Squidguard Web Filter Issues



  • Hi everyone,

    Let me start this thread by saying I am a new intern at a company that needs web filtering set up. I am new to pfSense, Squid and SquidGuard. I've done weeks of research on how to set this up for my company, but I can't seem to get anything to work. None of the threads I found in this forum thus far have worked in the way I need them to. Allow me to explain our setup:

    There are approximately 20 workstations in my building. 7 of them need admin access, or default to all. The rest need to be blocked from all website access EXCEPT a select few websites which are to be whitelisted.

    Originally, I attempted to set up the limited workstations under an alias of "BlockedUsers" and then entered the workstation's IP as the host. I also made another alias called "AllowedSitesBlockedUsers" and by IP listed all whitelisted sites. I tried blocking/allowing on both the LAN and WAN side, and no configuration I tried worked. I finally gave up on this.

    Next, I decided to install Squid as a transparent proxy and try web filtering with SquidGuard, due to what I've read about ease of use compared to using aliases. I have tried this and I think I am still doing something wrong as the filter is not working on the limited workstations.

    Here is the setup I have currently:
    Squidguard: Enabled
    Don't allow IP access to URL: Enabled

    Groups ACL:
    Name- Internet Filter
    Client- "BlockedUsers"
    Target Rules List- none currently

    Target Categories:
    Allowed Sites- Expressions: (google.com)|(204.197.246.70)|(199.237.239.168)| (76.227.216.27)|(65.254.58.21)|(184.0.154.154)|(64.20\2.170.130)|(64.184.32.112)|(50.17.249.143) |(72.3.176.67)|(64.9.198.33)|(168.144.74.211)|(64.31.183.119)|(208.64.138.65)|(69.93.59.34)|(193.192.61.2)|(205.178.145.158)|(97.71.118.189)|(216.139.247.92)|(72.167.255.27)|(184.0.154.154)|(70.60.249.136)|(202.139.234.87)|(64.78.181.71)|(209.216.124.178)|(173.201.2.165)|(184.0.154.165)|(70.60.249.134)|(208.109.162.57)|(82.165.105.22)|(70.32.100.93)|(66.180.4.10)|(174.121.108.66)|(50.22.162.97)|(67.192.63.82)|(130.94.132.31)|(173.226.124.21)|(207.218.128.6)|(140.174.98.50)|(66.212.104.33)|(180.150.140.197)|(59.37.41.108)|(216.92.110.196)|(216.235.69.64)|(98.129.132.76)|(208.79.79.20)|(216.139.210.79)|(67.18.27.84)|(67.192.55.103)|(192.112.60.69)|(66.29.217.133)|(207.148.247.55)|(74.205.123.76)|(63.144.240.81)|(173.201.232.175)|(166.70.44.202)|(184.191.132.34)|(209.61.178.176)|(64.82.110.233)|(66.7.211.30)|(209.159.201.70)|(205.178.145.158)|(66.216.115.8)|(69.195.199.74)|(71.6.150.219)|(198.145.115.160)|(173.203.74.5)|(67.222.16.137)|(173.236.129.128)|(63.149.92.171)|(216.167.196.76)|(209.90.77.138)|(206.188.192.136)|(208.106.213.130)|(38.113.1.143)|(67.192.51.163)|(208.109.181.63)|(208.109.162.57)|(uberti.com)|(stoegerindustries.com)|(96.60.118.100)|(216.39.58.249)|(216.39.58.250)|(216.39.58.251) (.(google|yahoo).(search_query|keywords|search|query|q|p)=.(+|%20)(proxy|bypass).(-|+|%20).(proxy|bypass).*)

    Blocked Users: (192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.)|(192.168.40.*)

    Based on what I have found I have set it up as follows but this configuration does not work. Any guidance would be greatly appreciated as I would love to learn more about this platform and package and become better at this.

    Thank you in advance!

    Kind regards.  :)



  • Perhaps you have to explain a little bit more.
    Remember that if you are running Squid in transparent mode, SquidGuard can only filter port 80. If you browse a site like httpS://xyz.com, then this site will not be filtered.



  • Sure - what information would you like to know?

    So if I don't run transparent mode, it will block all the sites individually as I listed? I am mildly confused in the sense that, if HTTP traffic is port 80, wouldn't all HTTP traffic from limited workstations be blocked? Right now nothing is being blocked with the settings I have (the workstations can still access all sites that are not business related).

    Thanks for your quick reply!



  • Hi,

    perhaps this will help you a little bit:
    http://diskatel.narod.ru/sgquick.htm

    Perhaps you should try filtering at first with one simple website which is using http (80) before using such a long target list.

    I am short on time at the moment. I will post some screens of my configuration later, if you like.
    But perhaps the website above will help you.



  • Thank you for the link, though I can't really use it. I must be running a different version from the tutorial as my interface does not have the same options.



  • Just the "tabs" were renamed:
    General -> General
    default -> common acl
    acl -> groups acl
    destinations -> target categories

    OK, here is what I want to realize and what I did:
    I have different VLANs/subnets. All VLANs should have full internet access except one. That one subnet (172.17.180.0/22) should only have access to some domains.

    1.) I created one "Target category". There I entered all the domains I would like to access. In your case you should enter all domains you would like to block.

    2.) Group ACL: There I configured everything for the one subnet (172.17.180.0/22). I entered the "Client (Source)" subnet this rule should apply to.

    Default access is denied because I would like to block all except the sites I configured in "Target categories". So as you can see, for my target category I configured "whitelist", which could be "allow", too.

    3.) Now I have to configure what happens with the other VLANs which should have access. Because I would not like to configure them all individually, I use the tab "Common ACL".

    There "default access" is allowed and my target is allowed, too.
    Take a look at the screenshots.

    So my subnet 172.17.180.0/22 is only allowed to surf microsoft.com and so on and no other site.
    All my other subnets are allowed to browse all websites they want.

    PS: Lastly, remember that you ALWAYS have to go to the "General settings" tab, click SAVE at the bottom and then click "APPLY" at the top. You'll have to do that after every change you make in SquidGuard.

    If you have further questions, do not hesitate to ask. But first try to realize this with just one site/domain to see if it is working. Then try to add further domains or expressions. It is sometimes not really easy because SquidGuard isn't always telling you what is "really" wrong. Nevertheless it is a really good webGUI which captures such a complex thing.

    ![Target categories.jpg](/public/imported_attachments/1/Target categories.jpg)
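As an added illustration (not part of the post above, and not the file the pfSense package writes verbatim), this is the squidGuard.conf that the three steps boil down to when applied to the scenario in this thread: one restricted source, one allow-list destination, default deny for that source and default allow for everyone else. The dbhome/logdir paths, the redirect URL and the client addresses are assumptions; the pfSense GUI generates the real file for you, so treat this as a reading aid for the tabs, not something to paste.

```conf
# Added example: hand-written squidGuard.conf equivalent of the
# Target categories / Group ACL / Common ACL tabs described above.
# Paths, client addresses and the redirect URL are assumptions.
dbhome /var/db/squidGuard
logdir /var/squidGuard/log

# Group ACL "Client (Source)": the restricted workstations.
# Constructed addresses; a whole subnet (192.168.40.0/24) works the same way.
src restricted {
    ip 192.168.40.20 192.168.40.21 192.168.40.22
}

# Target category "Allowed Sites" as a DOMAIN LIST. The file holds one entry
# per line; google.com also matches www.google.com and every other subdomain.
dest allowed_sites {
    domainlist allowed_sites/domains
}

acl {
    # Group ACL: refuse IP-literal URLs (squidGuard's built-in in-addr
    # destination), pass only the allow list, then "default access: deny".
    restricted {
        pass !in-addr allowed_sites none
        redirect http://192.168.40.1/sgerror.php?url=403
    }

    # Common ACL for every other client: "default access: allow".
    default {
        pass all
        redirect http://192.168.40.1/sgerror.php?url=403
    }
}
```

The file `allowed_sites/domains` under dbhome would then contain `google.com`, `uberti.com` and so on, one per line. The `none` at the end of the restricted `pass` line is the "default access: deny" the GUI shows: anything the allow list does not match falls through to it and is redirected. Writing `all` there instead would let the restricted hosts reach everything, which is worth checking first whenever a group ACL "does nothing".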



  • screens too large for one post

    ![Group ACL.jpg](/public/imported_attachments/1/Group ACL.jpg)



  • last one

    ![Common ACL.jpg](/public/imported_attachments/1/Common ACL.jpg)



  • Okay, I am going to give this a go and see how things turn out.

    The one thing I am having a hard time wrapping my head around is this: if I want access blocked to all sites except a few, how am I to possibly write down every IP or domain that a user could access? Wouldn't I be working on the list all day since there are seemingly an infinite amount of websites out there?  ???



  • @coachs88:

    > Okay, I am going to give this a go and see how things turn out.
    >
    > The one thing I am having a hard time wrapping my head around is this: if I want access blocked to all sites except a few, how am I to possibly write down every IP or domain that a user could access? Wouldn't I be working on the list all day since there are seemingly an infinite amount of websites out there?  ???

    Do not try to BLOCK all sites which you would not like to allow. Try it the other way:
    Just allow the sites you would like the users to access.
    This is exactly what my scenario above describes. The "default access" is what you describe as "all sites". This covers all sites for which you have no special rule.



  • I am going to try this first thing in the morning. I will post an update as soon as I've had a chance to implement the changes.



  • Before I implement this.. I thought that under the "Proxy Server" tab, I would leave the interface untouched because it technically applies to LAN and WAN, as it is supposed to block incoming and outgoing traffic. Am I wrong with this.. should I select only one?

    I am excited to try this new configuration. :)



  • Aehm…just apply it on your LAN interface(s).

    It makes no sense (for me) to use it on WAN interface because the firewall blocks by default everything from WAN.

    If you try to block google.com it would not make any sense to apply this on the WAN interface.

    So in short: In proxy server just use your LAN interface(s).



  • Ah! That part makes perfect sense now.

    The last thing I am stuck on (at the moment) is in the proxy server settings.. I have no idea what port to make the proxy listen in on. Should it be the default 80 or 8080? Or something else? Also, it will not let me enter a valid log file directory. I am on a windows machine and it seems to be requesting a Linux based path. Is there a way around this?

    Thanks again for your expertise and kindness. I really appreciate it!  :D



  • Hi,

    if Squid is running in "transparent mode" there is no need for you to enter a port (or better, it will not use the port you have entered). Squid is automatically listening on port 80 because this is the only port Squid can cache/log in transparent mode.

    If you are running Squid in non-transparent mode, then you can choose nearly any port you like. The default Squid port is 3128. In general there is no need to change this port.
    But if you are running Squid in non-transparent mode, then you will have to enter the proxy server address on EVERY client machine.
    If you did not enter this IP in the client's browser, then the client will not use the proxy and will bypass it. This makes it absolutely necessary that you block all other connections not going directly to your Squid. The only way for your LAN clients to go to the internet (www.google.com) must be this way:

    LAN-Client ---> Proxy (IP:port) ---> www.google.com

    It must not be:
    LAN-Client ---> www.google.com

    If your clients are running in an Active Directory (AD), then you can push the proxy setting via GPO. If not, you have to do this by hand.

    Log path:
    The log path of Squid is:
    /var/squid/logs
    on your pfSense machine. You cannot redirect these logs to a Windows machine (as far as I know) and it makes no sense. If you would like to have a look at the logs, just use the "lightsquid" package and you can analyze your Squid logs from the pfSense webGUI.
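The "must not be" path in this post is enforced by the firewall, not by Squid. As an added example (not from the post; the interface name, LAN subnet and proxy address are assumptions), these pf rules are the LAN-side policy that makes the proxy the only way out. In the pfSense GUI the same two rules go on the LAN interface, in this order, above the default "LAN to any" pass rule, because rules are matched first to last.

```conf
# Added example, assumed values: LAN interface "em1", LAN subnet
# 192.168.40.0/24, Squid listening on the firewall's LAN address
# 192.168.40.1:3128 (the default Squid port mentioned above).
lan_if  = "em1"
lan_net = "192.168.40.0/24"
proxy   = "192.168.40.1"

# 1. Clients may talk to the proxy.
pass in quick on $lan_if proto tcp from $lan_net to $proxy port 3128

# 2. Nothing else from the LAN may reach web ports directly. A browser
#    with the proxy setting removed now simply fails instead of bypassing
#    the filter. Port 443 is listed too: in transparent mode only port 80
#    is intercepted, so HTTPS would otherwise leave the LAN unfiltered.
block in quick on $lan_if proto tcp from $lan_net to any port { 80 443 }
```

Whatever the workstations legitimately need besides the proxy (DNS, the firewall's own web interface) needs its own pass rule above the block. A quick check from a restricted client is to clear the browser's proxy setting and confirm that a plain `http://` and an `https://` site both fail; if either still loads, the filter can be walked around.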



  • I finally was able to implement all the changes you suggested. I went to a client computer which was supposed to have limited access and it is still not working. I'm not sure if this is due to my little understanding of this proxy or what. I am at a loss of what to do at this point.  ???

    The workstation is still able to access websites in which are blocked by default. I am very confused.



  • Are you sure that your clients browse sites via the proxy?
    Define the proxy directly in the client's browser and check access again.



  • I guess I'm not sure, to be honest.

    I wanted it set up so the users didn't have to do anything, such as type in a proxy address. Won't they have to do it every time they log in or something? The users at my job are NOT technically inclined AT ALL.  I'm starting to feel as though I don't know enough to set this up.

    What do I need to do to understand this properly? Is it even going to be possible to get this working at this point with my level of understanding?



  • @coachs88:

    > I guess I'm not sure, to be honest.
    >
    > I wanted it set up so the users didn't have to do anything, such as type in a proxy address. Won't they have to do it every time they log in or something? The users at my job are NOT technically inclined AT ALL.  I'm starting to feel as though I don't know enough to set this up.
    >
    > What do I need to do to understand this properly? Is it even going to be possible to get this working at this point with my level of understanding?

    Now to the question of whether the filter is effective. Please do as I wrote above, and check its work.



  • Okay.. I tried this but I'm still doing something wrong.

    I'm not sure if I have the wrong proxy address or the wrong port.. I thought I entered the port I chose the proxy to listen to (3128) but that didn't work. Nor did port 8080 or 80. I must have the proxy address wrong. But if that isn't right I guess I don't know how else to find it.

    Unless my proxy filter settings are somehow messed up?

    I tried manually configuring the proxy in Mozilla Firefox.. and after I applied it no matter what site I chose, it wouldn't connect to any of them. At the bottom of the browser it just said "Connecting to ______.com" and then it would time out. :(

    Sorry for being so inexperienced. I'm glad you folks are willing to push me in the right direction.



  • It is possible to see a screenshot of the settings of your proxy squid ? (pfsense - proxy's first page)



  • Certainly!




  • Here's the second part.




  • You have to check "Allow users on interface" so that the clients on your LAN interface are able to use the proxy.

    Further you have checked "transparent proxy". This is okay. In this case you do not have to enter any proxy setting in your clients browser.



  • Okay. So now I have users allowed to interface and it is partially working.. but it is blocking all websites again, for all users. Not just the limited workstations.

    I followed all previous directions and thought this would get everything. I can tell it's going in the right direction so I must have the proxy filter set up wrong somehow.. also, is there anything I need to do in the access control tab?

    If I attach more screen shots would you be able to tell me what I'm doing wrong?



  • You could post screens of Target categories, group acl and common acl.

    But I think, if all users get blocked, you have to go to "Common ACL" and check "allow" there for any target rules.



  • Here you go. Hope these help.




  • Group ACL




  • Target categories




  • Hi,

    in "Common ACL" and "Group ACL" it would be necessary to see what is in "Target Rules List (click here)"

    Further, in "Groups ACL": Why did you enter every single IP in Client (source)? Why didn't you just enter a whole subnet, 192.168.40.0/24?

    "Target Categories"…...you haven't entered anything there. This makes no sense. Either you enter the sites you want to ALLOW or you enter the sites you want to block.

    What do you want to realize?
    What should the hosts you entered in "Group ACL" be able to do?
    Do you just want to block some sites like porn or something else, or do you want everything on the internet blocked except some sites?



  • Sorry.. that was a bad screen shot. I do have stuff entered in the target categories. here is a better one.

    There is only 1 subnet at my company. I entered individual clients as a way to separate restricted workstations from admin workstations.

    What I want to happen is this: restricted workstations have EVERYTHING blocked except a few websites which are needed to do their job. Everything else must be blocked. I.e personal email, facebook, youtube, porn, etc etc. Which is why I want it all blocked by default for those certain workstations. Does that make sense? I hope this screenshot clears up some confusion.




  • okay.

    I think there is a mistake in the "Expressions" block.
    Expressions are - that's the way I understand it - matched if a URL contains a word from this list. For example, if the expression is:

    .porn.

    This means every URL with the word "porn" at the front, at the end or somewhere in the middle is blocked:
    www.XYZporn.com
    www.pornXYZ.com
    www.ABCpornXYZ.com

    You have to put your IPs and URLs in the block "Domain list".
    The text above explains it. Just enter there:

```
google.com 12.23.34.45 12.12.34.34 34.34.34.34 example.com amazon.com
```

    PS: If you are using IPs, you must be sure that you didn't check the box "Do not allow IP addresses in URLs".
    It is better to use domain names in the "domain list", so the IP behind a domain can change and you do not need to update this in SquidGuard from time to time. If it is not possible to use domain names, then remember the checkbox "Do not allow IP addresses in URLs".

    To your question if this make sense:
    Yes it does. I am doing this the same way.



  • Sorry for the delayed reply.. haven't been into work for a few days, have been terribly sick with mono.

    Anyway, I tried your suggestion of instead of having expressions, having all the domains I want to whitelist instead. Now instead of them all getting blocked on all workstations, it isn't blocking anything at all!

    Should I post screen shots again? I really don't understand what I'm missing at this point.



  • Sure, you can post again all tabs of SquidGuard.

    But you want to realize the same as I am doing and I posted all necessary options in my screenshots. Perhaps you are missing one little checkbox ;-)

    Further, after changing anything in SquidGuard, are you clicking "Save" and after this "Apply" on the first tab of SquidGuard? This is necessary for a working proxy filter!



  • Okay. Here are the updated screenshots. I hope you can help.

    Filter is working perfectly on limited workstations but it isn't allowing all access to admin workstations.




  • Another




  • Next




  • Next




  • Last one




  • Hi,

    proxy3.png:

    uncheck "Do not allow IP addresses bypass"
    default access: allow and NOT deny.
    This page is for the admin workstations, as you call them ;)
    Everything that you deny on this page is a restriction for your admin workstations.

    proxy4.png:
    Is OK, but here you can check:
    "Do not allow IP addresses bypass" BUT ONLY if you do not have any IP addresses in proxy5.png

    Heads up - you got it :-)

