SquidGuard - different VLANs, config help - block traffic on only ONE VLAN



  • Hi,

    I am using pfsense 2.0 with squid 2.7 (transparent mode) and squidguard.
    I have 6 different VLANs and I would like to block all sites on VLAN30 (172.17.180.0/22) except some domains (e.g. adobe.com kaspersky.com).

    In "Target Categories" I created my filter with name "allowed_sites", entered the URLs, domains I would like later to allow and saved it.
    Then I went to "Group ACL" and used as target "allowed_sites" with "pass" and "Default access [all]" with "deny"

    But now my problem is that I have to enter all the IP subnets I do NOT want to block in "Client (Source)". Isn't it possible to enter the IPs I want the filter to apply to?

    1.) Who could explain to me how to set up this "easy" filter?
    2.) What is the difference between "Common ACL" and "Groups ACL"? When should I use one and when the other?

    Thanks!


  • Rebel Alliance Developer Netgate

    The clients field in the ACL can match a whole subnet, x.x.x.x/22, and the action on there should be to pass the allowed sites category and deny the others.

    Anyone that does not match the ACL will only be affected by the default ACL setting, which you could make pass on both the allowed sites and default.



  • Does this mean:

    In "Common ACL" tab I have to allow "any"
    And in the "Groups ACL" tab I have to choose my target sites to allow and "deny" any other. Client (Source) should then be the entire VLAN, e.g. 192.168.8.0/22, right?

    Other question:

    Not to allow IP addresses in URL
    

    Does this mean that squidguard does a DNS lookup and checks whether the IP belongs to a domain I have blocked, or does this mean that there will never be any connection when there is an IP in the URL?
    Not sure if any of my security suites is using only IP addresses instead of domain names.


  • Rebel Alliance Developer Netgate

    @Nachtfalke:

    Does this mean:

    In "Common ACL" tab I have to allow "any"
    And in the "Groups ACL" tab I have to choose my target sites to allow and "deny" any other. Client (Source) should then be the entire VLAN, e.g. 192.168.8.0/22, right?

    Sounds right

    @Nachtfalke:

    Other question:

    Not to allow IP addresses in URL
    

    Does this mean that squidguard does a DNS lookup and checks whether the IP belongs to a domain I have blocked, or does this mean that there will never be any connection when there is an IP in the URL?
    Not sure if any of my security suites is using only IP addresses instead of domain names.

    No, that means if someone types in http://69.63.181.12/ they can't go there, instead of getting the site that is there (facebook.com) - it's one way of bypassing domain-based protections.
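    The policy the two replies describe (one source ACL for the VLAN that passes only the allowed category and denies the rest, a default ACL that passes everything, and the "IP address in URL" option blocking bare-IP requests such as the facebook.com example) can be checked against sample requests before rolling it out. The following is an added example, not code from the thread or from the pfSense squidGuard package: it embeds a constructed squidGuard.conf fragment in the same syntax squidGuard uses, parses that small subset, and evaluates client/URL pairs. The source name `vlan30`, the inline `domain` entries (real installs point at domainlist files), and the mapping of the GUI option "Not to allow IP addresses in URL" to squidGuard's built-in `!in-addr` destination are assumptions made for the example.

```python
"""Model of the squidGuard ACL policy discussed in the thread (constructed example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed squidGuard.conf subset mirroring the thread's setup.
# Assumptions: source name 'vlan30', inline 'domain' entries instead of
# domainlist files, and '!in-addr' as the "no IP addresses in URL" option.
SQUIDGUARD_CONF = """
src vlan30 {
    ip 172.17.180.0/22
}

dest allowed_sites {
    domain adobe.com
    domain kaspersky.com
}

acl {
    vlan30 {
        pass !in-addr allowed_sites none   # only the allowlist, deny the rest
    }
    default {
        pass !in-addr all                  # everyone else: pass everything
    }
}
"""


def _parse_blocks(text):
    """Parse the brace-delimited subset into (src, dest, acl) dicts of lines."""
    srcs, dests, acls = {}, {}, {}
    stack = []  # entries: (kind, name, lines)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            head = line[:-1].split()
            if head[0] in ("src", "dest"):
                stack.append((head[0], head[1], []))
            elif head[0] == "acl":
                stack.append(("acl", None, []))
            else:  # a named entry nested inside the acl block
                stack.append(("aclentry", head[0], []))
        elif line == "}":
            kind, name, lines = stack.pop()
            if kind == "src":
                srcs[name] = lines
            elif kind == "dest":
                dests[name] = lines
            elif kind == "aclentry":
                acls[name] = lines
        else:
            stack[-1][2].append(line)
    return srcs, dests, acls


class Policy:
    def __init__(self, conf):
        srcs, dests, acls = _parse_blocks(conf)
        self.sources = {n: [ipaddress.ip_network(l.split()[1]) for l in ls if l.startswith("ip ")]
                        for n, ls in srcs.items()}
        self.dests = {n: [l.split()[1].lower() for l in ls if l.startswith("domain ")]
                      for n, ls in dests.items()}
        # Each ACL entry keeps the token list of its 'pass' line, in order.
        self.acls = {n: l.split()[1:] for n, ls in acls.items()
                     for l in ls if l.startswith("pass ")}

    def _matches(self, name, host):
        if name == "in-addr":  # built-in: URL host is an IP literal
            try:
                ipaddress.ip_address(host)
                return True
            except ValueError:
                return False
        if name in ("all", "none"):  # both match everything; 'none' denies
            return True
        return any(host == d or host.endswith("." + d) for d in self.dests.get(name, []))

    def decide(self, client_ip, url):
        """Return 'pass' or 'deny' for a client address and requested URL."""
        host = (urlsplit(url).hostname or "").lower()
        client = ipaddress.ip_address(client_ip)
        # First source group whose networks contain the client; else 'default'.
        group = next((n for n, nets in self.sources.items()
                      if any(client in net for net in nets)), "default")
        for token in self.acls.get(group, self.acls["default"]):
            negated = token.startswith("!")
            name = token.lstrip("!")
            if self._matches(name, host):
                return "deny" if (negated or name == "none") else "pass"
        return "pass"  # assumption: no token matched, squidGuard leaves the request alone


POLICY = Policy(SQUIDGUARD_CONF)


def decide(client_ip, url):
    return POLICY.decide(client_ip, url)


if __name__ == "__main__":
    for ip, url in [("172.17.180.5", "http://www.adobe.com/"),
                    ("172.17.180.5", "http://www.facebook.com/"),
                    ("192.168.8.10", "http://www.facebook.com/"),
                    ("192.168.8.10", "http://69.63.181.12/")]:
        print(ip, url, "->", decide(ip, url))
```

Hosts inside 172.17.180.0/22 only reach the allowlisted domains, every other client falls through to the default ACL, and a request to a bare IP is denied for everyone because `!in-addr` is evaluated before `all`.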



  • Great! Thanks.

    I will give it a try tomorrow at work.

