SquidGuard GroupACL Logic
-
Hello my fellow net monkeys. Was just poking about looking to find a way to refine the web filters here, and I seem to have come across what looks like a big limitation to the SG function.
I regularly have worked with Cisco Ironport and BlueCoat proxies and wanted to try setting up some time based controls.
With other systems I've worked with the policy is more defined on a per-line basis, each control comprising a source, destination, action, and any other specifics you wish to include, but they are independent of each other. The user will fall through the stack until they hit the default policy at the end. For example, user at 192.168.1.10 can go to Google at any time, YouTube between X & Y Hours, and then deny all others would be written as 3 lines. The sources could be mixed on each line as needed, but each line stands alone.
It appears the SG policy is more a complete policy per ACL. In this case if I put 192.168.1.10 as a source I must define the ENTIRE policy set for that source within the single ACL due to the forced inclusion of a default action at the end. This is very limiting when you want to put some more nuance in place. My own use case here, allow school relevant sites during school hours, more liberal policy after school, then shut it off entirely at bed time. Given the inability to use multiple time schedules in a single policy, and the forced 'default' being in place, this doesn't seem possible.
Is there any way, or potentially room for an update, to either add multiple time schedules, or allow for a 'no-default' situation which would then have the user fall through to the next ACL in the list that matches their source?