SquidGuard Package Help on 2.3.1
-
I have an SG-2440 freshly updated to 2.3.1 from 2.2.x. I never installed Squid or SquidGuard on 2.2.x, so this is new for 2.3.1. for me. I've installed the SquidGuard package and configured it to block a domain, but when I start it it just stops immediately. My question is, do I have to also install the Squid Package to make this work? I don't need caching or anything like that, I just want to block some domains from certain hosts. What's the cleanest way to do this?
Thanks!
-
squidGuard is a helper application that gets called by squid for every URL being parsed, so yes you do need squid for squidGuard to work. Domain blocking can be done many ways, like squid blacklists, squidGuard, pfBlockerNG, DNS overrides, host files on the client…
-
Thanks. I did notice that squid does get installed when I install the SquidGuard package, but it doesn't appear in the GUI. Perhaps that's a bug?
I'll try it again by installing squid first this time. I was also under the impression that pfBlockerNG only blocked by Country or IP not domain name. I'll have to give that a try also.When setting up squid if I only really need the SquidGuard domain blocking features, how should I set it up to that it doesn't waste disk space with caching? Or, is that a requirement?
-
but it doesn't appear in the GUI. Perhaps that's a bug?
I've never installed in that order so I don't know. In the GUI, look under Services - Squid Proxy Server.
how should I set it up to that it doesn't waste disk space with caching? Or, is that a requirement?
In squid settings, set your Hard Disk Cache Size to 0 or 1 (whichever is smallest that it will accept), and set the Hard Disk Cache System to null.
-
Thanks! It looks like it's working now.
One question though…
Is there a way to enable transparent proxy only for certain hosts or IPs and not an entire subnet? -
Thanks! It looks like it's working now.
One question though…
Is there a way to enable transparent proxy only for certain hosts or IPs and not an entire subnet?Yes, just read the options described in the Proxy GUI. There is one for source and one for destination IPs:
"Bypass Proxy for These Source IPs". So just enter the IPs which should bypass the Proxy.One thing to add to pfblockerNG. In the first versions it was just to block IPs from countries and so on. But there was a feature improvement which ist called "DNSBL". With this option you can add lists which contain domains. So when a client in your network asks for the IP of a domain in this list the client gets back a "fake IP" and so the request will not rechts its destination. The request will be redirected to a webserver running on pfsense which helps you to log the requests and to analyze which client wanted to connect to a blocked domain.
So from its functionality it is equal in some parts with squid / squidguard. But with squidguard you have some more options. DNSBL can only block an entire domain. with squid / squidguard you can block a specific URL. So you can allow e.g. www.google.com but block www.google.com/ads/ for example. DNSBL can only block the entire domain.
But on the other site with DNSBL you do not have to worry about Certificats on the clients, you don't have to worry about if the client is capable of using a proxy or if all applications are working with proxy. With DNSBL you only have to make sure that the client uses the pfsense DNS and not some public DNS like googl's 8.8.8.8.
So there are pros and cons.
PS:
squid: set the hard disk size to 0 and this will disable Hard disk caching. Disabling RAM caching is not possible but you can set the amount of RAM and the file size to values which make it impossible to cache something or at least don't cache too much.Regards
-
Yes, just read the options described in the Proxy GUI. There is one for source and one for destination IPs:
"Bypass Proxy for These Source IPs". So just enter the IPs which should bypass the Proxy.Thanks. I did notice that option, but I didn't see anything there I could say "Proxy only these IP and nothing else". The way it currently is, I'd have to enter many IPs as I only want to proxy about 3 IPs right now. Is there a way to do it the way I need it?
Thanks for the info about pfBlockerNG. I ended up looking into and and seeing that you need to use the pfsense DNS server which doesn't work in my case, so that option was out. :)
–Steve
-
Is there a way to enable transparent proxy only for certain hosts or IPs and not an entire subnet?
I don't use transparent mode due to the hassles with HTTPS and client certificates. I use a combination of explicit mode, WPAD and firewall rules.
-
You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".
Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser. -
You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".
Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.I don't see how I can make an alias with some excluded IPs. For example, my LAN subnet is 192.168.1.0/24 and I only want to proxy 192.168.1.53, 192.168.1.72, and 192.168.1.83. It looks like when I go to make an alias it doesn't allow exclusions for IPs. Am I missing something? :)
Also, I was originally going to use the non-transparent proxy, but my devices that I'm trying to block things on, don't support proxy configurations, so I was forced to go the transparent route. ::)
-
I don't see how I can make an alias with some excluded IPs.
Firewall - Aliases - IP - +.
Name: Proxy Clients
Description: Blah
Type: Host(s)
Hosts: add your IP addresses here, click + for each new host, Save to save.but my devices that I'm trying to block things on, don't support proxy configurations
What device is this we're talking about?
-
@KOM:
Firewall - Aliases - I****P - +.
Name: Proxy Clients
Description: Blah
Type: Host(s)
Hosts: add your IP addresses here, click + for each new host, Save to save.The problem is when I go over to Services -> Squid Proxy Server -> Transparent Proxy Settings -> Bypass Proxy for These Source IPs, I don't see a way to make it work. If I put in my alias there, then it would only bypass the proxy for my 3 IP addresses. I want to do the opposite. I'm not sure how to negate the Alias if there is a way. (I have a feeling I'm missing something obvious that you are trying to point me to. :-\ :o ) Is there a way to negate the Alias?
What device is this we're talking about?
So far I'm trying to do some blocking on some Roku devices and Android cell phones. (I know the cell phones support proxy configs, but the Roku devices don't unfortunately.)
-
Oh, OK. I misunderstood what you wanted.
This would be so much easier with explicit proxy. Use firewall rules to block TCP access via 80/443. Configure WPAD to help devices auto-detect the proxy. Add a rule above your 80/443 block rule to allow devices like the Roku to go straight out. Done.
-
That's not quite what I wanted. :)
It's the 3 Roku's that I want to be transparently proxied and nothing else.Let's say that I have an Alias containing the 3 Rokus called "Rokus". I haven't put any firewall rules related to the proxy. Are you saying that I can have an allow rule for "NOT Rokus" allowing those IPs out and just block the "Rokus" alias on TCP 80/443 and it will just work?
I guess I'm not understanding how the transparent proxy is tied into the firewall rules. I thought If I had a rule allowing a host to go out from the LAN, then the transparent proxy would just "transparently" work and if I deny a host, then the proxy would just not work because the host is blocked.
-
You can create an alias which includes your complete Subnet instead of the three hosts you want to use the proxy. Then add this alias to "bypass source IPs".
Or you switch to the non-transparent proxy like KOM said. Just enable the proxy and only configure the proxy for the specific clients.
All other clients on the subnet will not know about the proxy and so will not use it. As long as you have configured the correct firewall rules the clients which should bypass the proxy will bypass it until they manually configure it in their browser.I don't see how I can make an alias with some excluded IPs. For example, my LAN subnet is 192.168.1.0/24 and I only want to proxy 192.168.1.53, 192.168.1.72, and 192.168.1.83. It looks like when I go to make an alias it doesn't allow exclusions for IPs. Am I missing something? :)
Also, I was originally going to use the non-transparent proxy, but my devices that I'm trying to block things on, don't support proxy configurations, so I was forced to go the transparent route. ::)
I don't know if you are thinking to complicated or if I am missing something.
You want all clients of subnet 192.168.1.0/24 to NOT use the proxy but only these three IPs: 192.168.1.53 , .72 and .83So what I did I created an Alias which includes all IPs of the subnet BUT not the three single IPs.
To make it more clear for you I added a screenshot.Regards
-
Thank you! I see now. I didn't even think about doing it that way. I was picturing some kind of alias that has an exclusion of 3 IPs instead of the inclusion of multiple ranges.
Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that? :D
-
(…)
Not that I need to do this, but what if I wanted to proxy based on the 3 DNS host names instead of the IPs. Do you have a cool way to do that? :DIf you know the FQDN of all other clients, then just put these clients into the alias. But to be honest. Because you can do it it is not always the best way to do this. In the thread there are mentioned other possibilities like WPAD and so on.
Other ways are to configure DHCP with static entries so that the three clients will always get the same IP address. This will make things easier.
Good luck!
