SquidGuard package TEST



  • I have a small problem with English  ::) Sorry for my many questions

    • Do you setup auto refresh (update) period in Lightsquid GUI?

    Post pls '/cf/conf/config.xml' file part



  • squidguard is not in official packages ??? only squidgurad … what is wrong ??



  • @dhipo:

    squidguard is not in official packages ??? only squidgurad … what is wrong ??

    Nothing wrong.
    Expects(Waits) his queue
    Maybe developers are very busy ?



  • ok

    can you help with some situation in squidguard ?

    look

    3 sources
    3 destinations
    3 ACL

    sourceA = 100.0.0.0/24
    sourceB = 192.168.0.0/16
    sourceC= 100.0.0.1 192.168.2.1

    destX = xxx.com
    destY = yyy.com
    destZ = zzz.com

    ACL1 =  sourceA pass destZ !all
    acl2  = sourceB pass destY !all
    acl3 =  sourceC pass !destX all

    everything  and everybody have full access ….
    i'm going crazy ...



  • @dhipo:

    ok

    can you help with some situation in squidguard ?

    look

    3 sources
    3 destinations
    3 ACL

    sourceA = 100.0.0.0/24
    sourceB = 192.168.0.0/16
    sourceC= 100.0.0.1 192.168.2.1

    destX = xxx.com it's  a blacklist
    destY = yyy.com it's a whitelist
    destZ = zzz.com  it's a whitelist

    ACL1 =  sourceA pass destZ !all
    acl2  = sourceB pass destY !all
    acl3 =  sourceC pass !destX all

    everything  and everybody have full access ….
    i'm going crazy ...



  • Pls show me your SG config
    This situation can be if SG not started or used default config
    Default config created if found any error in your config data.
    Also how old is your SG package installation?



  • more /usr/local/etc/squidGuard/squidGuard.conf

    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================

    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard

    # All stores (users in branch office)

    src lojas {
            ip 192.168.0.0/255.255.0.0
            log block.log
    }

    # Everyone in the Central Office (users in HeadOffice)

    src EC {
            ip 100.0.2.0/16
            log block.log
    }

    # Special access (special access users)

    src especiais_loja {
            ip 192.168.11.98
            ip 192.168.37.32
            ip 192.168.38.12
            log block.log
    }

    # Unlimited access (without limits users)

    src super-users {
            ip 100.0.0.1
            ip 100.0.0.195
            ip 100.0.2.40
            log block.log
    }

    dest ads {
            domainlist ads/domains
            urllist ads/urls
            log block.log
    }

    dest aggressive {
            domainlist aggressive/domains
            urllist aggressive/urls
            log block.log
    }

    dest audio-video {
            domainlist audio-video/domains
            urllist audio-video/urls
            log block.log
    }

    dest drugs {
            domainlist drugs/domains
            urllist drugs/urls
            log block.log
    }

    dest gambling {
            domainlist gambling/domains
            urllist gambling/urls
            log block.log
    }

    dest hacking {
            domainlist hacking/domains
            urllist hacking/urls
            log block.log
    }

    dest mail {
            domainlist mail/domains
            log block.log
    }

    dest porn {
            domainlist porn/domains
            expressionlist porn/expressions
            urllist porn/urls
            log block.log
    }

    dest proxy {
            domainlist proxy/domains
            urllist proxy/urls
            log block.log
    }

    dest redirector {
            domainlist redirector/domains
            urllist redirector/urls
            log block.log
    }

    dest spyware {
            domainlist spyware/domains
            urllist spyware/urls
            log block.log
    }

    dest suspect {
            domainlist suspect/domains
            urllist suspect/urls
            log block.log
    }

    dest violence {
            domainlist violence/domains
            expressionlist violence/expressions
            urllist violence/urls
            log block.log
    }

    dest warez {
            domainlist warez/domains
            urllist warez/urls
            log block.log
    }

    # Leo black list (our black list)

    dest ListaNegra {
            domainlist ListaNegra/domains
            expressionlist ListaNegra/expressions
            urllist ListaNegra/urls
            log block.log
    }

    # List of allowed sites (our white list)

    dest ListaBranca {
            domainlist ListaBranca/domains
            expressionlist ListaBranca/expressions
            urllist ListaBranca/urls
    }

    # Sites allowed for stores (free sites to branchoffice users)

    dest permitidosLoja {
            domainlist permitidosLoja/domains
            log block.log
    }

    # Sites allowed for EC (free sites to HeadOffice)

    dest permitidosEC {
            domainlist permitidosEC/domains
            log block.log
    }

    acl {
            # List of allowed stores
            lojas {
                    pass ListaBranca permitidosLoja none
            }

            # allowed for EC
            EC {
                    pass ListaBranca permitidosEC none
            }

            # controlled users with full access
            especiais_loja {
                    pass !ads !aggressive !audio-video !drugs !gambling !hacking !mail !porn !proxy !redirector !spyware !suspect !violence !warez !ListaNegra all
            }

            # Super users
            super-users {
                    pass all
            }

            default {
                    pass ListaBranca none
                    redirect http://127.0.0.1/sgerror.php
            }
    }



  • Make this for testing

    • disable all ACL's (checkbox on every acl)
    • uncheck all items on Default rule and set !all (deny all) - test this for block all traffic
    • enable ListaBranca in default and test access to it and no-access for other
    • one by one enable ACLS and test them for access (first enable your special acls)

    You need find what ACL wrong configured.

    PS after any change before test press Apply button and see Service string for green (in latest version SG)(mean - SG success started) below Apply button



  • 2 mantunespb

    installed to put happened this error in the end of the site is the same not initiated

    Warning: fopen(/usr/local/etc/squidGuard/squidguard_conf.xml): failed to open stream: No such file or directory in /etc/inc/pfsense-utils.inc on line 1094
    Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/pfsense-utils.inc on line 1095
    Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/pfsense-utils.inc on line 1096
    Warning: fopen(/usr/local/etc/squidGuard/squidguard_conf.xml): failed to open stream: No such file or directory in /etc/inc/pfsense-utils.inc on line 1094
    Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/pfsense-utils.inc on line 1095
    Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/pfsense-utils.inc on line 1096

    Several questions

    • do you have installed squidGuard port before installation package? (must be deinstalled)
    • check /usr/local/etc/squidGuard/ path for exists


  • ok /// i do this and stayed strange… but i found an tip ... and now everything is working... we need compile the lists (blacklists ,destinations, etc) every time what anything is added or removed from blacklists or destinations... the command is ... to first time :
    /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -C all -d

    or to updates

    /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -u -d

    the acls are working now
    ....



  • <english problem="">I have understood that there are problems with(since) rebuilding db?
    Blacklist db rebuild once after his downloading and installation
    User db may be processed with each pressing by button 'Apply'
    (user db each time created as new but not diff)

    Please post your detailed issues - where problem?

    ps i will have test too</english>



  • ok …. i will try be clear .....  on press apply button or save new Destinations is not creating the db files..
    i created manually using the command
    /usr/local/bin/squidguard -c /usr/local/etc/squidGuard/squidGuard.conf -C all

    but every time , when a new url ,expression or domain is added to destinations is necessary run the command
    /usr/local/bin/squidguard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    if db files was not created manually the rules (ACLS) does not work ..
    but, after db creation (manually) works fast and was expected..



  • new doubt …
    Can i have an acl like this

    " pass MyList "

    without the ' !all ' at the end of line ?



  • @dhipo:

    new doubt …
    Can i have an acl like this

    " pass MyList "

    without the ' !all ' at the end of line ?

    I test bug with db nearest time  ???

    About ACL
    '!all' convert to config as 'none'
    This is default rule for current ACL
    'pass MyList all' mean pass 'MyList' and 'all' - passed all
    pass MyList !sex all - mean pass MyList all and deny sex
    pass MyList none (equivalence !all) - mean pass only MyList and deny all other



  • Rename without .txt, replace on '/usr/local/pkg' this and test it.

    squidguard_configurator.inc.txt



  • ok … i changed the squidguard_configurator file ... works good... an new discovered tip .... ACL order is too important .. look this :

    acl 1 source is 192.168.1.0/24 "pass mylist none" -- my list have only some permitted sites

    acl2 source is 192.168.1.20 pass all

    in this case acl2 never is used

    but if acl2 is in top order works  like desired....

    can an option to move order in acls added ???



  • @dhipo:

    ok … i changed the squidguard_configurator file ... works good... an new discovered tip .... ACL order is too important .. look this :

    acl 1 source is 192.168.1.0/24 "pass mylist none" -- my list have only some permitted sites

    acl2 source is 192.168.1.20 pass all

    in this case acl2 never is used

    but if acl2 is in top order works  like desired....

    can an option to move order in acls added ???

    Great test!! I missed this moment and this very serious. I will work about this  :-[



  • Do you have url's with information about squidGuard ACL's order?



  • no i don't found anything about acl order on internet …. but it's a try an error what i did ....

    look ...

    i think in this moment we can do an ACL tester .... to show what ACL is being applied ....

    on command line the test is ....

    echo "http://www.example.com 100.0.2.10/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    and will reply on last lines

    2007-06-24 10:54:39 [15031] squidGuard 1.2.0 started (1182693279.170)
    2007-06-24 10:54:39 [15031] squidGuard ready for requests (1182693279.178)
    2007-06-24 10:54:39 [15031] Request(EC/none/-) http://www.example.com 100.0.2.10/- - -
    http://127.0.0.1/sgerror.php?url=403 100.0.2.10/- - -
    2007-06-24 10:54:39 [15031] squidGuard stopped (1182693279.178)

    look the acl NAME there Request(EC/none/-)

    look this … the ip tested down is an user with special access,  but with porn denied

    echo "http://www.sex.com 192.168.19.97/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    reply
    2007-06-24 10:59:26 [15573] squidGuard ready for requests (1182693566.468)
    2007-06-24 10:59:26 [15573] Request(especiais/porn/-) http://www.sex.com 192.168.19.97/- - -
    http://127.0.0.1/sgerror.php?url=403 192.168.19.97/- - -
    2007-06-24 10:59:26 [15573] squidGuard stopped (1182693566.469)

    and now the full network range … with limited access...

    echo "http://www.sex.com 192.168.0.0/ - - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d

    look the different acl
    2007-06-24 11:04:25 [16181] Request(lojas/none/-) http://www.sex.com 192.168.0.0/- - -
    http://127.0.0.1/sgerror.php?url=403 192.168.0.0/- - -
    2007-06-24 11:04:25 [16181] squidGuard stopped (1182693865.587)

    in my testings i discovered :
    if an ACL with specific ip ( host address eg: 192.168.19.97 ) is after of a network range … the acl is never processed ..

    then i suggest and button to move acl order like rules order in pfsense ...
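
    The "ACL tester" idea from the post above, as an added example that is not part of the original thread: it reads squidGuard -d output and reports clients that were handled by a different source group than intended. The log lines are copied from the test runs in the post; the name given to the third field of Request(...) and the expectations passed to the check are assumptions made for illustration.

```python
import re

# Lines copied from the squidGuard -d test runs in the post above.
SAMPLE_LOG = """\
2007-06-24 10:54:39 [15031] squidGuard ready for requests (1182693279.178)
2007-06-24 10:54:39 [15031] Request(EC/none/-) http://www.example.com 100.0.2.10/- - -
http://127.0.0.1/sgerror.php?url=403 100.0.2.10/- - -
2007-06-24 10:59:26 [15573] Request(especiais/porn/-) http://www.sex.com 192.168.19.97/- - -
2007-06-24 11:04:25 [16181] Request(lojas/none/-) http://www.sex.com 192.168.0.0/- - -
2007-06-24 11:04:25 [16181] squidGuard stopped (1182693865.587)
"""

# Request(<source group>/<destination that decided>/<third field>) <url> <client ip>/...
# "third" is a placeholder name; the thread does not say what that field holds.
REQUEST = re.compile(
    r"Request\((?P<source>[^/]+)/(?P<dest>[^/]+)/(?P<third>[^)]*)\)\s+"
    r"(?P<url>\S+)\s+(?P<client>[^/\s]+)/"
)


def parse_requests(log):
    """Return one dict per Request(...) line; all other lines are ignored."""
    return [m.groupdict() for m in map(REQUEST.search, log.splitlines()) if m]


def check_expectations(log, expected):
    """expected maps client IP -> source group it is supposed to land in.

    Returns (client, expected_source, actual_source) for every mismatch.
    actual_source is None when no Request line was logged for that client.
    """
    seen = {r["client"]: r["source"] for r in parse_requests(log)}
    problems = []
    for client, want in expected.items():
        got = seen.get(client)
        if got != want:
            problems.append((client, want, got))
    return problems


if __name__ == "__main__":
    # Hypothetical expectation: the admin wants 100.0.2.10 treated as a super user.
    for client, want, got in check_expectations(SAMPLE_LOG, {"100.0.2.10": "super-users"}):
        print(f"{client}: expected source {want}, squidGuard used {got}")
```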



  • http://www.sdconsult.no/linux/SquidGuard/doc.html

    How squidGuard decides what to do
    For each request squidGuard will:
    try to find a matching client group based on the client IP-address and optional domainname and user ID information. Note: The client groups are matched in the order they are defined. Thus a client group that is a subset of a more general group must come first of the two to take effect. If the client does not match a group then the default acl will be used.
    Note: The client information must match at least one of each defined type within the actual group to qualify (i.e. ip AND domain AND user).
    select the corresponding active acl. If no corresponding acl is active or defined the default acl is selected.
    try to match the URL to each destination group in the listed order in the pass rule in the actual acl and for each destination group in the priority order domainlist, urllist and expressionlist.
    Note: It is sufficient that the URL matches one of the defined types within the actual group to qualify (i.e. domainlist OR urllist OR expressionlist).
    if a negative group ("!group") is matched, return the redirect URL for that destination group if defined or alternatively the redirect URL in the actual acl if defined or else the redirect URL in the default acl as the last resort.
    when a positive group ("group") is matched then stop searching.
    apply the rewrite rules for the matched destination group if any and then apply rewrite rules for the acl if any or else the rewrite rules for the default acl if any.
    if the URL was changed by a rewrite rule return the new URL and the supplied information.
    Otherwise return an empty line indicating no change to Squid.

    Maybe source order have effect? Analyze pls this url.. (my translator give stupid text)



  • is this ….

    The order of "ACL" is important ...
    look this note:

    Note: The client groups are matched in the order they are defined.

    we need an control to ordering "ACL"s



  • @dhipo:

    is this ….
    The order of "ACL" is important ...
    look this note:
    Note: The client groups are matched in the order they are defined.
    we need an control to ordering "ACL"s

    Client group this is Sources blocks
    Do you have possible test config with switching sources blocks? (manually swap and restart squid). I will be able to test tomorrow :-\



  • no …. source or destinations order is NOT important ....

    important is the ACL order ....  blocking is made based on order of ACL...



  • i did test order of acl and this is real …. .ACL order is important...



  • @dhipo:

    i did test order of acl and this is real …. .ACL order is important...

    I now have test via remote access on my work next simple config

    
    src_myip_on = myip
    src_myip_off = myip
    
    acl {
      default .... none // all block
      src_myip_on ... all // all pass
      src_myip_off ... none //all block
    }
    

    --- A --- beginner
    sources  (1)src_myip_on (2)src_myip_off
    ACLS (1)default (2)src_myip_on (3)src_myip_off
    result MyIP Access = pass

    --- B --- swapping acls
    sources  (1)src_myip_on (2)src_myip_off
    ACLS (1)default (2)src_myip_off (3)src_myip_on
    result MyIP Access = pass (!!)

    --- C --- swapping sources
    sources  (1)src_myip_off (2)src_myip_on
    ACLS (1)default (2)src_myip_on (3)src_myip_off
    result MyIP Access = blocked (!!)



  • you are right ….. the sources order change the result of policy ....  i hate this.... only about lucky .... but my order of sources was right and when i changed policies stop to work.....

    great work ..... SOURCES MUST BE ORDERED TO WORK ....



  • In sources table no way to moving table line up/down
    I have idea add one checkbox field with 3 positions (–/move up/move down)

    Any other idea?



  • In sources table no way to moving table line up/down

    Maybe you could get around it by first saving it to a temp file first, adding a number 1 2 3 and then add it to conf by number…



  • For example this




  • looks good ….

    but correct english in some words ...

    change
    Sources order have very impotant importance
    to
    Sources order have very high importance.

    word "chose" the correct is "choose"



  • new thing ….

    on the Destinations tab i cannot add an redirect url all tries give me the following message.

    The following input errors were detected:

    * Redirect must contains valid url. Example: 'http://www.my.com', 'https://my.com', 'ftp://my.com'

    i try put in the field redirect

    http://www.mydom.com.br/
    http://www.mydom.com.br/test.htm
    403:http://www.mydom.com.br/
    403:http://www.mydom.com.br/test.htm

    all with errors



  • Yes .. may be validator problem
    Temporary - assign only '404'
    User will view 404 error page



  • Source order is of high importance. Sources are evaluated on a first-match basis
    Wrong order:
    First source entry is the range 10.0.0.0/24 and second entry is 10.0.0.15 (or 10.0.0.15/32 )
    Right order:
    First source entry is the single ip 10.0.0.15 (or 10.0.0.15/32 ) then the overlaying range 10.0.0.0/24

    My non-native language suggestion :)
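
    A check for the first-match rule described above, as an added example that is not part of the original thread or of the package: it reads the src blocks of a squidGuard.conf in definition order and lists every source that can never match because earlier sources already cover all of its addresses. Assumptions: only IPv4 `ip` entries given as a single address, CIDR or address/netmask are handled, and a source counts as shadowed only when each of its entries lies inside one earlier entry.

```python
import ipaddress
import re

# Constructed sample: the src blocks of the squidGuard.conf posted earlier in
# this thread, in the same order (log lines omitted).
SAMPLE_CONF = """
src lojas {
        ip 192.168.0.0/255.255.0.0
}
src EC {
        ip 100.0.2.0/16
}
src especiais_loja {
        ip 192.168.11.98
        ip 192.168.37.32
        ip 192.168.38.12
}
src super-users {
        ip 100.0.0.1
        ip 100.0.0.195
        ip 100.0.2.40
}
"""

SRC_BLOCK = re.compile(r"^\s*src\s+(\S+)\s*\{(.*?)\}", re.S | re.M)
IP_LINE = re.compile(r"^\s*ip\s+(.+)$", re.M)

def parse_sources(conf):
    """Return [(name, [ip_network, ...])] in the order the sources are defined."""
    sources = []
    for name, body in SRC_BLOCK.findall(conf):
        # strict=False tolerates host bits, e.g. 100.0.2.0/16 (assumed to be masked)
        nets = [ipaddress.ip_network(tok, strict=False)
                for line in IP_LINE.findall(body) for tok in line.split()]
        sources.append((name, nets))
    return sources

def first_match(sources, client_ip):
    """Name of the first source containing client_ip, else 'default'."""
    ip = ipaddress.ip_address(client_ip)
    return next((name for name, nets in sources
                 if any(ip in net for net in nets)), "default")

def shadowed(sources):
    """Map each source that can never match to the earlier sources covering it."""
    report = {}
    for i, (name, nets) in enumerate(sources):
        earlier = [(n, net) for n, ns in sources[:i] for net in ns]
        covers = [next((n for n, e in earlier if net.subnet_of(e)), None)
                  for net in nets]
        if nets and all(covers):
            report[name] = sorted(set(covers))
    return report

if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_CONF)
    print(shadowed(srcs))
    print(first_match(srcs, "192.168.11.98"))
```

    Run against the configuration posted in this thread, it reports especiais_loja as covered by lojas and super-users as covered by EC; moving the two host-only sources to the top clears both findings.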



  • I shall is thanked for good english text



  • Uhhm
    Ready for test
    Need update from site files
    'squidguard.inc'
    'squidguard_configurator.inc'
    'squidguard_src.xml'
    OR reinstall



  • not necessary squidgaurd.xml ????



  • i did an test
    if an source is deleted (eg … source # 0) to other sources become indexed is necessary open the source #1 and move it to #0

    but moving orders is good .... and working ,..



  • @dhipo:

    not necessary squidgaurd.xml ????

    I modified only this 3 files

    i did an test
    if an source is deleted (eg … source # 0) to other sources become indexed is necessary open the source #1 and move it to #0

    or i stupid, or my translator.. what processed if deleted all sources??? Please looking what's happening with 'squidguard.conf' in this moment? Broken or no?

    but moving orders is good …. and working ,..

    Sources order in gui das is correspond order in squidguard.cfg

    PS i test all bugs too, but i need more 'test statistic' for diagnose BUG
    PS2 Thanks for you job  :)



  • ok … english is not my language too... but i ll try again ....

    remove an source, example source number 0... the others sources are not modified....
    to modify , you need open next source, move it to number 0 and save ...

    yes ... the squidguard.conf is ok ....



  • @dhipo:

    remove an source, example source number 0… the others sources are not modified....
    to modify , you need open next source, move it to number 0 and save ...

    this only for cosmetic …. squidguard.conf is ok

