Netgate Discussion Forum
Blocking and Filtering using Squid and Squidguard

    eln
    last edited by stephenw10 Feb 21, 2020, 3:13 PM Feb 21, 2020, 8:13 AM

    Hello guys

    I need help,

    1. How do I allow certain users on my network to access social media sites?
    2. How do I allow all users to have access to social sites at a specific time, like at lunch hour?

    I am using Squid and SquidGuard.

    Thanks in advance

      Gertjan @eln
      last edited by Feb 21, 2020, 2:15 PM

      @eln said in BLOCKING AND FILTERING USING SQUID AND SQUIDGUARD:

      Am using squid and squidguard

      All that squid & guard sees is the IP and probably the URL. That's it.
      Big social networks have (tens of) thousands of IPs - and some get changed every day or less. And as you know, guys like youtube have dozens of URLs also. Some are known, some are just invented this morning.
      The actual traffic is stashed away under a thick layer of inaccessible TLS.
      Wonder what usage squid and guard has these days .... (except being a reverse proxy).

      See what pfBlockerNG can do for you.

      Or "AS" the list together yourself using a script, and add the script into an alias, being used in a scheduled firewall drop rule

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        stephenw10 Netgate Administrator
        last edited by Feb 21, 2020, 3:18 PM

        If you're running in transparent mode, as most people are, Squid will see the full URL for http and (for now) the FQDN for https traffic.

        You can configure Squidguard to filter different user groups but you need to select those. That's usually done by IP address so you might have all users on one wifi ssid/vlan filtered through one set of ACLs and another vlan through another set.

        Steve

          Gertjan @stephenw10
          last edited by Feb 21, 2020, 5:18 PM

          @stephenw10 said in Blocking and Filtering using Squid and Squidguard:

          Squid will see the full URL for http

          Do you have access to numbers like : how much http compared to https are you seeing ? I guess I can say that there are days that nothing goes over by http anymore. Or is this just my experience ?
          Mail and family was set up years ago to 465 / 993 / 995. FTP has been buried in 2007 ....

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            stephenw10 Netgate Administrator
            last edited by Feb 21, 2020, 10:09 PM

            Nope, but I agree it's almost all https, and should be. If you want to filter by the full URL or keyword etc you need to be doing full bump mode (MITM SSL intercept).

            Steve

              eln @stephenw10
              last edited by Feb 24, 2020, 6:37 AM

              @stephenw10 Most of the users are on WIFI and as you know IP addresses change all the time. I tried Group ACL, Common ACL, Set time range for access, but they are not working. Users are able to bypass.
              If possible take me step by step on how to configure this. It's frustrating.

                stephenw10 Netgate Administrator
                last edited by Feb 24, 2020, 12:05 PM

                Are you able to filter for all users if you add it just to the common ACLs without custom groups?

                If not there's no point trying to get different groups working until that part is.

                You should watch the hangout we did on this if you have not already: https://youtu.be/xm_wEezrWf4

                Steve

                  eln @stephenw10
                  last edited by Feb 24, 2020, 12:37 PM

                  @stephenw10 Yes, I am able to filter all users, Also, I am able to exclude myself to have access to social sites

                    stephenw10 Netgate Administrator
                    last edited by Feb 24, 2020, 1:48 PM

                    Ok then you just need a way to define different groups such as putting all the 'special access' users as static leases and all others dynamic. Or using separate subnets for each, different SSIDs.

                    Steve

                      eln @stephenw10
                      last edited by Feb 24, 2020, 1:52 PM

                      @stephenw10 We are in one subnet. I tried filtering by IP address and that way it seems to be working, but remember IP addresses change all the time. I even tried blocking a range. However, the issue goes back to TIME: the users can still bypass the firewall.

                        stephenw10 Netgate Administrator
                        last edited by Feb 24, 2020, 2:19 PM

                        How do you have it configured?

                          eln @stephenw10
                          last edited by Feb 24, 2020, 2:36 PM

                          @stephenw10
                          Added Blacklist (Shallalist)
                          Created a target category (and added domain list)
                          Under Common ACL > Target Rule List (My Target category is set to "DENY")
                          Saved
                          Under General Tab, Enable Checked then Apply

                            stephenw10 Netgate Administrator
                            last edited by Feb 24, 2020, 3:37 PM

                            Ok, but you said general filtering works just not with schedules right?

                            How do you have that configured? Please post screenshots so we can see exactly what is set.

                            Steve
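
The address-based grouping and the lunch-hour schedule discussed in this thread, written out in raw squidGuard.conf syntax. This is an added example, not a configuration posted by anyone in the thread and not the file the pfSense package generates from its GUI; every path, address range, name and redirect URL in it is a constructed placeholder.

```conf
# Constructed example: all paths, addresses and names are placeholders.
dbhome /path/to/squidGuard/db
logdir /path/to/squidGuard/log

# Lunch hour, Monday to Friday
time lunch {
    weekly mtwhf 12:00-13:00
}

# 'Special access' users: static DHCP leases kept inside a reserved range
src special {
    ip 192.168.1.10-192.168.1.49
}

# Everyone else on the same subnet (dynamic pool)
src staff {
    ip 192.168.1.0/24
}

# Custom target category holding the social media domains
dest social {
    domainlist social/domains
}

acl {
    # A client is assigned to the first src that matches it,
    # so 'special' is defined before the wider 'staff' range.
    special {
        pass all
    }
    # Inside the lunch window staff get everything; outside it,
    # the social category is denied and the request is redirected.
    staff within lunch {
        pass all
    } else {
        pass !social all
        redirect http://192.168.1.1/blocked.html
    }
    default {
        pass none
        redirect http://192.168.1.1/blocked.html
    }
}
```

Because the groups are keyed on source address, the static leases are what keep a user inside the `special` range from one day to the next. For HTTPS in transparent mode the `social` list is matched against the FQDN only, as noted earlier in the thread.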
