Problem with Squidguard ACL's
-
I have set up Squid as a transparent proxy with several unrestricted static IPs for managers etc.
Squidguard is set up using http://squidguard.mesd.k12.or.us/blacklists.tgz as the blacklist.
Default destination is Deny All with permitted Whitelist Destination for work related websites.
Redirect mode = Int Error page
I have an ACL in place that should activate between 1pm and 3pm to allow users access to things like Facebook and other social websites. In this I have the Whitelist Hosts allowed, Blacklist Hosts allowed (Facebook etc.), default access [all] is allowed.
Redirect mode = Int Error page
I'm struggling to get this to work. I always get redirected to the specific error page for everything, except the whitelist hosts…
Any ideas what I may be doing wrong?
OK, I've been looking a bit more into this.... this is what I found.
Let's assume a simple ACL of Whitelist and Blacklist.
Times
12pm-8am After Hours
8am - 13pm Office Hours
13pm-14pm Lunch
14pm-17pm Office Hours
17pm-23:59pm After Hours
I previously had 3 ACLs with the Blacklist set to allow, to give users access to Facebook during lunch time and after hours.
The default ACL was set to deny the Blacklist. I assumed that the default ACL would be used when the TIME ACL was not being used, therefore blocking users from accessing Facebook during the working hours. I found that I had to include a time-based ACL for the office working hours too, with the blacklist set to deny, for this to work properly.
Am I going about this the correct way? Should the default not be used when the afterhours/lunch ACL duration does not apply?
Thanks
-
Let's try the following
- If you use ACLs: set Default page: Default access [all] = deny, and forget about this page forever. You must use ACLs only.
- Time range must have the format lower-high: 08:00-12:00, 00:00-11:00.
Not valid: 23:00-8:00; it must be 2 ranges, 00:00-8:00 and 23:00-23:59 (or 24:00, please check this). Also please look here: http://diskatel.narod.ru/sgquick.htm
-
Under the TIMES tab my 5 entries are not in order from lower to higher; however, under the Destinations tab, those ACLs are specified lower to higher according to the time. Will this affect the rules, or does the order of the TIME tab entries not matter?
Ran some testing and currently it doesn't work. When testing a deny rule, only the top Destination ACL works. It is 3pm now and when I tested the application it used the 12-13pm rule.
-
Is it possible to view your SG conf file?
-
Here it is ….
# ============================================================
# SquidGuard configuration file
# This file generated automatically with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================
logdir /var/squidGuard/log
dbhome /var/db/squidGuard

# Midnight to start of work 00:00 - 08:29
time Session_1 {
    weekly * 00:00-08:29
}
# Morning to Lunch 08:30 - 13:00
time Session_2 {
    weekly * 08:30-13:00
}
# Lunch Full Access 13:01 - 13:45
time Session_3 {
    weekly * 13:01-13:45
}
# End of Lunch to End of work day 13:46 - 16:30
time Session_4 {
    weekly * 13:46-16:30
}
# After Hours 16:31 - 23:59
time Session_5 {
    weekly * 16:31-23:59
}

# ACL1 => Session 1 => Full Access to Restricted content => 00:00 - 8:30am
src ACL_1 {
    ip 192.168.57.0/24
}
# ACL2 => Session 2 => Restricted Access, Whitelist Only => 8:31am - 13:00pm
src ACL_2 {
    ip 192.168.57.0/24
}
# ACL3 => Session 3 => Full Access to Restricted content => 13:01pm - 13:45pm
src ACL_3 {
    ip 192.168.57.0/24
}
# ACL4 => Session 4 => Restricted Access, Whitelist Only => 13:46pm - 16:30pm
src ACL_4 {
    ip 192.168.57.0/24
}
# ACL5 => Session 5 => Full Access to Restricted content => 16:31pm - 23:59pm
src ACL_5 {
    ip 192.168.57.0/24
}

dest blk_blacklists_ads {
    domainlist blk_blacklists_ads/domains
    urllist blk_blacklists_ads/urls
    log block.log
}
dest blk_blacklists_aggressive {
    domainlist blk_blacklists_aggressive/domains
    urllist blk_blacklists_aggressive/urls
    log block.log
}
dest blk_blacklists_audio-video {
    domainlist blk_blacklists_audio-video/domains
    urllist blk_blacklists_audio-video/urls
    log block.log
}
dest blk_blacklists_drugs {
    domainlist blk_blacklists_drugs/domains
    urllist blk_blacklists_drugs/urls
    log block.log
}
dest blk_blacklists_gambling {
    domainlist blk_blacklists_gambling/domains
    urllist blk_blacklists_gambling/urls
    log block.log
}
dest blk_blacklists_hacking {
    domainlist blk_blacklists_hacking/domains
    urllist blk_blacklists_hacking/urls
    log block.log
}
dest blk_blacklists_mail {
    domainlist blk_blacklists_mail/domains
    log block.log
}
dest blk_blacklists_porn {
    domainlist blk_blacklists_porn/domains
    urllist blk_blacklists_porn/urls
    log block.log
}
dest blk_blacklists_proxy {
    domainlist blk_blacklists_proxy/domains
    urllist blk_blacklists_proxy/urls
    log block.log
}
dest blk_blacklists_redirector {
    domainlist blk_blacklists_redirector/domains
    urllist blk_blacklists_redirector/urls
    log block.log
}
dest blk_blacklists_spyware {
    domainlist blk_blacklists_spyware/domains
    urllist blk_blacklists_spyware/urls
    log block.log
}
dest blk_blacklists_suspect {
    domainlist blk_blacklists_suspect/domains
    urllist blk_blacklists_suspect/urls
    log block.log
}
dest blk_blacklists_violence {
    domainlist blk_blacklists_violence/domains
    urllist blk_blacklists_violence/urls
    log block.log
}
dest blk_blacklists_warez {
    domainlist blk_blacklists_warez/domains
    urllist blk_blacklists_warez/urls
    log block.log
}
dest Whitelist_Hosts {
    domainlist Whitelist_Hosts/domains
}
dest Blacklist_Hosts {
    domainlist Blacklist_Hosts/domains
}
dest User_requests {
    domainlist User_requests/domains
}

rew safesearch {
    s@(google../search?.q=.)@\1&safe=active@i
    s@(google../images.q=.)@\1&safe=active@i
    s@(google../groups.q=.)@\1&safe=active@i
    s@(google../news.q=.)@\1&safe=active@i
    s@(yandex../yandsearch?.text=.)@\1&fyandex=1@i
    s@(search.yahoo../search.p=.)@\1&vm=r@i
    s@(search.live../.q=.)@\1&adlt=strict@i
    s@(search.msn../.q=.)@\1&adlt=strict@i
    log block.log
}

acl {
    # ACL1 => Session 1 => Full Access to Restricted content => 00:00 - 8:30am
    ACL_1 within Session_1 {
        pass !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_ads blk_blacklists_aggressive blk_blacklists_audio-video blk_blacklists_mail Whitelist_Hosts Blacklist_Hosts User_requests none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    } else {
        pass none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    # ACL2 => Session 2 => Restricted Access, Whitelist Only => 8:31am - 13:00pm
    ACL_2 within Session_2 {
        pass !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_mail !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez !Blacklist_Hosts Whitelist_Hosts User_requests none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    } else {
        pass none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    # ACL3 => Session 3 => Full Access to Restricted content => 13:01pm - 13:45pm
    ACL_3 within Session_3 {
        pass !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_ads blk_blacklists_aggressive blk_blacklists_audio-video blk_blacklists_mail Whitelist_Hosts Blacklist_Hosts User_requests none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    } else {
        pass none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    # ACL4 => Session 4 => Restricted Access, Whitelist Only => 13:46pm - 16:30pm
    ACL_4 within Session_4 {
        pass !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_mail !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez !Blacklist_Hosts Whitelist_Hosts User_requests none
    } else {
        pass none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    # ACL5 => Session 5 => Full Access to Restricted content => 16:31pm - 23:59pm
    ACL_5 within Session_5 {
        pass !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_ads blk_blacklists_aggressive blk_blacklists_audio-video blk_blacklists_mail Whitelist_Hosts Blacklist_Hosts User_requests none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    } else {
        pass none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    #
    default {
        pass !blk_blacklists_ads !blk_blacklists_aggressive !blk_blacklists_audio-video !blk_blacklists_drugs !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_redirector !blk_blacklists_spyware !blk_blacklists_suspect !blk_blacklists_violence !blk_blacklists_warez blk_blacklists_mail Whitelist_Hosts User_requests none
        redirect http://192.168.57.250:4000/sgerror.php?url=403%20401%20Unauthorized%20access%20to%20URL&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
        log block.log
    }
}

After posting this I set the default ACL Access[All] to Deny.
I noticed when testing that the error I receive every time at the moment is …
Client address: 192.168.57.25
Client group: ACL_1
Target group: none
URL: http://www.sex.com/
Always ACL_1, which should only be active between 00:00 and 08:30am.
I'm wondering if this has something to do with the redirects.
Thanks
-
Please read this: http://diskatel.narod.ru/sgquick.htm
You aren't using or understanding ACLs correctly. An ACL selects clients by Source; time only divides its ruleset into on-time and over-time.
-
Ah I think I found the problem/problems now.
I also made things a bit more complex by trying to use 5 ACLs when I could have used one with many time rules.
Made a single ACL
Defined office hours
In the ACL I permitted the whitelist for office hours with Default access [all] Deny. In "Overtime" I set Default access [all] Allow, but blocked categories like porn etc.
Also found another thread on the forums, which was very helpful: http://forum.pfsense.org/index.php?topic=8417.msg47233
I'll test this during the day, if it doesn't work then I'll go do some more reading :)
Tx.
-
Basic error: using several ACLs with the same or overlapping Source setting.
Only one will be used: the first in order (Highlander).
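To make the "first matching Source wins" rule and the single-ACL fix above concrete, here is an added example (not squidGuard's own code) that models its ACL selection: the first acl entry whose src contains the client is chosen, a within ACL uses its first pass list when the time matches and its else list otherwise, and the pass list is scanned left to right. Category membership and the host intranet.example are constructed stand-ins for the blacklist files; the fallthrough behaviour of a pass list without a trailing none/all is an assumption.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed category membership standing in for the blacklist files.
CATEGORIES = {
    "Whitelist_Hosts": {"intranet.example"},
    "Blacklist_Hosts": {"facebook.com"},
    "blk_blacklists_porn": {"www.sex.com"},
}

def in_ranges(now, ranges):
    """True if now falls inside any HH:MM-HH:MM range (same-day ranges only)."""
    for rng in ranges:
        lo, hi = (time.fromisoformat(x) for x in rng.split("-"))
        if lo <= now <= hi:
            return True
    return False

def passes(pass_list, host):
    """Scan a pass list left to right: '!cat' blocks, 'cat' allows, 'none'/'all' end it."""
    for item in pass_list.split():
        if item in ("none", "all"):
            return item == "all"
        name, deny = (item[1:], True) if item[0] == "!" else (item, False)
        if host in CATEGORIES.get(name, set()):
            return not deny
    return False  # assumption: an exhausted list is treated like 'none'

def lookup(acls, default_pass, client, host, now):
    """First ACL whose source contains the client wins; later ones never run."""
    addr = ip_address(client)
    for acl in acls:
        if addr in ip_network(acl["src"]):
            on_time = in_ranges(now, acl.get("within", []))
            chosen = acl["pass"] if on_time else acl.get("else", "none")
            return acl["name"], passes(chosen, host)
    return "default", passes(default_pass, host)

# The overlapping-source ACLs from the posted config (pass lists shortened).
BROKEN = [
    {"name": "ACL_1", "src": "192.168.57.0/24", "within": ["00:00-08:29"],
     "pass": "!blk_blacklists_porn Whitelist_Hosts Blacklist_Hosts none", "else": "none"},
    {"name": "ACL_2", "src": "192.168.57.0/24", "within": ["08:30-13:00"],
     "pass": "!Blacklist_Hosts Whitelist_Hosts none", "else": "none"},
    {"name": "ACL_4", "src": "192.168.57.0/24", "within": ["13:46-16:30"],
     "pass": "!Blacklist_Hosts Whitelist_Hosts none", "else": "none"},
]
# One ACL whose time group holds both office-hours ranges; else is the overtime rule.
FIXED = [
    {"name": "lan", "src": "192.168.57.0/24", "within": ["08:30-13:00", "13:46-16:30"],
     "pass": "Whitelist_Hosts none", "else": "!blk_blacklists_porn all"},
]
```

At 15:00 the BROKEN list returns ("ACL_1", False) for every host, matching the error page's "Client group: ACL_1 / Target group: none"; FIXED allows only the whitelist during office hours and everything but the porn category outside them.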