Help - Web Filtering with SquidGuard



  • Hello all,
    I am trying to block Facebook on a small office network per request of the owner, but I am having difficulty getting it to work properly.

    Box Information

    • 2.0.3-RELEASE (i386)
    built on Fri Apr 12 10:22:57 EDT 2013
    • Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz
    • Uptime: 64 days, 14:31

    Interfaces

    • NIC 1 = wan
    • NIC 2 = lan (Only available to office PC’s)
    • NIC 3 = opt1 ( Netgear Wireless n900 not bridged to network )

    Packages Installed

    • Mailreport 2.0.4
    • Squid 2.7.9
    • squidGuard 1.4_4 pkg v.1.9.5
    • Widescreen 0.2

    Here is the scenario:
    • I need Facebook blocked for 2 specific IP addresses in the building ( bad employees ).
    • I can only seem to block Facebook for the entire network.
    • It will only work under Common ACL.
    • If I add the 2 specific IPs under Groups ACL in the Client (Source) field it will not work.
    • I had to manually tell Mozilla Firefox on all the PCs to use my 192.168.1.1 port 3121 so they would get filtered correctly; IE 9 and Chrome do it automatically.

    Questions
    • How do I do this correctly so it blocks just the 2 static IP addresses in my network and the rest of the network is essentially exempt from this block? ( except for https traffic, I know squid can't block https and I have to do it at the firewall rule level )
    • Am I able to block just a single interface and not touch my opt1 ( wifi network )?
    • Under the Services tab, does Proxy Server affect how Proxy Filter behaves?



  • Hi,

    You are right that blocking https on squid2.x is not possible in transparent mode. But try squid 3.3.5 (search the forum for more information about this dev package), which can do that in transparent mode - if you like.

    In general I would suggest adding static DHCP mappings for the computers on the LAN you want to block. Best would be to put them in a range, let's say 192.168.100.20-192.168.100.25.

    Then go to squidguard and create a "Target category" which contains the URLs, domains or expressions you would like to block.
    Then go to squidguard and create a "Group ACL" with the IPs you want to block as source, set the default rule to "allow" and the target category you created to "block". Then save this.
    On "Common ACL" set everything to allow. Click on "Save" and then again click on "Apply".

    After that squidguard should block webtraffic as long as it is not https traffic.

    The wifi network will be covered by "Common ACL", but if you want to make sure it will not be blocked, create another "Group ACL", configure the complete network as source and just allow anything for that network.

    But be careful with different Group ACLs. The order must be the correct one.

    Example:
    Group ACL A on first position with source 192.168.100.0/24 allows all traffic
    Group ACL B on second position with source 192.168.100.20-192.168.100.25 blocks all traffic

    Group ACL B will not work because Group A allows all traffic. So put B in first position so that this traffic is blocked before it is allowed for the other IPs in the second ACL.
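The Group ACL ordering described in the reply above, written out as the squidGuard.conf that the pfSense GUI settings correspond to. This is an added example, not configuration from the thread; the source names, the target category name and path, the redirect URL and the log/db directories are assumptions, while the IP range and network come from the post.

```conf
# Added example (assumed names and paths, not from the thread).
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Source groups (pfSense "Group ACL" sources). The order of these
# definitions does not matter; the order inside the acl block does.
src bad_employees {
    # the two static DHCP mappings, placed in a small range as suggested
    ip 192.168.100.20-192.168.100.25
}

src office_lan {
    ip 192.168.100.0/24
}

# Target category (pfSense "Target category"): one domain per line in
# /var/db/squidGuard/social/domains, e.g. facebook.com (subdomains match too).
dest social {
    domainlist social/domains
}

acl {
    # Evaluated top-down; the first src that matches the client wins.
    # bad_employees must come before office_lan, otherwise office_lan's
    # "pass all" matches 192.168.100.20-25 first and the block never applies.
    bad_employees {
        pass !social all
        redirect http://192.168.100.1/blocked.html
    }

    office_lan {
        pass all
    }

    # pfSense "Common ACL": everything not matched above, e.g. the opt1 wifi.
    default {
        pass all
        redirect http://192.168.100.1/blocked.html
    }
}
```

As the reply notes, none of this applies to https in transparent mode with squid 2.x, because squidGuard never sees those URLs.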



  • Well I tried what you suggested.
    Installed squid3 - then the whole proxy stopped and would not restart. I tried various things; nothing worked.

    Uninstalled it and reverted back to the original version and now it will not come up either; removed it all, rebooted, reinstalled, still nothing :(

    I now just have Facebook being blocked at the LAN rule level; this unfortunately affects the entire network for now, but at least it's being blocked.



  • @virtualliquid:

    Well I tried what you suggested.
    Installed squid3 - then the whole proxy stopped and would not restart. I tried various things; nothing worked.

    Uninstalled it and reverted back to the original version and now it will not come up either; removed it all, rebooted, reinstalled, still nothing :(

    I now just have Facebook being blocked at the LAN rule level; this unfortunately affects the entire network for now, but at least it's being blocked.

    Apparently it matters in what order you install them.
    I had to install squid3 first, then squidguard. Then it worked... weird, or I just have bad luck. Now to see if this config works.



  • @virtualliquid

    squid and squidguard installation is a bit tricky and it depends on which pfsense version you are working with:

    pfsense 2.0.x
    The squidguard package contains squid2.7 binaries. So if you want to run the squid2.7 package and the squidguard package, it all works with a simple installation.

    If you want to have squid3 running with squidguard you need to do this:
    1.) install squid3
    2.) install squidguard (which unfortunately installs squid2 over squid3)
    3.) reinstall squid3 package
    Done.

    On pfsense 2.1 there is a new squidguard-squid3 package. This is squidguard with squid3 binaries.
    So you just need:
    1.) install squid3
    2.) install squidguard-squid3
    Done.

    Hopefully this will help you.

    PS: As far as I know, on squid3 the squidguard process only starts when needed and the service is stopped when not needed.