Netgate Discussion Forum

Blocking devices on my network from accessing web resources

  • R
    RJP1267
    last edited by RJP1267 Jul 27, 2021, 1:16 PM Jul 27, 2021, 12:58 PM

    Hello, and my apologies in advance if this has been discussed. I did a quick search and didn't seem to find a prior related topic.

    I have squid and lightsquid installed and running, and squidguard installed but currently idle. My goal is to deny certain devices on my network access to sites like YouTube, TikTok, just talk and others as the need arises, and I would like to know how to accomplish this.

    The firewall rules do not seem appropriate, as I cannot specify the URL(s) and cannot find a complete list of all the associated servers. I was told that squid may be able to help in this respect, but as it is new to me I think my initial attempts have taxed out my current abilities, and I need some feedback from the community as to how best to achieve this. If it helps, I also have pfBlockerNG-Devel installed.

    Thank you in advance for your help.

    • K
      KOM @RJP1267
      last edited by Jul 27, 2021, 1:41 PM

      @rjp1267 The piece that is idle is the piece you need. Squidguard is a URL filter. It does what you are trying to do.

      • R
        RJP1267 @KOM
        last edited by Jul 27, 2021, 2:08 PM

        @kom Thanks for the feedback. I am looking at squid's documentation trying to make sense of how to do this; maybe a YouTube video exists to augment their manual.

        • K
          KOM @RJP1267
          last edited by Jul 27, 2021, 2:58 PM

          @rjp1267 Squid's docs won't help you with squidguard. They are completely different things. Squidguard is a helper for squid.

          A Brief Introduction to Web Proxies and Reporting: Squid, SquidGuard, and Lightsquid

          Configuring the SquidGuard Package

          Squid, SquidGuard, and Lightsquid on pfSense 2.4

          • R
            RJP1267 @KOM
            last edited by Jul 27, 2021, 7:14 PM

            @kom Thanks for that info. I just did a quick deny for YouTube but no luck; going to play around and see what works. Seems like it's gonna take a while to get the right formula.

            • K
              KOM @RJP1267
              last edited by Jul 27, 2021, 7:21 PM

              @rjp1267 Your users have to be using the proxy for it to work. Web filtering is not a simple, easy task.

              • R
                RJP1267 @KOM
                last edited by Jul 27, 2021, 9:34 PM

                @kom Somehow I thought it wasn't going to be easy, but one can hope. So then my PFS LAN address would be the proxy address that I would set up on the clients? I have to look at that video tonight. Thanks.

                • K
                  KOM @RJP1267
                  last edited by Jul 27, 2021, 10:19 PM

                  @rjp1267 Get things working one step at a time. Do NOT configure squid for caching since that's useless these days.

                  Save yourself the hassle of working with certificates by running squid in explicit (non-transparent) mode. This will require your client devices to be aware of the proxy. You can configure WPAD as well as pushing the proxy via DHCP.

                  Create an alias called ExemptFromProxy (or whatever you like) and put client IPs in it that are allowed to bypass the proxy. Then create a firewall rule that allows ExemptFromProxy to access TCP 80,443 and, below that, a block rule for everyone on TCP 80,443.

                  • R
                    RJP1267 @KOM
                    last edited by Jul 29, 2021, 11:48 AM

                    @kom Great ideas, will give it a try and report back. Thanks for your help.
