Problem with Squidguard ACL's



  • I have set up Squid as a transparent proxy with several unrestricted static IPs for managers etc.

    Squidguard is set up using http://squidguard.mesd.k12.or.us/blacklists.tgz as the blacklist.

    Default destination is Deny All with permitted Whitelist Destination for work related websites.

    Redirect mode = Int Error page

    I have an ACL in place that should activate between 1pm and 3pm to allow users access to things like Facebook and other social websites. In this I have the Whitelists Hosts allowed, blacklist hosts allowed (Facebook etc), default access [all] is allowed.

    Redirect mode = Int Error page

    I'm struggling to get this to work. I always get redirected to the specific error page for everything, except the whitelist hosts…

    Any ideas what I may be doing wrong?


    OK, I've been looking a bit more into this... this is what I found.

    Let's assume a simple ACL of Whitelist and Blacklist.

    Times
    12pm-8am After Hours
    8am - 13pm Office Hours
    13pm-14pm Lunch
    14pm-17pm Office Hours
    17pm-23:59pm After Hours

    I previously had 3 ACLs with the Blacklist set to allow, to give users access to Facebook during lunch time and after hours.
    The default ACL was set to deny the Blacklist.

    I assumed that the default ACL would be used when the TIME ACL was not being used, therefore blocking users from accessing Facebook during the working hours. I found that I had to include a time-based ACL for the office working hours too, with the blacklist set to deny, for this to work properly.

    Am I going about this the correct way? Should the default not be used when the afterhours/lunch ACL duration does not apply?

    Thanks



  • Let's try the following

    • If you use ACLs: set Default page: Default access [all] = deny, and forget about this page forever. You must use ACLs only.
    • Time ranges must have the format lower-high: 08:00-12:00, 00:00-11:00.
      Not valid: 23:00-8:00; it must be 2 ranges, 00:00-8:00 and 23:00-23:59 (or 24:00 - check this pls)
    • Also pls look here: http://diskatel.narod.ru/sgquick.htm


  • @dvserg:

    Let's try the following

    • If you use ACLs: set Default page: Default access [all] = deny, and forget about this page forever. You must use ACLs only.
    • Time ranges must have the format lower-high: 08:00-12:00, 00:00-11:00.
      Not valid: 23:00-8:00; it must be 2 ranges, 00:00-8:00 and 23:00-23:59 (or 24:00 - check this pls)
    • Also pls look here: http://diskatel.narod.ru/sgquick.htm

    Under the TIMES tab my 5 entries are not in order from lower to higher; however, under the Destinations tab, those ACLs are specified lower to higher according to the time. Will this affect the rules, or does the order of the TIME tab entries not matter?

    Ran some testing and currently it doesn't work. When testing a deny rule, only the top Destination ACL works. It is 3pm now and when I tested the application it used the 12-13pm rule.



  • Is it possible to view your SG conf file?



  • Here it is ….

    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================

    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard

    # Midnight to start of work 00:00 - 08:29
    time Session_1 {
            weekly * 00:00-08:29
    }

    # Morning to Lunch 08:30 - 13:00
    time Session_2 {
            weekly * 08:30-13:00
    }

    # Lunch Full Access 13:01 - 13:45
    time Session_3 {
            weekly * 13:01-13:45
    }

    # End of Lunch to End of work day 13:46 - 16:30
    time Session_4 {
            weekly * 13:46-16:30
    }

    # After Hours 16:31 - 23:59
    time Session_5 {
            weekly * 16:31-23:59
    }

    # ACL1 => Session 1 => Full Access to Restricted content => 00:00 - 8:30am
    src ACL_1 {
            ip     192.168.57.0/24
    }

    # ACL2 => Session 2 => Restricted Access, Whitelist Only => 8:31am - 13:00pm
    src ACL_2 {
            ip     192.168.57.0/24
    }

    # ACL3 => Session 3 => Full Access to Restricted content => 13:01pm - 13:45pm
    src ACL_3 {
            ip     192.168.57.0/24
    }

    # ACL4 => Session 4 => Restricted Access, Whitelist Only => 13:46pm - 16:30pm
    src ACL_4 {
            ip     192.168.57.0/24
    }

    # ACL5 => Session 5 => Full Access to Restricted content => 16:31pm - 23:59pm
    src ACL_5 {
            ip     192.168.57.0/24
    }

    dest blk_blacklists_ads {
            domainlist blk_blacklists_ads/domains
            urllist blk_blacklists_ads/urls
            log block.log
    }

    dest blk_blacklists_aggressive {
            domainlist blk_blacklists_aggressive/domains
            urllist blk_blacklists_aggressive/urls
            log block.log
    }

    dest blk_blacklists_audio-video {
            domainlist blk_blacklists_audio-video/domains
            urllist blk_blacklists_audio-video/urls
            log block.log
    }

    dest blk_blacklists_drugs {
            domainlist blk_blacklists_drugs/domains
            urllist blk_blacklists_drugs/urls
            log block.log
    }

    dest blk_blacklists_gambling {
            domainlist blk_blacklists_gambling/domains
            urllist blk_blacklists_gambling/urls
            log block.log
    }

    dest blk_blacklists_hacking {
            domainlist blk_blacklists_hacking/domains
            urllist blk_blacklists_hacking/urls
            log block.log
    }

    dest blk_blacklists_mail {
            domainlist blk_blacklists_mail/domains
            log block.log
    }

    dest blk_blacklists_porn {
            domainlist blk_blacklists_porn/domains
            urllist blk_blacklists_porn/urls
            log block.log
    }

    dest blk_blacklists_proxy {
            domainlist blk_blacklists_proxy/domains
            urllist blk_blacklists_proxy/urls
            log block.log
    }

    dest blk_blacklists_redirector {
            domainlist blk_blacklists_redirector/domains
            urllist blk_blacklists_redirector/urls
            log block.log
    }

    dest blk_blacklists_spyware {
            domainlist blk_blacklists_spyware/domains
            urllist blk_blacklists_spyware/urls
            log block.log
    }

    dest blk_blacklists_suspect {
            domainlist blk_blacklists_suspect/domains
            urllist blk_blacklists_suspect/urls
            log block.log
    }

    dest blk_blacklists_violence {
            domainlist blk_blacklists_violence/domains
            urllist blk_blacklists_violence/urls
            log block.log
    }

    dest blk_blacklists_warez {
            domainlist blk_blacklists_warez/domains
            urllist blk_blacklists_warez/urls
            log block.log
    }

    dest Whitelist_Hosts {
            domainlist Whitelist_Hosts/domains
    }

    dest Blacklist_Hosts {
            domainlist Blacklist_Hosts/domains
    }

    dest User_requests {
            domainlist User_requests/domains
    }

    rew safesearch {
            s@(google../search?.q=.)@\1&safe=active@i
            s@(google../images.q=.)@\1&safe=active@i
            s@(google../groups.q=.)@\1&safe=active@i
            s@(google../news.q=.)@\1&safe=active@i
            s@(yandex../yandsearch?.text=.)@\1&fyandex=1@i
            s@(search.yahoo../search.p=.)@\1&vm=r@i
            s@(search.live../.q=.)@\1&adlt=strict@i
            s@(search.msn../.q=.)@\1&adlt=strict@i
            log block.log
    }

    acl  {
            # ACL1 => Session 1 => Full Access to Restricted content => 00:00 - 8:30am
            ACL_1  within Session_1 {
                    pass !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_ads blk_blacklists_aggressive blk_blacklists_audio-video blk_blacklists_mail Whitelist_Hosts Blacklist_Hosts User_requests none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                    } else {
                    pass none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
            }
            # ACL2 => Session 2 => Restricted Access, Whitelist Only => 8:31am - 13:00pm
            ACL_2  within Session_2 {
                    pass !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_mail !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez !Blacklist_Hosts Whitelist_Hosts User_requests none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                    } else {
                    pass none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
            }
            # ACL3 => Session 3 => Full Access to Restricted content => 13:01pm - 13:45pm
            ACL_3  within Session_3 {
                    pass !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_ads blk_blacklists_aggressive blk_blacklists_audio-video blk_blacklists_mail Whitelist_Hosts Blacklist_Hosts User_requests none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                    } else {
                    pass none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
            }
            # ACL4 => Session 4 => Restricted Access, Whitelist Only => 13:46pm - 16:30pm
            ACL_4  within Session_4 {
                    pass !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_mail !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez !Blacklist_Hosts Whitelist_Hosts User_requests none
                    } else {
                    pass none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
            }
            # ACL5 => Session 5 => Full Access to Restricted content => 16:31pm - 23:59pm
            ACL_5  within Session_5 {
                    pass !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_ads blk_blacklists_aggressive blk_blacklists_audio-video blk_blacklists_mail Whitelist_Hosts Blacklist_Hosts User_requests none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                    } else {
                    pass none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
            }
            #
            default  {
                    pass !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail Whitelist_Hosts User_requests none
                    redirect http://192.168.57.250:4000/sgerror.php?url=403 401 Unauthorized access to URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                    log block.log
            }
    }
    (END)

    After posting this I set the default ACL Access[All] to Deny.

    I noticed when testing that the error I receive every time at the moment is …
    Client address: 192.168.57.25
    Client group: ACL_1
    Target group: none
    URL: http://www.sex.com/

    Always ACL_1 which should only be active between 00:00 and 08:30am.

    I'm wondering if this has something to do with the redirects.

    Thanks



  • Pls read this: http://diskatel.narod.ru/sgquick.htm
    You are not using and understanding ACLs correctly. An ACL selects clients by Source; time only divides the ruleset into on-time and over-time.



  • Ah I think I found the problem/problems now.

    I also made things a bit more complex by trying to use 5 ACLs when I could have used one with many time rules.

    Made a single ACL

    Defined office hours

    In the ACL I permitted the whitelist for office hours with Default access [all] Deny. In "Overtime" I set Default access [all] Allow, but blocked categories like porn etc.

    Also found another thread on the forums, which was very helpful. http://forum.pfsense.org/index.php?topic=8417.msg47233

    I'll test this during the day, if it doesn't work then I'll go do some more reading :)

    Tx.



  • Basic error: using several ACLs with the same or overlapping Source setting.
    Only one will be used, the first in order (© Highlander)
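
The selection behaviour described in the replies above (the client is matched to the first src that contains its address, and the time block only chooses between the within and else branches), modelled as an added example that is not part of the thread or of SquidGuard itself. The sample configuration is a simplified, constructed cut-down of the one posted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: three of the thread's five same-subnet sources, rules simplified.
CONF = """
time Session_1 { weekly * 00:00-08:29 }
time Session_2 { weekly * 08:30-13:00 }
time Session_3 { weekly * 13:01-13:45 }
src ACL_1 { ip 192.168.57.0/24 }
src ACL_2 { ip 192.168.57.0/24 }
src ACL_3 { ip 192.168.57.0/24 }
acl {
    ACL_1 within Session_1 { pass all } else { pass none }
    ACL_2 within Session_2 { pass Whitelist_Hosts none } else { pass none }
    ACL_3 within Session_3 { pass all } else { pass none }
}
"""

def parse(conf):
    """Return (sources in definition order, time ranges, acl -> time name)."""
    sources = [(n, ipaddress.ip_network(ip))
               for n, ip in re.findall(r"\bsrc\s+(\S+)\s*\{\s*ip\s+(\S+)", conf)]
    times = {n: (a, b) for n, a, b in re.findall(
        r"\btime\s+(\S+)\s*\{\s*weekly\s+\S+\s+(\d\d:\d\d)-(\d\d:\d\d)", conf)}
    rules = dict(re.findall(r"(\S+)\s+within\s+(\S+)\s*\{", conf))
    return sources, times, rules

def shadowed_sources(conf):
    """Pairs (later, earlier): the later src overlaps one defined before it."""
    sources, _, _ = parse(conf)
    out = []
    for i, (name, net) in enumerate(sources):
        for prev_name, prev_net in sources[:i]:
            if net.overlaps(prev_net):
                out.append((name, prev_name))
                break
    return out

def active_acl(conf, client_ip, hhmm):
    """First src containing the client wins; the time only picks within/else."""
    sources, times, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for name, net in sources:
        if ip in net:
            start, end = times[rules[name]]
            return name, "within" if start <= hhmm <= end else "else"
    return "default", None  # no src matched: the default rule applies
```

Running `active_acl(CONF, "192.168.57.25", "15:00")` gives `("ACL_1", "else")`, which matches the "Client group: ACL_1" error page reported at 3pm, and `shadowed_sources(CONF)` lists the ACLs that can never be selected.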

