Blocking access to all unneeded sites - a firewall or Squidguard?

  • Please help me to solve this problem:
    Workers in our office should have access only to 10-12 sites (for work);
    an ACL of these DNS domains can easily be written.
    However, some workers should have access to all sites, by personal password.
    The access control cannot be done by IP addresses,
    only by login/password, because the computers are really not that "personal".

    What is the right way to do it:
    1.  Set up transparent squid+squidguard, and a PPPoE (or PPTP) server.
    Users without auth will have limited access,
    users with auth will have full access.
    Is it possible to set up a transparent proxy
    which will not intercept traffic from PPPoE (or PPTP) users?

    2. Set up firewall rules for these sites, and a PPPoE (or PPTP) server.
    The rules will be safer, because they will block not only HTTP to unneeded sites, but
    will block all protocols.
    However, there can be problems if some sites' IP addresses change;
    I would always have to correct the rules in this case.
    AFAIK, it is possible to define different sets of rules
    for NAT and PPPoE (or PPTP) connections (users)?

    Is there a better way to do this site-blocking?

  • Firewall: can block all sites by default, except some sites; does not support user auth.

    Squid: allows all sites by default, blocks some specified sites; supports user auth. The transparent proxy only takes effect on port 80.

    SquidGuard: allows you to block any sites except some sites; does not support user auth.

    I think you should use a Captive Portal (auth via MAC address / users) + Squid + SquidGuard.

    Good luck

  • Thanks for the answer, but I still can't set up what I need.
    I'd like to have the following:

    • access allowed from all computers to "good sites" without authentication

    • access denied from all computers to "bad sites" (using a transparent squid proxy)

    • access allowed from a computer when "the chief" authenticates by one of these methods:

      • temporarily configures a Web browser to use the proxy; it asks for login/password,
        and after auth he has access to ALL sites.
        Does squid support combining transparent and non-transparent modes?

      • connects to pfSense using PPPoE or PPTP with his login/password,
        and has access to ALL sites.
        Is a Squid configuration possible that does not intercept connections from the PPPoE/PPTP services,
        or intercepts them but does not filter them?

    AFAIK a "Captive portal" cannot help me in this case.

  • I personally suggest firewall and squid for this situation. I have this kind of setup, wherein casual internet users are filtered by squid ACL and "boss" IP addresses are whitelisted so that they have full internet access. It is also desirable to have a MAC-to-IP mapping so that users cannot easily bypass your squid rule by setting/guessing static IPs that are whitelisted in the squid ACL.

  • The same question, with additions.

    Is there a way to use the transparent proxy with a blacklist
    not for all users of my office network?
    For example, the chief and some managers have access to all sites,
    but the others have a blacklist of sites.

    Also, is there a way for this blacklist to be time-specific,
    for example, during lunch time (13:00-14:00) all users
    can visit all sites (let them have fun instead of lunch if they want)?

    The problem is that the managers don't have their own PCs;
    they use PCs shared with other users.

    Can a VPN service solve this problem?
    For example, my users could work without VPN and get the blacklist,
    but the managers can log in to this VPN and work without blacklists...?
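One way to cover the questions in the posts above in a single squid.conf: an explicit-proxy port where the chief/managers can log in, a second port that pfSense redirects intercepted port-80 traffic to, a whitelist of work sites for everyone, a lunch-hour window, and a bypass for the VPN address pool. This is an added example, not a configuration from any poster on this thread. The file paths, the LAN subnet 10.0.0.0/24, the PPPoE/PPTP pool 10.8.0.0/24 and the port names are assumptions for illustration.

```squid
# Added example (not from the thread). Assumed: LAN 10.0.0.0/24,
# VPN pool 10.8.0.0/24, whitelist file /etc/squid/work_sites.txt
# (one entry per line, e.g. ".example.com"), passwd file for managers.

# Port for browsers configured to use the proxy explicitly.
# Proxy authentication only works here: an intercepted client never
# sends Proxy-Authorization, so Squid cannot challenge it for a password.
http_port 3128 name=explicit

# Port the pfSense NAT rule redirects LAN port-80 traffic to.
# Only port 80 is intercepted; HTTPS and other protocols must be
# blocked at the firewall for LAN hosts, as the first post points out.
http_port 3129 intercept name=intercepted

# Basic auth against a password file; only the chief/managers get accounts.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Full internet access
auth_param basic credentialsttl 2 hours

acl lan            src 10.0.0.0/24
acl vpn_users      src 10.8.0.0/24           # PPPoE/PPTP pool (assumed)
acl explicit_port  myportname explicit
acl work_sites     dstdomain "/etc/squid/work_sites.txt"
acl lunch          time MTWHF 13:00-14:00    # everyone may browse at lunch
acl authed         proxy_auth REQUIRED
acl safe_ports     port 80 443
acl CONNECT        method CONNECT

http_access deny !safe_ports
# VPN users get everything, no login, whichever port they arrive on.
http_access allow vpn_users
# Everyone may reach the work sites without logging in.
http_access allow lan work_sites
# Lunch hour: everyone may browse anything.
http_access allow lan lunch
# On the explicit port only, people who can log in get everything.
# explicit_port comes before authed so intercepted clients never get a
# 407 challenge they cannot answer.
http_access allow lan explicit_port authed
# Everything else, including intercepted traffic to non-work sites, is denied.
http_access deny all
```

Two points that follow from this layout: the "do not intercept VPN users" question is answered on the pfSense side rather than in Squid, because the port-80 redirect is a NAT rule bound to the LAN interface, so simply not creating the same rule on the PPPoE/PPTP interface leaves VPN traffic uninterecepted (the `vpn_users` line covers the case where it is redirected anyway). And because interception sees only port 80, the whitelist is only as strong as the firewall rules that block outbound 443 and other ports for LAN hosts; without those, the blacklist is trivially bypassed over HTTPS.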

  • @smbsmb

    God, am I happy I don't work for you.
