Time Based restriction with Squid & Squid Guard
-
Hi friends.
I have set up squid and squid guard on my pfsense box.
It's working perfectly, but I cannot manage to get time-based restriction to work.
In my opinion I did everything right, but the filter is still locking users even after office hours, which I defined in Time.

```
# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================

logdir /var/squidGuard/log
dbhome /var/db/squidGuard

# office-Hours 9:00AM to 17:00PM
time Office__Hours {
    weekly * 09:00-17:00
}

# Facebook Book Allowed IP ACL
src FB-Allow-ACL {
    ip 192.168.110
    ip 192.168.251
    ip 192.168.249
    ip 192.168.114
    ip 192.168.113
}

# Facebook Book Block ACL
src FB-Block-ACL {
    ip 192.168.0/24
}

# block-facebook-during-office-hours
dest block-facebook {
    domainlist block-facebook/domains
}

rew safesearch {
    s@(google../search?.q=.)@&safe=active@i
    s@(google../images.q=.)@&safe=active@i
    s@(google../groups.q=.)@&safe=active@i
    s@(google../news.q=.)@&safe=active@i
    s@(yandex../yandsearch?.text=.)@&fyandex=1@i
    s@(search.yahoo../search.p=.)@&vm=r&v=1@i
    s@(search.live../.q=.)@&adlt=strict@i
    s@(search.msn../.q=.)@&adlt=strict@i
    s@(.bing..*/.q=.)@&adlt=strict@i
}

acl {
    # Facebook Book Allowed IP ACL
    FB-Allow-ACL {
        pass block-facebook all
    }
    # Facebook Book Block ACL
    FB-Block-ACL within Office__Hours {
        pass !block-facebook all
    } else {
        pass block-facebook all
        redirect http://192.168.250:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    default {
        pass all
        redirect http://192.168.250:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}
```

I would appreciate it if any of you unix and pfsense nerds could help me find out where I went wrong.
thanks
kalu -
Extreme apologies, my subnet is 192.168.1.0/24.
For some reason, while copying & pasting I missed out the 1 -
Take a look on this topic
http://forum.pfsense.org/index.php/topic,41747.msg222093.html#msg222093 -
Thanks marcelloc, I'll try that
-
Sorry to let you know that it didn't work.
If I restart the squidguard, the rules work,
so for the time being I had to restart the squid after office hours.
:(
Any helping hand is really appreciated -
Are you using a custom error page on squidguard?
Can you include an expire now html code on it?
or
-
Hi
No, I'm not using custom error page. -
We (kalu and I) have made a custom error page with the code above and some text. It happily redirects there when the page is blocked. But still, SquidGuard does not change from blocking to unblocking and vice-versa at the nominated times. SquidGuard comes up correctly according to the system time when the system boots, or when we restart SquidGuard. But it doesn't seem to take any notice of the current system time as the date/time changes.
We are seeing this on all 4 of our pfSense systems running 2.0.1 nanobsd on Alix boards from NetGate. It seems that some people have this problem, but others do not. Maybe this is related to nanobsd? Maybe there is something in the way that SquidGuard knows the system time that is not working properly on nanobsd? Something related to directories that are readonly on nanoBSD? I am just guessing!
Does anyone have SquidGuard working with times on nanobsd?
The current workaround is to restart SquidGuard as we arrive in the morning and leave in the evening - at the rule time change points.
If anyone can see the problem with our settings, we will be grateful.
-
Same problem for me :-(
-
I am also facing the same problem with pfSense 2.0.1, squidGuard 1.4_2 pkg v.1.9.1 and squid 2.7.9 pkg v.4.3.1 on Atom D410 machine serving 300 users.
When squidGuard used to work properly, there were messages in the log file /var/squidGuard/log/squidGuard.log to that effect:
2012-02-29 11:26:33 [47310] Info: recalculating alarm in 3505 seconds
But now, it doesn't do it automatically. Also, I am seeing a lot of messages about by-pass attempts using multiple slashes:
2012-02-29 11:30:21 [47310] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://www.microsoft.com/genuine//static/images/wol/Win7TopLogo.png
2012-02-29 11:30:21 [47310] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://www.microsoft.com/genuine//static/images/wol/merged/gl_horizontal_grad_search.png
The workaround for now is a script that restarts squidGuard every 30 minutes from a remote server by logging onto webGUI over https.
-
Yes, I'm thinking of a cron job to restart squidguard that executes at 9:00AM and 17:00PM
:( -
I'm sure I noticed this problem on V2.0 also - I don't think that it is a V2.0.1 regression.
-
Also having the same problem here running 2.0-RC1.
Squid: 2.7.9 pkg v.4.3.1
Squidguard: 1.4_2 pkg v.1.9.1
I also get the logs about a 'Possible bypass attempt'.
Any news on a fix? Have been through this thread: http://forum.pfsense.org/index.php/topic,41747.msg222093.html#msg222093
But the fix did not work for me. -
Did you configure the error response to 302?
http://forum.pfsense.org/index.php/topic,41747.msg225863.html#msg225863 -
No. It's set at "int error page (enter error message)"
It's not a browser cache issue. I have also tested simply doing
"telnet <ip-address> 3128"
and requesting page with
"GET http://in.rediff.com HTTP/1.0"
<enter><enter>
SquidGuard tells in the log whenever it kicks a scheduler by logging "recalculating alarm in xxx seconds" depending on how many seconds are remaining to kick on or off a scheduler.
My observation is that it forgets about its timekeeping job, until kicked with a reconfigure command.
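
Added example (not part of the thread, and not squidGuard or pfSense code): a log check built on the observation above that a working squidGuard logs "recalculating alarm in N seconds". It flags any helper PID that keeps logging after its announced alarm time without re-arming; the function name, the 60-second grace period and the lines marked constructed are assumptions.

```python
import re
from datetime import datetime, timedelta

# "<date> <time> [<pid>] <message>", the squidGuard.log layout quoted in the thread.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
ALARM_RE = re.compile(r"recalculating alarm in (\d+) seconds")

def stale_helpers(log_lines, grace_seconds=60):
    """Return {pid: missed_deadline} for helpers that logged anything after
    their announced alarm time without logging a new 'recalculating alarm'."""
    deadline = {}  # pid -> time the last announced alarm should fire
    stale = {}
    for raw in log_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped squidGuard line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        pid = int(m.group(2))
        alarm = ALARM_RE.search(m.group(3))
        if alarm:
            # Helper re-armed its timer: record the new deadline, clear any flag.
            deadline[pid] = ts + timedelta(seconds=int(alarm.group(1)))
            stale.pop(pid, None)
        elif pid in deadline and ts > deadline[pid] + timedelta(seconds=grace_seconds):
            # Still alive and logging, but the time switch never happened.
            stale[pid] = deadline[pid]
    return stale

# The PID 47310 lines before 12:00 are quoted from the thread; the rest are constructed.
SAMPLE_LOG = [
    "2012-02-29 11:26:33 [47310] Info: recalculating alarm in 3505 seconds",
    "2012-02-29 11:26:40 [50001] Info: recalculating alarm in 3498 seconds",
    "2012-02-29 11:30:21 [47310] Warning: Possible bypass attempt. Found multiple "
    "slashes where only one is expected: "
    "http://www.microsoft.com/genuine//static/images/wol/Win7TopLogo.png",
    "2012-02-29 12:24:58 [50001] Info: recalculating alarm in 16502 seconds",
    "2012-02-29 12:40:00 [47310] Warning: Possible bypass attempt. (constructed)",
    "2012-02-29 12:40:01 [50001] Warning: Possible bypass attempt. (constructed)",
]

if __name__ == "__main__":
    for pid, missed in stale_helpers(SAMPLE_LOG).items():
        print(f"helper {pid} missed its alarm at {missed}; reconfigure needed")
```

A cron job could run this against /var/squidGuard/log/squidGuard.log and trigger the reconfigure only when the result is non-empty, rather than restarting on a fixed schedule.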
-
I agree with codemarauder
-
Bumping just to see if there is any interest alive in resolving the issue.
I am still doing "Apply" every 30 mins to keep its scheduler sane.
-
You can work around this with a script on cron until somebody finds what is wrong.
-
I am hoping to test soon on a 2.1DEV test system to see if FreeBSD 8.3 is any better or different. I am just having trouble getting Squid to install on 2.1 at the moment.
-
You can install squid using pkg_add.
Take a look on files.pfsense.org
After you copy the squid link, just do pkg_add -r link_to_squid_package from the console