Squidguard package ACLs with "client_netmask" in use



  • Short:
    As soon as we use "client_netmask 255.255.255.0" for squid logfiles, squidguard ACLs seem to be unable to distinguish subnets /24 any longer.

    Details:
    The setup is: squid with the squidguard package for ACLs and lightsquid package for proxy reporting.

    We require "client_netmask 255.255.255.0" – for anonymizing client proxy requests in our logfiles (privacy issues). We enter this as a "custom option" to the squid package.
    We also require ACLs from the squidguard package -- for blocking certain domains on a schedule (during working hours).

    We are currently using static dhcp entries (pfsense is the dhcp server) to dish out low IPs for unrestricted MACs (ACL) versus high IPs within the same subnet for restricted MACs (another ACL).
    We intended to block the high IPs using squidguard ACLs.

    However, the squidguard package seems to hate the "client_netmask" parameter. We turn it on and ACLs break. We turn it off and ACLs work.

    Any ideas how to convince the squidguard package to honor the "client_netmask"?



  • A solution:

    We continue to use "client_netmask 255.255.255.0" and happily continue to ensure the privacy of our users in the lightsquid proxy reports.

    On the other hand, we are now dishing out 0.0.255.0 IPs via DHCP.

    This allows the squidguard proxy filter to see 255.255.subnet.anonymous-zero IPs (like 1.2.subnet.0). This is sufficient to build ACL-based proxy filter rules.
    The proxy reports only display "access to domain" statistics for each subnet.

    Everyone is happy.

    (For the record. And for google.)
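
The behaviour reported in this thread, modelled as an added example that is not part of the original posts: it assumes, as the posts describe, that the filter only ever sees the client address after `client_netmask` has been applied. The addresses, ACL names and helper functions are constructed for illustration and are not squidGuard's or pfSense's own code.

```python
import ipaddress

def mask_client(ip, netmask="255.255.255.0"):
    """Address the filter sees once client_netmask is applied (assumption from the thread)."""
    masked = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(netmask))
    return ipaddress.IPv4Address(masked)

def in_source(addr, source):
    """A source is either a CIDR string or a (first, last) address range."""
    if isinstance(source, tuple):
        first, last = (ipaddress.IPv4Address(s) for s in source)
        return first <= addr <= last
    return addr in ipaddress.ip_network(source)

def match_acl(addr, acls):
    """Name of the first ACL whose sources contain addr, else 'default'."""
    for name, sources in acls:
        if any(in_source(addr, s) for s in sources):
            return name
    return "default"

def decide(client_ip, acls, netmask="255.255.255.0"):
    """ACL chosen for a client after the proxy has masked its address."""
    return match_acl(mask_client(client_ip, netmask), acls)

# Constructed layout 1: low/high host ranges inside one /24 (the original design).
SPLIT_BY_HOST = [
    ("unrestricted", [("10.20.0.1", "10.20.0.127")]),
    ("restricted", [("10.20.0.128", "10.20.0.254")]),
]
# Constructed layout 2: one /24 per policy group (the design from the solution).
SPLIT_BY_SUBNET = [
    ("unrestricted", ["10.20.1.0/24"]),
    ("restricted", ["10.20.2.0/24"]),
]

if __name__ == "__main__":
    cases = [("10.20.0.10", SPLIT_BY_HOST), ("10.20.0.200", SPLIT_BY_HOST),
             ("10.20.1.10", SPLIT_BY_SUBNET), ("10.20.2.200", SPLIT_BY_SUBNET)]
    for ip, acls in cases:
        print(ip, "->", mask_client(ip), "->", decide(ip, acls))
```

With host-range ACLs every client collapses to the `.0` address and falls through to the default rule; with per-subnet ACLs the masked address still carries the subnet and the intended ACL matches.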

