Understanding SquidGuard ACL - hierarchy

sully

Hello all.

I have been experimenting with pfSense for a few weeks now. I am using 1.2.3 at the moment primarily because most of the information I find is for 1.2.3, v2.0 is not as clear when looking for help. I plan to use 2.0 after I understand what I am doing.

Anyway, I have my pfSense box working fine, I have set my iptable rules and port forwards, all is going as expected. It is a simple setup, one NIC to the DSL Modem, one to the LAN, using 192.168.1.0/24. Pretty basic.

I installed Squid and Squid Guard. Squid works, not too hard to understand. I am currently testing how I can limit my kids and unknown machines to a 'kid friendly' set of websites while allowing my known machines no restrictions.

I created a TargetCategory:
Name:kids-test
Domains:lego.com
no redirect or expressions

I created a group ACL:
Name:test1
Client(source):192.168.1.10 (my computers IP)
Time: not using
TargetRules: kids-test
No redirects or other options needed for this test

I did APPLY this, I understand that has to be done. I do understand that the Default Access [All] target applies to everything. I have seen mention that you would want to use the value "whitelist" for the [All] target group, but I don't see that option. The results are listed here.

Targets:
kids-test (allow) All (allow) – allowed to go anywhere
kids-test (whitelist) All (allow) -- allowed to go anywhere
kids-test (allow) All (deny) -- can go nowhere
kids-test (whitelist) All (deny) -- can go nowhere

I also decided that the common ACL rule might come into play, so I tried the above settings (group ACL) with [All]-deny and [All]-allow in the common ACL menu, but the results did not change.

SquidGuard is working, that much is certain. It denies my computer to go anywhere http when it is engaged, I just cannot get the filtering to work properly.

Next I decided to try out multiple group ACLs. I had thought that perhaps the logic was such that if I created an group ACL for the entire subnet (192.168.1.0/24) and set that to [All]-Deny, and set that as the 2nd ACL (after my test1 ACL), perhaps then the kids sites would be allowed because they were in a target category (whitelisted) but that other requests would fall the the next ACL which would deny all.

I am not exactly a stranger to heirarchy, I understand how it works. I don't see a method to the madness here though, at least not one I can find documented. There are a lot of ways to do this from a prompt, but I don't really have the experience to go mucking around with command line syntax. Besides I had thought it would be pretty straight forward with a nice GUI. There is of course a high probability that I am not doing something correctly. I have read many articles and threads about this, and I thought with my basic test it would work easily, but I was mistaken.

I understand there have been many many questions regarding Squid and SquidGuard. I apologize I have to add yet another one, but after many hours messing with this, I either need some help or I am going to go back to my Dlink router which poses no such problems because it is so void of options  :D

Sul.

sully

This is a good thread, and it seems that it would be very easy to apply.

http://forum.pfsense.org/index.php/topic,39062.msg201339.html#msg201339

I followed this, creating a target to allow lego.com, setting the group acl to my IP, setting the target to whitelist and all to deny. It again denied everything. If I set the target to deny, and all to allow, then it works just as expected, lego.com is denied but all other traffic is allowed.

So the trick it seems it how to get everything denied by default within a group ACL, but still allow the whitelisted target category to get through.

Sul.

Nachtfalke

Group ACL:
kids-test: whitelist
Default access [all]: deny

Common ACL:
kids-test: whitelist
Default access [all]: allow

Did you try this ?

sully

Yes, I did try that.

I was reading your tutorial you put up in that other thread, the one here
http://diskatel.narod.ru/sgquick.htm

and I noticed you mentioned it would not work with transparent proxy

Therefore with transparent proxy squidGuard can use only Common access (‘Default’ page).

I am using transparent proxy. In my testing with transparent proxy, the common ACL has no bearing on the group ACL. I did this:

Group ACL:
kids-test: whitelist or allow
default access:deny

It denies everything, regardless of what common ACL is set to. One thing that confuses me, is that in one or your screenshots from that quick guide, you seem to have a default access combo-box with the value of "whitelist". I installed v2.0 in vmWare, and in niether 1.2.3 or 2.0, I have never seen the option value "whitelist" in the default access combo box.

I had initially put on shalla blacklist, but after I encountered this not working, disabled the blacklist so that I can learn with a very simple ruleset. I am at a loss as to why, and suppose it must be due to transparent proxy enabled.

My goal is not too complicated really, maybe I should approach it a different way. I want to be able to map all my LAN IPs, to a static IP mapped in pfSense. Then my dhcp range can be narrow, for any guests. Then I was going to apply a squid guard group ACL for my known IPs which would grant free access, a different group ACL for my kids known IPs, which would grant them only to safe sites, and then I was going to force all other IPs within the subnet into the kids ACL, so that any visitor would, without my permission, only get what my kids get. This is because they bring wireless devices/laptops over and up till now I have no control using my normal Dlink router.

