Squidguard: setup with two time setups doesn't work



  • System:

    pfSense 2.0 i386
    Squid: 2.7.9_4.2
    Squidguard: 1.4_2 pkg v.1.9

    I need a setup with three different time based restriction periods:

    1: allow all except some websites (i.e. xxx) --> Did this with Common ACL, allow all and block certain categories
    2: only allow one website between x pm and y pm --> Made a time for this period, a target category for this one website, added a group ACL which allows in that timezone, only the allowed target category and for all sites: deny all ontime (and allow offtime)
    3: allow all except some more websites (i.e. social net) between y pm and z pm --> Made a second time for this period, added a group ACL which blocks social net. ontime and allows it offtime.

    Everything works until the 3rd group ACL is made.
    During period 2, everything works out fine.
    During period 3, people can browse EVERY site (common ACL deny and Group ACL for that time period are ignored)
    During period 1, people can browse EVERY site (common ACL deny are ignored)

    When I switch the order of Group ACL 2 and 3, social network sites are blocked, but the common ACL is still ignored.





  • @dvserg:

    Look this
    http://diskatel.narod.ru/sgquick.htm

    Thank you for being so ignorant by not answering/reading my question and sending me to a default 'howto setup' squidguard page.
    Maybe you could have answered: google
    Would have saved you copy/pasting the link….

    My squidguard is already running with the setup described in my post but doesn't do what it's supposed to do. A default setup guide won't help me with this...

    So I'll try again: when I enter a second Group ACL with a specific time period, the common ACLs are ignored (ontime and offtime) and the second group ACL doesn't deny the 'blocked' sites (ontime)



  • I need a setup with three different time based restriction periods:

    1: allow all except some websites (i.e. xxx) --> Did this with Common ACL, allow all and block certain categories
    2: only allow one website between x pm and y pm --> Made a time for this period, a target category for this one website, added a group ACL which allows in that timezone, only the allowed target category and for all sites: deny all ontime (and allow offtime)
    3: allow all except some more websites (i.e. social net) between y pm and z pm --> Made a second time for this period, added a group ACL which blocks social net. ontime and allows it offtime.

    I'm sorry, I did not know that you've already seen this link http://diskatel.narod.ru/sgquick.htm :

    Access Control List (ACL)

    For extended possibilities you can manage selected clients via ACL rules

    Notes:
    ACL must have unique name.
    You can disable and enable this rule with Disable option
    ACL based on first-Order position. If source IP you clients found first ACL in list – his will processed with rule.
    Error example:
     0-order A_rule for Source 10.0.0.0/24
     1-order B_rile for Source 10.0.0.15. In this situation
    In this situation B_rule never applying for 10.0.0.15 source, becose A_rule already worked
    Right example:
    0-order B_rule for Source 10.0.0.15
    1-order A_rile for Source 10.0.0.0/24


    If a matching ACL exists, the first-matched ACL will apply; otherwise the Common ACL will apply.



  • So technically, it is impossible to have a system with three different "time rules".

    Common rule: deny 'forbidden' websites (ie. xxx)
    Rule 0: deny all websites except allowed website - offtime: allow normal situation (common rules apply) this between 14-16h for specified subnet.
    Rule 1: deny all specified categories - offtime: allow normal situation (common rules should apply) this between 16-18h for same specified subnet.

    If I understand the document correctly, this means that between 16-18h Rule 0 will apply but then with the offtime settings where I want to have the ontime rules from Rule 1 used. So three different "time rules" for the same network set is impossible?

    This also doesn't explain why xxx websites aren't blocked in offtime of Rule 0. BLK_Porn has in the offtime of Rule 0 a "---" so the common rule should apply which is deny. This only works like this when I remove Rule 1.



  • @klazoid:

    So three different "time rules" for the same network set is impossible?

    Yes, impossible.
    One SRC Client = One ACL.
    Each ACL has 2 rulesets managed by Time ((1) on-time rules / (2) off-time rules)



  • Thx, that's what I wanted to know (but don't like as the answer :) )
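
The first-match behaviour described in this thread ("One SRC Client = One ACL", each ACL with an on-time and an off-time ruleset) can be modelled in a few lines. This is an added example, not part of the thread and not squidGuard's own code. The subnet, client address, category names, class names and `decide` function are constructed for illustration, and the off-time rulesets are spelled out explicitly rather than inherited from the Common ACL.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Ruleset:
    deny: frozenset = frozenset()   # categories explicitly denied
    allow: frozenset = frozenset()  # categories explicitly allowed
    default_allow: bool = True      # what happens to everything else

    def permits(self, category):
        if category in self.deny:
            return False
        return category in self.allow or self.default_allow

@dataclass(frozen=True)
class GroupACL:
    name: str
    source: str      # CIDR of the clients this ACL covers
    start: time      # on-time window is [start, end)
    end: time
    ontime: Ruleset
    offtime: Ruleset

def decide(acls, common, client, now, category):
    """Return (acl name, ruleset used, allowed?) under first-match ordering."""
    for acl in acls:
        if ip_address(client) in ip_network(acl.source):
            # The first ACL whose source matches owns the client for the whole day.
            on = acl.start <= now < acl.end
            ruleset = acl.ontime if on else acl.offtime
            return acl.name, "ontime" if on else "offtime", ruleset.permits(category)
    return "common", "common", common.permits(category)

# Constructed policy mirroring the thread: one subnet, two time windows.
COMMON = Ruleset(deny=frozenset({"porn"}))
RULE0 = GroupACL("rule0", "10.0.0.0/24", time(14), time(16),
                 ontime=Ruleset(allow=frozenset({"allowed_site"}), default_allow=False),
                 offtime=Ruleset(deny=frozenset({"porn"})))
RULE1 = GroupACL("rule1", "10.0.0.0/24", time(16), time(18),
                 ontime=Ruleset(deny=frozenset({"porn", "social"})),
                 offtime=Ruleset(deny=frozenset({"porn"})))

if __name__ == "__main__":
    for order in ([RULE0, RULE1], [RULE1, RULE0]):
        for hour in (15, 17):
            print([a.name for a in order], f"{hour}:00",
                  decide(order, COMMON, "10.0.0.15", time(hour), "social"))
```

With `rule0` first, a social-network request at 17:00 is answered by `rule0`'s off-time ruleset and allowed. With the order swapped, the 14-16h restriction is lost instead, because `rule1`'s off-time ruleset answers at 15:00.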

