux based path. Is there a way around this?

              Thanks again for your expertise and kindness. I really appreciate it!  :D

              • N
                Nachtfalke

                Hi,

                If squid is running in "transparent mode" there is no need for you to enter a port (or better, it will not use the port you have entered). SQUID is automatically listening on port 80 because this is the only port SQUID can cache/log in transparent mode.

                If you are running squid in non-transparent mode, then you can choose nearly any port you like. The default squid port is 3128. In general there is no need to change this port.
                But if you are running squid in non-transparent mode, then you will have to enter the proxy server address on EVERY client machine.
                If you do not enter this IP in the client's browser, then the client will not use the proxy and will bypass it. This makes it absolutely necessary that you block all other connections not going directly to your squid. The only way for your LAN clients to go to the internet (www.google.com) must be this way:

                LAN-Client ---> Proxy (IP:port) ---> www.google.com

                It must not be:
                LAN-Client ---> www.google.com

                If your clients are running in an ActiveDirectory (AD) then you can push the proxy setting via GPO. If not, you have to do this by hand.

                Log-Path:
                The log path of squid is:
                /var/squid/logs
                on your pfSense machine. You cannot redirect these logs to a Windows machine (as far as I know) and it makes no sense. If you would like to have a look at the logs, just use the "lightsquid" package and you can analyze your squid logs from the pfSense webGUI.

                • C
                  coachs88

                  I finally was able to implement all the changes you suggested. I went to a client computer which was supposed to have limited access and it is still not working. I'm not sure if this is due to my little understanding of this proxy or what. I am at a loss of what to do at this point.  ???

                  The workstation is still able to access websites which are blocked by default. I am very confused.

                  • D
                    dvserg

                    Are you sure that your clients browse sites via the proxy?
                    Define the proxy directly in the client's browser and check access again.

                    SquidGuardDoc EN  RU Tutorial
                    Localization ru_PFSense

                    • C
                      coachs88

                      I guess I'm not sure, to be honest.

                      I wanted it set up so the users didn't have to do anything, such as type in a proxy address. Won't they have to do it every time they log in or something? The users at my job are NOT technically inclined AT ALL. I'm starting to feel as though I don't know enough to set this up.

                      What do I need to do to understand this properly? Is it even going to be possible to get this working at this point with my level of understanding?

                      • D
                        dvserg

                        @coachs88:

                        I guess I'm not sure, to be honest.

                        I wanted it set up so the users didn't have to do anything, such as type in a proxy address. Won't they have to do it every time they log in or something? The users at my job are NOT technically inclined AT ALL. I'm starting to feel as though I don't know enough to set this up.

                        What do I need to do to understand this properly? Is it even going to be possible to get this working at this point with my level of understanding?

                        Now the question is whether the filter is effective. Please do as I wrote above, and check how it works.

                        • C
                          coachs88

                          Okay.. I tried this but I'm still doing something wrong.

                          I'm not sure if I have the wrong proxy address or the wrong port.. I thought I entered the port I chose the proxy to listen to (3128) but that didn't work. Nor did port 8080 or 80. I must have the proxy address wrong. But if that isn't right I guess I don't know how else to find it.

                          Unless my proxy filter settings are somehow messed up?

                          I tried manually configuring the proxy in Mozilla Firefox.. and after I applied it no matter what site I chose, it wouldn't connect to any of them. At the bottom of the browser it just said "Connecting to ______.com" and then it would time out. :(

                          Sorry for being so inexperienced. I'm glad you folks are willing to push me in the right direction.

                          • D
                            dvserg

                            Is it possible to see a screenshot of the settings of your squid proxy? (pfSense - proxy's first page)

                            • C
                              coachs88

                              Certainly!

                              proxy1.png

                              • C
                                coachs88

                                Here's the second part.

                                proxy2(1).png

                                • N
                                  Nachtfalke

                                  You have to check "Allow users on interface" so that the clients on your LAN interface are able to use the proxy.

                                  Further, you have checked "transparent proxy". This is okay. In this case you do not have to enter any proxy setting in your client's browser.

                                  • C
                                    coachs88

                                    Okay. So now I have users allowed to interface and it is partially working.. but it is blocking all websites again, for all users. Not just the limited workstations.

                                    I followed all previous directions and thought this would get everything. I can tell it's going in the right direction so I must have proxy filter set up wrong somehow.. also, is there anything I need to do in the access control tab?

                                    If I attach more screen shots would you be able to tell me what I'm doing wrong?

                                    • N
                                      Nachtfalke

                                      You could post screens of Target categories, group acl and common acl.

                                      But I think, if all users get blocked, you have to go to "Common ACL" and check "allow" there for any target rules.

                                      1 Reply Last reply Reply Quote 0
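
Added example, not part of the original posts and not squidGuard's own code: a simplified Python model of how a per-group rule and the Common ACL (default) rule combine, reproducing both symptoms reported in this thread. The group name, IP range and domains are constructed, and treating an exhausted pass list as blocked is an assumption.

```python
import ipaddress

# Constructed policy: two limited workstations may reach only an allowlist;
# every other client falls through to the default rule (the Common ACL).
DESTS = {"allowed_sites": {"example.org", "intranet.example"}}  # hypothetical
SOURCES = [("limited", ["192.168.1.50/31"])]                    # hypothetical
ACLS = {
    "limited": ["allowed_sites", "none"],  # allow listed sites, block the rest
    "default": ["all"],                    # Common ACL: everything allowed
}

def in_dest(host, dest):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DESTS[dest])

def pick_acl(client_ip, sources=SOURCES):
    """First source group containing the client wins; otherwise 'default'."""
    ip = ipaddress.ip_address(client_ip)
    for name, nets in sources:
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return "default"

def decide(client_ip, host, acls=ACLS, sources=SOURCES):
    """Walk the pass list left to right; the first matching token decides."""
    for token in acls[pick_acl(client_ip, sources)]:
        if token == "all":
            return "allow"
        if token == "none":
            return "block"
        negate = token.startswith("!")
        if in_dest(host, token.lstrip("!")):
            return "block" if negate else "allow"
    return "block"  # assumption: an exhausted pass list is treated as blocked

if __name__ == "__main__":
    for ip, host in [("192.168.1.50", "www.example.org"),
                     ("192.168.1.51", "news.example"),
                     ("192.168.1.20", "news.example")]:
        print(ip, host, pick_acl(ip), decide(ip, host))
    # Symptom "all users blocked": the default rule denies everything.
    broken = dict(ACLS, default=["none"])
    print(decide("192.168.1.20", "example.org", acls=broken))
    # Symptom "limited workstation not limited": no source group matches it.
    print(decide("192.168.1.50", "news.example", sources=[]))
```
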
                                      • C
                                        coachs88

                                        Here you go. Hope these help.

                                        proxy3.png

                                        • C
                                          coachs88

                                          Group ACL

                                          proxy4.png

                                          • C
                                            coachs88

                                            Target categories

                                            proxy5.png