If I had to use standard proxy (without transparent), I was concerned that a saavy user would simply change proxy setting in OS, or guest machines would not have it set to proxy 8080 or whatever I used. My next step is to perhaps look and see if I can't just forward all tcp 80 traffic to the proxy port. I haven't used iptables much really, I am normally a windows user, but it seems a logical step, to force the whole subnet or a segment of the subnet to use the proxy port.

Thanks for replying. Hopefully you can steer me in the right direction.

Sul.

sully

I am confused now.

My pfSense box is using PPPoE on the NIC to the dsl modem.
It is at 192.168.1.1 on the LAN side.
I configured Squid to use default 3128 port for proxy. I turned off transparent proxy.
I configured browser to use proxy 192.168.1.1:3128.
I deleted all Group ACL.
I created TargetCategory named KIDS to allow one domain: lego.com.
I set the Common ACL to allow (also tried whitelist) and set Default Access to deny.
Proxied browser gets error 403 forbidden when going to any website, including lego.com.
Non-proxied browser can go anywhere (as expected).

It seems something is not working at a very basic level then?

Sul.

EDIT: I have making sure to hit save and then apply, and even did a reboot just in case, makes no difference it seems.

sully

It gets a little stranger.

Here is my KIDS TargetCategory (domains list)

lego.com starwars.com barbie.com

I decided to add a few more. With more than one (lego.com) in the list, now it works, sort of. If I navigate to google.com, it is denied, as expected. If I navigate to lego.com, it is denied, not expected. If I navigate to either starwars.com or barbie.com, it works. For some reason, the first entry (or a lone entry) is being blocked.

Sul.

Nachtfalke

That's strange. I am using more than one domain list, too, and it is working as it should. It is working with the first and the last domain in the list… I am not at work the next two weeks so I could not test my configuration with an actual snapshot of pfsense but on end july it has worked ;)

Perhaps you can try to enter the domail "lego.com" twice in the list.

lego.com lego.com barbie.com starwars.com

Further you could check the logs of squidguard. perhaps there are some information.
Did you check the box "Not to allow IP addresses in URL"? This should be UNchecked on "Common ACL" and checked on "Group ACL". If this is you actual configuration then try to UNcheck in "Group ACL".

sully

Well, since I am experimenting with this, I went ahead and reinstalled. I configured all my settings the way I wanted them, then installed squid and squidguard. I got squid working first, verified it blocked transparently. Next I enabled squidguard, and followed your examples. For whatever reason, it works fine now. Perhaps there was a messed up config file somewhere before.

I have not installed Shalla blacklist yet. I have 3 target categories and 2 group acls, and it appears to work with transparent proxy.

If I wanted to look at logs, would I have to check the option in the squid or squidguard area, and then check the package logs? I looked for the logs, but only see system logs which squid is not present.

Can anyone give some clarification then on the hierarchy of this? For example, I think it works like this, but not sure.

Incoming request with transparent proxy enabled
bypasses iptables
goes to squid, if bypass for source IP matches, then goes to iptables
else
goes to squid guard
if no match of group acl, then uses common acl
if match on group acl, then group acl are examined
if IP exist in first group ACL, filters applied, subsequent ACLs don't matter
if IP not exist in first group ACL, step to next group ACL until match is found

Once request is filtered to common ACL or group ACL, filtering works like this:
any custom targets with allow or whitelist are approved, traffic request allowed outbound
if no whitelist or allow is found, then requests are either allowed or denied according the DefaultAccess

Does that sound correct?

Then, I can create a Group ACL for lets say 2 IPs, with some allowed whitelist domains, and the last Group ACL would be for the whole subnet or a range of the subnet, which would apply to every IP "except" those 2 in the prior group ACLs. Correct?

Thanks for taking the time to help. Much appreciated.

Sul.

Nachtfalke

Hi sully,

thanks for your feedback. Nice to hear, that it is working now and we didn't something wrong :)

If you like to see, if squidguard is blocking sites correctly than you have to enable the logs in squidguard. In squidguard there is a tab "Log" in which you find all logs according to squidguard. So here you can see if you son is browsing lego.com and then there is a redirect to another domain, e.g. lego-xyz.com and then this page will be blocked. so you are able to find out the URL which is blocked and than can add this to your target rules.

The logging capability of squid is for the whole traffic which passes squid. it shows you urls, ips. I think this is not what you intend to do.

How the hierarchy is working exaclty I do not know because I just have got one target rule and one Group ACL. But your order sounds good. But in Group ACL you have one option on top "Order". I think this is the order the Group ACLs will be apllied. If you do further tests in this case please post back your results.