Understanding SquidGuard ACL - hierarchy

  • Hello all.

    I have been experimenting with pfSense for a few weeks now. I am using 1.2.3 at the moment, primarily because most of the information I find is for 1.2.3; v2.0 is not as clear when looking for help. I plan to use 2.0 after I understand what I am doing.

    Anyway, I have my pfSense box working fine, I have set my iptable rules and port forwards, all is going as expected. It is a simple setup, one NIC to the DSL Modem, one to the LAN, using Pretty basic.

    I installed Squid and Squid Guard. Squid works, not too hard to understand. I am currently testing how I can limit my kids and unknown machines to a 'kid friendly' set of websites while allowing my known machines no restrictions.

    I created a TargetCategory:
    no redirect or expressions

    I created a group ACL:
    Client(source): (my computers IP)
    Time: not using
    TargetRules: kids-test
    No redirects or other options needed for this test

    I did APPLY this, I understand that has to be done. I do understand that the Default Access [All] target applies to everything. I have seen mention that you would want to use the value "whitelist" for the [All] target group, but I don't see that option. The results are listed here.

    kids-test (allow) All (allow) -- allowed to go anywhere
    kids-test (whitelist) All (allow) -- allowed to go anywhere
    kids-test (allow) All (deny) -- can go nowhere
    kids-test (whitelist) All (deny) -- can go nowhere

    I also decided that the common ACL rule might come into play, so I tried the above settings (group ACL) with [All]-deny and [All]-allow in the common ACL menu, but the results did not change.

    SquidGuard is working, that much is certain. It denies my computer to go anywhere http when it is engaged, I just cannot get the filtering to work properly.

    Next I decided to try out multiple group ACLs. I had thought that perhaps the logic was such that if I created a group ACL for the entire subnet ( and set that to [All]-Deny, and set that as the 2nd ACL (after my test1 ACL), perhaps then the kids sites would be allowed because they were in a target category (whitelisted) but that other requests would fall to the next ACL, which would deny all.

    I am not exactly a stranger to hierarchy, I understand how it works. I don't see a method to the madness here though, at least not one I can find documented. There are a lot of ways to do this from a prompt, but I don't really have the experience to go mucking around with command line syntax. Besides, I had thought it would be pretty straightforward with a nice GUI. There is of course a high probability that I am not doing something correctly. I have read many articles and threads about this, and I thought with my basic test it would work easily, but I was mistaken.

    I understand there have been many, many questions regarding Squid and SquidGuard. I apologize I have to add yet another one, but after many hours messing with this, I either need some help or I am going to go back to my Dlink router, which poses no such problems because it is so void of options  :D


  • This is a good thread, and it seems that it would be very easy to apply.

    I followed this, creating a target to allow lego.com, setting the group ACL to my IP, setting the target to whitelist and all to deny. It again denied everything. If I set the target to deny, and all to allow, then it works just as expected: lego.com is denied but all other traffic is allowed.

    So the trick, it seems, is how to get everything denied by default within a group ACL, but still allow the whitelisted target category to get through.


  • Group ACL:
    kids-test: whitelist
    Default access [all]: deny

    Common ACL:
    kids-test: whitelist
    Default access [all]: allow

    Did you try this ?

  • Yes, I did try that.

    I was reading your tutorial you put up in that other thread, the one here

    and I noticed you mentioned it would not work with transparent proxy

    Therefore with transparent proxy squidGuard can use only Common access (‘Default’ page).

    I am using transparent proxy. In my testing with transparent proxy, the common ACL has no bearing on the group ACL. I did this:

    Group ACL:
    kids-test: whitelist or allow
    default access:deny

    It denies everything, regardless of what the common ACL is set to. One thing that confuses me is that in one of your screenshots from that quick guide, you seem to have a default access combo-box with the value of "whitelist". I installed v2.0 in VMware, and in neither 1.2.3 nor 2.0 have I ever seen the option value "whitelist" in the default access combo box.

    I had initially put on the Shalla blacklist, but after I encountered this not working, I disabled the blacklist so that I can learn with a very simple ruleset. I am at a loss as to why, and suppose it must be due to transparent proxy being enabled.

    My goal is not too complicated really; maybe I should approach it a different way. I want to be able to map all my LAN IPs to a static IP mapped in pfSense. Then my DHCP range can be narrow, for any guests. Then I was going to apply a SquidGuard group ACL for my known IPs which would grant free access, a different group ACL for my kids' known IPs, which would grant them only safe sites, and then I was going to force all other IPs within the subnet into the kids ACL, so that any visitor would, without my permission, only get what my kids get. This is because they bring wireless devices/laptops over and up till now I have had no control using my normal Dlink router.

    If I had to use standard proxy (without transparent), I was concerned that a savvy user would simply change the proxy setting in the OS, or guest machines would not have it set to proxy 8080 or whatever I used. My next step is perhaps to look and see if I can't just forward all TCP 80 traffic to the proxy port. I haven't used iptables much really, I am normally a Windows user, but it seems a logical step to force the whole subnet or a segment of the subnet to use the proxy port.

    Thanks for replying. Hopefully you can steer me in the right direction.


  • I am confused now.

    My pfSense box is using PPPoE on the NIC to the dsl modem.
    It is at on the LAN side.
    I configured Squid to use default 3128 port for proxy. I turned off transparent proxy.
    I configured browser to use proxy
    I deleted all Group ACL.
    I created TargetCategory named KIDS to allow one domain: lego.com.
    I set the Common ACL to allow (also tried whitelist) and set Default Access to deny.
    Proxied browser gets error 403 forbidden when going to any website, including lego.com.
    Non-proxied browser can go anywhere (as expected).

    It seems something is not working at a very basic level then?


    EDIT: I have been making sure to hit save and then apply, and even did a reboot just in case; it makes no difference, it seems.

  • It gets a little stranger.

    Here is my KIDS TargetCategory (domains list)

    lego.com starwars.com barbie.com

    I decided to add a few more. With more than one (lego.com) in the list, now it works, sort of. If I navigate to google.com, it is denied, as expected. If I navigate to lego.com, it is denied, not expected. If I navigate to either starwars.com or barbie.com, it works. For some reason, the first entry (or a lone entry) is being blocked.


    That's strange. I am using more than one domain in the list, too, and it is working as it should. It is working with the first and the last domain in the list… I am not at work the next two weeks so I could not test my configuration with an actual snapshot of pfSense, but at the end of July it worked ;)

    Perhaps you can try to enter the domain "lego.com" twice in the list.

    lego.com lego.com barbie.com starwars.com

    Further, you could check the logs of SquidGuard; perhaps there is some information there.
    Did you check the box "Not to allow IP addresses in URL"? This should be UNchecked on "Common ACL" and checked on "Group ACL". If this is your actual configuration, then try to UNcheck it in "Group ACL".

  • Well, since I am experimenting with this, I went ahead and reinstalled. I configured all my settings the way I wanted them, then installed squid and squidguard. I got squid working first, verified it blocked transparently. Next I enabled squidguard, and followed your examples. For whatever reason, it works fine now. Perhaps there was a messed up config file somewhere before.

    I have not installed Shalla blacklist yet. I have 3 target categories and 2 group acls, and it appears to work with transparent proxy.

    If I wanted to look at logs, would I have to check the option in the Squid or SquidGuard area, and then check the package logs? I looked for the logs, but only see system logs, in which Squid is not present.

    Can anyone give some clarification then on the hierarchy of this? For example, I think it works like this, but not sure.

    Incoming request with transparent proxy enabled
    bypasses iptables
    goes to squid, if bypass for source IP matches, then goes to iptables
    goes to squid guard
    if no match of group acl, then uses common acl
    if match on group acl, then group acl are examined
    if IP exist in first group ACL, filters applied, subsequent ACLs don't matter
    if IP not exist in first group ACL, step to next group ACL until match is found

    Once request is filtered to common ACL or group ACL, filtering works like this:
    any custom targets with allow or whitelist are approved, traffic request allowed outbound
    if no whitelist or allow is found, then requests are either allowed or denied according the DefaultAccess

    Does that sound correct?

    Then, I can create a Group ACL for, let's say, 2 IPs, with some allowed whitelist domains, and the last Group ACL would be for the whole subnet or a range of the subnet, which would apply to every IP "except" those 2 in the prior group ACLs. Correct?

    Thanks for taking the time to help. Much appreciated.
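    The evaluation order sketched in the post above (ordered Group ACLs matched by client IP, Common ACL as fallback, then per-ACL target rules before Default Access) and the three-tier setup described earlier in the thread (known IPs free, kids' IPs restricted, everyone else restricted), modelled as a small simulator. This is an added example, not the pfSense package's or squidGuard's own code; the IPs, category names and the rule that whitelist entries are checked before deny entries are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Acl:
    name: str
    sources: list        # CIDR strings; empty list = Common ACL (matches everyone)
    targets: dict        # target category -> "whitelist" | "allow" | "deny"
    default_access: str  # "allow" | "deny", applied when no target matches

# Constructed target category; the thread's KIDS list.
CATEGORIES = {"KIDS": {"lego.com", "starwars.com", "barbie.com"}}

def host_in_category(host, domains):
    """Domain-list match: the host itself or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def select_acl(client_ip, group_acls, common_acl):
    """First Group ACL (in 'Order') whose source contains the client wins."""
    ip = ip_address(client_ip)
    for acl in group_acls:
        if any(ip in ip_network(net) for net in acl.sources):
            return acl
    return common_acl

def evaluate(client_ip, host, group_acls, common_acl):
    """Return (decision, acl_name) for one request."""
    acl = select_acl(client_ip, group_acls, common_acl)
    # Assumption: whitelist is checked before deny, deny before plain allow,
    # so a whitelisted category is never overridden by a broader deny target.
    for wanted in ("whitelist", "deny", "allow"):
        for cat, action in acl.targets.items():
            if action == wanted and host_in_category(host, CATEGORIES[cat]):
                return ("deny" if action == "deny" else "allow", acl.name)
    return (acl.default_access, acl.name)

def thread_setup():
    """Constructed ACL order: parents first, then the kids' PC, then the whole LAN."""
    parents = Acl("parents", ["192.168.1.10/32"], {}, "allow")
    kids = Acl("kids", ["192.168.1.50/32"], {"KIDS": "whitelist"}, "deny")
    guests = Acl("guests", ["192.168.1.0/24"], {"KIDS": "whitelist"}, "deny")
    common = Acl("common", [], {}, "allow")
    return [parents, kids, guests], common

if __name__ == "__main__":
    groups, common = thread_setup()
    for ip, host in [("192.168.1.10", "google.com"), ("192.168.1.50", "google.com"),
                     ("192.168.1.50", "www.lego.com"), ("192.168.1.77", "google.com")]:
        print(ip, host, evaluate(ip, host, groups, common))
```

    Note that the parents' /32 must precede the /24 guest ACL: with the order reversed, the broader source would match first and the parents would inherit the kids' restrictions.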


  • Hi sully,

    thanks for your feedback. Nice to hear that it is working now and we didn't do something wrong :)

    If you would like to see whether SquidGuard is blocking sites correctly, then you have to enable the logs in SquidGuard. In SquidGuard there is a tab "Log" in which you find all logs belonging to SquidGuard. So here you can see if your son is browsing lego.com and then there is a redirect to another domain, e.g. lego-xyz.com, and then this page will be blocked. So you are able to find out the URL which is blocked and then can add this to your target rules.

    The logging capability of Squid is for the whole traffic which passes Squid. It shows you URLs and IPs. I think this is not what you intend to do.

    How the hierarchy is working exactly I do not know, because I just have got one target rule and one Group ACL. But your order sounds good. In Group ACL you have one option on top, "Order". I think this is the order in which the Group ACLs will be applied. If you do further tests in this case, please post back your results.
