Why select "allow" rather than "---" in squidguard ACLs?



  • This seems like a newbie question because it is from one! It's about ignoring, allowing, denying or whitelisting ACLs in squidguard.

    I checked the documentation at https://doc.pfsense.org/index.php/SquidGuard_package#Basic_configuration which says:

    Select ---, to ignore a category.
    Select allow, to allow this category for clients.
    Select deny, to deny this category for clients.
    Select white, to allow this category without any restrictions. This option is used for exceptions to prohibited categories.

    While searching this forum, I also found a very informative link http://diskatel.narod.ru/sgquick.htm. It is dead now but an old snapshot can be seen at https://web.archive.org/web/20130307065712/http://diskatel.narod.ru/sgquick.htm. This page says:

    Select 'deny' or 'allow' for enabling/disabling access to your sites. If leaving '---', then access to this (and all other) sites will be by 'Default access' rule settings.

    Further down below, it adds:

    Each rule item (except the last) can be set as:
    '---' – rule item not used for this ACL,
    'allow' – access allowed, except where filtered by 'deny' rules,
    'white' – whitelist, access has high priority (before the 'deny' rules too); used if you need to unlock access to a URL blocked in 'deny' rules,
    'deny' – access blocked for this item.

    From the above information, I can understand that we can use "---" to just ignore the items, "deny" to block items and "white" to always allow items even if they appear in one of the "deny" categories.

    The "allow" option is supposed to allow access if not blocked by a "deny" option elsewhere. Please clarify why we can't just leave it at the default "---" instead of having to change it to "allow". By leaving it at "---" the rule will be ignored at that point and the item will be allowed anyway if the last (default) rule is "allow".

    So my question is when do we actually need to set items to "allow" because leaving them as "---" will not serve the purpose. What am I missing? An illustrative example would be appreciated.


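The following is an added example, not part of the forum post above and not code from the pfSense or squidGuard projects. It models how squidGuard evaluates an ACL's `pass` line (entries are read left to right, the first entry matching the requested host decides; a bare category allows, `!category` blocks, `all` allows everything, `none` blocks everything) and uses that model to show when the GUI's "allow" and "---" produce different results. The mapping of the GUI actions onto the generated line (white first, then deny, then allow, then the default access rule) is an assumption about what pfSense writes into squidGuard.conf; the category names and their contents are constructed for the example.

```python
# Added example: a model of squidGuard "pass" evaluation, used to compare the
# pfSense GUI actions "allow" and "---".  Not code from pfSense or squidGuard.
#
# The ordering of GUI actions in the generated pass line (white, deny, allow,
# default) is an ASSUMPTION; check the squidGuard.conf pfSense generates.

# Constructed sample blacklists; the category names are hypothetical.
CATEGORIES = {
    "social": {"facebook.com", "twitter.com"},
    "news": {"bbc.co.uk", "facebook.com"},       # facebook.com is in two lists
    "work": {"intranet.example", "bbc.co.uk"},
}

# Assumed position of each GUI action in the generated pass line.
ORDER = {"white": 0, "deny": 1, "allow": 2, "---": 3}


def build_pass(actions, default):
    """Turn GUI selections into a squidGuard pass list.

    actions: {category: '---' | 'allow' | 'deny' | 'white'}
    default: 'all' (default access = allow) or 'none' (default access = deny)
    """
    entries = []
    # sorted() is stable, so categories with the same action keep their order
    for cat, act in sorted(actions.items(), key=lambda kv: ORDER[kv[1]]):
        if act == "---":
            continue                      # ignored: emits nothing at all
        entries.append("!" + cat if act == "deny" else cat)
    entries.append(default)               # the last (default) rule
    return entries


def evaluate(pass_entries, host):
    """First-match evaluation of a pass list for one requested host."""
    for entry in pass_entries:
        if entry == "all":
            return "allow"
        if entry == "none":
            return "deny"
        blocked = entry.startswith("!")
        if host in CATEGORIES[entry.lstrip("!")]:
            return "deny" if blocked else "allow"
    return "deny"   # a pass line exhausted without a match is a block


def decide(actions, default, host):
    """GUI selections + default access rule -> verdict for one host."""
    return evaluate(build_pass(actions, default), host)


if __name__ == "__main__":
    # With default access "none", "allow" is what lets a category through;
    # "---" leaves it to the default and the host is blocked.
    gui = {"social": "deny", "work": "allow", "news": "---"}
    print(build_pass(gui, "none"), decide(gui, "none", "intranet.example"))  # allow
    gui["work"] = "---"
    print(build_pass(gui, "none"), decide(gui, "none", "intranet.example"))  # deny
    # With default access "all", "---" and "allow" agree for a host that is
    # in no denied category.
    print(decide(gui, "all", "intranet.example"))                            # allow
    # "allow" cannot override a deny (it sits after the "!" entries); "white" can.
    gui = {"social": "deny", "news": "allow"}
    print(decide(gui, "all", "facebook.com"))                                # deny
    gui["news"] = "white"
    print(decide(gui, "all", "facebook.com"))                                # allow
```

The point the model makes: with the default access rule set to "all", a category left at "---" and one set to "allow" behave the same unless a "deny" catches the host first; with the default set to "none", only "allow" (or "white") lets the category through, because "---" emits nothing and the request falls to the blocking default.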