Firewall Rule, Squid and Squidguard
Hi to all,
I have a firewall rule that allows specific IP addresses, which are grouped into an alias. This group is allowed to access any site that is on standard port 80, and only HTTPS traffic to Gmail is allowed. This works well if I do not enable the SquidGuard service (firewall rule and Squid only). I want to use SquidGuard so that I can still control access to other websites. But if I enable SquidGuard, set the policy, then apply and save the config, this does not seem to work. If I try to access gmail.com, accounts.google.com or mail.google.com, the page just turns white and does not load anything. I ping Google and it responds. If I try to connect to other sites running on port 80 that are in the block list, the blocking page appears. If I access a site that is allowed, it displays the page.
I have added all the domains and IP addresses of Google to the whitelist in SquidGuard and in Squid, but nothing seems to happen.
Do I have to add additional configuration to Squid or SquidGuard for this to work?
I'm using SquidGuard with Shallalist.de (blacklist) to block ads, but the list also blocks sites like kijiji.com. Using Squid's whitelist didn't help; I had to create an entry under the Target Categories tab of SquidGuard: General Settings and apply it under the Groups ACL tab on the same page.
Putting [blk_BL_webmail] on the whitelist does the job, although other webmails like Yahoo's will open, but after you log in the page cannot be displayed. I think this is okay for now. I will try to see how I can copy the db and txt files of this category and edit them to only allow Gmail…
You shouldn't have to manually edit the db; set [blk_BL_webmail] to deny and add
gmail.com accounts.google.com mail.google.com (separated by a space only)
to the Target Categories in SquidGuard:General Settings.
Be sure to set the Order to your whitelist name. Save, then click Apply on the General tab. This works for adwords.google.com while using [blk_BL_adv] (access: deny), an almost identical situation.
[Correction: I am not using the Groups ACL tab like I first mentioned.]
Okay, my bad :) I made a category named gmail_only and put in the Gmail domains. I remembered that it is recommended to create whitelist and blacklist categories and assign domains to those categories accordingly, although I created a different category name in my other deployment and it seems to work fine. Thank you, randy, for your assistance. Now it is working as expected.
Yes, whitelists go before blacklists. That's all.
If you need to do something like
!block_bad_words filter_some_domains !block_with_big_black_lists
you can see a trick at https://forum.pfsense.org/index.php?topic=73759.msg404261#msg404261
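
The ordering rule from the replies above, written as a squidGuard.conf fragment. This is an added example, not part of any post and not the file pfSense generated for the posters; `dbhome`, the domain list file paths and the redirect URL are placeholder assumptions, and the category names are the ones used in the thread.

```conf
# Constructed squidGuard.conf fragment (illustration only).
# dbhome and the redirect URL below are placeholders.
dbhome /path/to/squidGuard/db

# Custom target category holding only the Gmail hosts named in the thread:
# gmail.com, accounts.google.com, mail.google.com
dest gmail_only {
    domainlist gmail_only/domains
}

# Blacklist category imported from the blacklist archive.
dest blk_BL_webmail {
    domainlist blk_BL_webmail/domains
    urllist    blk_BL_webmail/urls
}

acl {
    default {
        # squidGuard reads the pass list left to right and stops at the
        # first category that matches the request.
        #
        # Wrong order: if the blacklist also contains the Gmail hosts,
        # the "!blk_BL_webmail" entry matches first and the request is
        # denied before gmail_only is ever consulted.
        #   pass !blk_BL_webmail gmail_only all
        #
        # Correct order: the whitelist category comes first, the denied
        # blacklist second, and "all" allows whatever matched neither.
        pass gmail_only !blk_BL_webmail all

        # Placeholder block page for denied requests.
        redirect http://blockpage.example/blocked.html
    }
}
```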