Netgate Discussion Forum
    Blocking access to all unneeded sites - a firewall or Squidguard?

Firewalling

smbsmb

Please help me to solve this problem:
Workers in our office should have access only to 10-12 sites (for work);
their ACL of these DNS domains can easily be written.
However, some workers should have access to all sites, by personal password.
The access control cannot be done by IP addresses,
only by login/passwords, because the computers are really not so "personal".

      What is the right way to do it:
      1.  To setup transparent squid+squidguard, and PPPoE(or PPTP) server.
      Users without auth will have limited access,
      users with auth - will have full access.
      Is it possible to setup a transparent proxy,
      which will not intercept traffic from PPPoE(or PPTP) users?

2. To set up firewall rules for these sites, and a PPPoE (or PPTP) server.
The rules will be safer, because they will block not only HTTP to unneeded sites, but
will block all protocols.
However, there can be problems if some site's IP addresses change:
I should always correct the rules in this case.
AFAIK, it is possible to define different sets of rules
for NAT and PPPoE (or PPTP) connections (users)?

Is there a better way to do this site-blocking?

rocky

Firewall: can block all sites by default, except some sites; does not support user auth.

Squid: allows all sites by default, blocks some specified sites; supports user auth. The transparent proxy only has effect on port 80.

SquidGuard: allows you to block any sites except some sites; does not support user auth.

I think you should use Captive Portal (auth. via MAC address / users + Squid + SquidGuard):

Good luck

smbsmb

Thanks for the answer, but I still can't set up what I need.
I'd like to have the following:

          • access allowed from all computers to "good sites" without authentication

          • access denied from all computers to "bad sites" (using transparent squid proxy)

• access allowed from a computer, when "the chief" authenticates by one of the methods:

  • temporarily configures a Web browser to use a proxy; it asks for login/password,
    after auth he has access to ALL sites.
    Does squid support combining transparent and non-transparent modes?

  • connects to pfSense using PPPoE or PPTP by his login/password,
    and has access to ALL sites.
    Is the Squid configuration possible, to not intercept connections from PPPoE/PPTP services,
    or to intercept, but not to filter them?

AFAIK "Captive portal" cannot help me in this case.

jtpagaran

I personally suggest firewall and squid for this situation. I have this kind of set up wherein casual internet users are filtered by squid ACL and whitelisted "boss" IP addresses so that they have full internet access. It is also desirable to have a MAC to IP mapping so that users cannot easily bypass your squid rule by setting/guessing static IPs that are whitelisted in the squid ACL.

            Cheers.

smbsmb

              The same question, with additions.

Is there a way to use the transparent proxy with a blacklist
not for all users of my office network?
For example, a chief and some managers have access to all sites,
but others have the blacklist of sites.

Also, is there a way for this blacklist to be time-specific,
for example during lunch time (13:00-14:00) all users
can visit all sites (let them have fun instead of lunch if they want)? :)

The problem is that the managers don't have their personal PCs;
they use PCs shared with other users.

Can a VPN service solve this problem?
For example, my users could work without VPN and get the blacklist,
but the managers can log in to this VPN and work without blacklists...?

phospher
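The following squid.conf fragment is an added example, not configuration posted in this thread or shipped by Netgate, showing how the pieces rocky lists (Squid user auth, transparent proxying limited to port 80) and the questions in smbsmb's follow-ups (transparent and explicit modes on one Squid, a lunch-time window, VPN users exempt from filtering) fit together in one ACL policy. Port numbers, file paths, the VPN client subnet and the time window are assumptions. The one hard constraint is that Squid cannot authenticate intercepted requests: a browser that does not know it is talking to a proxy never sends a Proxy-Authorization header, so password-based full access only works on the explicit port (the chief's "configure the browser" method) or by exempting the source subnet that the VPN hands out.

```conf
# Added example: Squid ACL policy for a "whitelist by default" office proxy.
# Not from the thread; paths, ports, subnets and times are assumed.

# Explicit port: browsers configured to use the proxy. Only here can proxy_auth work.
http_port 3128 name=explicit
# Intercept port: pfSense NAT redirect sends LAN port-80 traffic here. No auth possible.
http_port 3129 intercept name=transparent

# Work sites, one dstdomain per line (assumed path, e.g. ".example-supplier.com").
acl goodsites dstdomain "/usr/local/etc/squid/goodsites.txt"

# Lunch window (assumed 13:00-14:00, Monday to Friday) when everything is allowed.
acl lunch time MTWHF 13:00-14:00

# Requests that arrived on the intercept port (matched by the name= above).
acl intercepted myportname transparent

# VPN client pool (assumed). If the pfSense redirect rule is scoped to the LAN
# interface these never reach the intercept port; this keeps them unfiltered
# even if they do.
acl vpn_clients src 192.168.200.0/24

# Password-based full access for managers (assumed NCSA htpasswd file).
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic realm Full internet access
auth_param basic credentialsttl 2 hours
acl authed proxy_auth REQUIRED

# Policy is evaluated top to bottom; first match wins.
http_access allow goodsites       # work sites: always, for everyone, no login
http_access allow lunch           # lunch window: everything for everyone
http_access allow vpn_clients     # VPN users: unfiltered
http_access deny intercepted      # intercepted traffic cannot log in: stop here
http_access allow authed          # explicit-proxy users who authenticated
http_access deny all              # unauthenticated explicit users get a 407 challenge
```

Two consequences worth checking before relying on this: the intercept path only covers plain HTTP, so other protocols to non-whitelisted hosts still need firewall rules (the approach jtpagaran describes), and because access is tied to a shared PC's browser proxy setting plus a login rather than to its IP, the manager's session ends when the credentials TTL expires or the browser proxy setting is removed, which is the behaviour smbsmb wants on shared machines.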

                @smbsmb

                god am i happy i don't work for you.
