How to block all sites except some with Squid?



  • Hi,

    I am new to pfSense.  I am looking to block all the HTTP access in the local LAN network with some exceptions.  (Whitelist)

    I read somewhere that I can change the squid.conf using an acl like

    
    acl whitelist dstdomain "/etc/squid/whitelist"
    http_access deny !whitelist
    
    

    How do I access the squid.conf in pfSense?

    Thanks!


  • Rebel Alliance Developer Netgate

    Install squidGuard and use it to limit site access. With that you can define a list of sites under Destinations that are good, and deny access to all others.

    And you can also set ACLs such that a person or group can get to a different set of sites, or no sites at all, basically whatever you want.



  • Is it possible to block HTTPS in squidguard?


  • Rebel Alliance Developer Netgate

    As I told you in the other thread where you asked, only if you program the proxy settings into the clients. You cannot filter HTTPS transparently.



  • Thank you! Jimp.

    I tried it out.  It works.

    Another question: can I define a specific whitelist per individual MAC or IP address?

    Scenario would be,
    Allow Computer A to only access amazon.com
    Allow Computer B to only access google.com

    Thanks!


  • Rebel Alliance Developer Netgate

    Yes, if you use squidguard you can make an ACL that matches a specific IP or set of IPs, and then a destination list that you can allow or deny them access to.
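
Added example, not part of the thread and not taken from the pfSense package: a hand-written squidGuard.conf sketch of the per-IP whitelist scenario asked about above (Computer A only amazon.com, Computer B only google.com, everyone else denied). The client IPs, the database and log paths, the domain-list file names and the redirect URL are assumptions for illustration; on pfSense the squidGuard package writes this file from its GUI settings.

```conf
# Constructed example. All paths, IPs and URLs below are placeholders.
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Source groups: one per client, matched by IP address.
src computer_a {
    ip 192.168.1.10
}

src computer_b {
    ip 192.168.1.11
}

# Destination lists: each domainlist file (relative to dbhome) holds
# one domain per line, e.g. "amazon.com". Subdomains match as well.
dest amazon {
    domainlist amazon/domains
}

dest google {
    domainlist google/domains
}

acl {
    # "pass <dest> none": allow the listed destination, deny the rest.
    computer_a {
        pass amazon none
        redirect http://192.168.1.1/blocked.html
    }

    computer_b {
        pass google none
        redirect http://192.168.1.1/blocked.html
    }

    # Default deny: any source not matched above gets nothing.
    default {
        pass none
        redirect http://192.168.1.1/blocked.html
    }
}
```

Real sites usually pull content from additional domains (CDNs, static asset hosts), so a one-domain list tends to need extending once the block log shows what the allowed pages actually request.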



  • Wow, Jimp.  Thanks!

    I know this is off the topic.  I got the pfSense book.  But, I want to know more about secure networking.  Do you recommend any book that teaches network infrastructure and security?


  • Rebel Alliance Developer Netgate

    @bczeon27:

    I know this is off the topic.  I got the pfSense book.  But, I want to know more about secure networking.  Do you recommend any book that teaches network infrastructure and security?

    Nothing comes to mind, really. There are lots of books out there, but none jump out at me for that. You might start a new thread under "general discussion" to ask everyone.

