Netgate Discussion Forum

    Why select "allow" rather than "---" in squidguard ACLs?

      sanjoy

      This seems like a newbie question because it is from one! It's about ignoring, allowing, denying or whitelisting ACLs in squidguard.

      I checked the documentation at https://doc.pfsense.org/index.php/SquidGuard_package#Basic_configuration which says:

      Select ---, to ignore a category.
      Select allow, to allow this category for clients.
      Select deny, to deny this category for clients.
      Select white, to allow this category without any restrictions. This option is used for exceptions to prohibited categories.

      While searching this forum, I also found a very informative link http://diskatel.narod.ru/sgquick.htm. It is dead now but an old snapshot can be seen at https://web.archive.org/web/20130307065712/http://diskatel.narod.ru/sgquick.htm. This page says:

      Select ‘deny’ or ‘allow’ for enabling/disabling access to you sites. If leaving ‘---’, then access to this (and other all) sites will be by ‘Default access’ rule settings.

      Further down below, it adds:

      Each rule item (exclude last) can be set as:
      ‘---’ – rule item not used for this ACL,
      ‘allow’ – access allowed, exclude filtered by ‘deny’ rules,
      ‘white’ – whitelist, access have hi priority (before the ‘deny’ rules too); used if need unlock access to url, blocked in ‘deny’ rules.
      ‘deny’ – access blocked for this item.

      From the above information, I can understand that we can use "---" to just ignore the items, "deny" to block items and "white" to always allow items even if they appear in one of the "deny" categories.

      The "allow" option is supposed to allow access if not blocked by a "deny" option elsewhere. Please clarify why we can't just leave it at the default "---" instead of being required to change it to "allow". By leaving it at "---" the rule will be ignored at that point and will be allowed anyway if the last (default) rule is "allow".

      So my question is: when do we actually need to set items to "allow" because leaving it as "---" will not serve the purpose? What am I missing? An illustrative example would be appreciated.

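An added illustration, not part of the original post and not squidGuard or pfSense code: a small model of the precedence the quoted text describes, assuming rule items are evaluated as white, then deny, then allow, then the "Default access" item. The category names and the `decide` and `pass_line` helpers are hypothetical; `pass_line` renders the model as a squidGuard-style `pass` directive, assuming that ordering.

```python
# Model of the ACL precedence described in the quoted text (assumed order:
# white -> deny -> allow -> 'Default access'). Category names are constructed.

PRIORITY = {"white": 0, "deny": 1, "allow": 2}  # '---' is simply not listed


def decide(url_categories, acl, default_access):
    """Return 'allow' or 'deny' for a URL found in url_categories.

    acl maps category -> 'white' | 'deny' | 'allow' | '---'.
    default_access is the last rule item: 'allow' or 'deny'.
    """
    settings = {acl.get(cat, "---") for cat in url_categories}
    if "white" in settings:      # whitelist wins even over 'deny'
        return "allow"
    if "deny" in settings:       # 'deny' filters out anything merely allowed
        return "deny"
    if "allow" in settings:      # explicit allow, decided before the default
        return "allow"
    return default_access        # '---' everywhere: the default decides


def pass_line(acl, default_access):
    """Render the ACL as a squidGuard-style 'pass' directive (assumed layout)."""
    used = sorted((c for c in acl if acl[c] in PRIORITY),
                  key=lambda c: (PRIORITY[acl[c]], c))
    terms = ["!" + c if acl[c] == "deny" else c for c in used]
    terms.append("all" if default_access == "allow" else "none")
    return "pass " + " ".join(terms)


def compare_allow_vs_ignore(default_access):
    """Verdict for a 'news' URL when 'news' is set to 'allow' versus '---'."""
    base = {"ads": "deny", "intranet": "white"}
    with_allow = decide({"news"}, {**base, "news": "allow"}, default_access)
    with_ignore = decide({"news"}, {**base, "news": "---"}, default_access)
    return with_allow, with_ignore


if __name__ == "__main__":
    for default in ("allow", "deny"):
        print("Default access =", default, "->", compare_allow_vs_ignore(default))
    print(pass_line({"news": "allow", "ads": "deny", "social": "---",
                     "intranet": "white"}, "deny"))
```

Under this model the two settings give the same verdict when Default access is allow and different verdicts when it is deny, where only categories set to allow or white get through.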