Netgate Discussion Forum

    Strange SquidGuard problem.

    pfSense Packages
    • Claw22000

      I don't exactly know the best way to explain this but I will give it a shot…

      The goal is to have a block of 5 IP addresses with fewer restrictions, like torrent usage and the like.  So I set up SquidGuard in this manner:

      1.) Common ACL is only blocking the spyware with a default of allow.
      2.) Group ACL (everyone else) blocking porn, warez, dating, everything else sex related, etc.
      3.) Group ACL (allowed block) told to allow all these things.

      What I end up with is, after I check the settings, it does as it should: it allows me to access torrents and the like on my wife's and my computers, while blocking these on the kids' computers.  I come back an hour later and it's not blocking anything on any of the devices.

      What I have tried: I set up all the blocking in the Common ACL and allowed it in the group of IPs.  This just blocks all that for everyone no matter what I have in the Group ACL settings.

      I did google this and searched the forums.  That being said, I don't know exactly how to word what I'm looking for, and the end result is not being able to find any information about this.  If someone could help or point me to the correct help, that would be awesome.

      Thanks in advance for your time.

      DrClaw

      DrClaw

      • golmaal

        Maybe I haven't understood your problem correctly, but this may help:

        SquidGuard (and the firewall rules too) works on the basis of first-match. The filtering rules do not cascade.

        Let us say you have Group ACL X and Group ACL Y (in that order) and then Common ACL. When someone accesses the Internet, SquidGuard tries to first match it with Group ACL X. If the match is positive (i.e. if the IP or the user belongs to Group ACL X), the Group ACL X will apply to it irrespective of your Common ACL and other Group ACL. Once the match is positive, it won't filter it using any other Group ACL or Common ACL. If the first match fails, it will try to match it to Group ACL Y; if it matches, Group ACL Y will apply to it. If there are no matches, Common ACL will apply.

        So you need something like this:

        Group ACL X: Block Porn, Block P2P, Allow All
        Group ACL Y: Allow All
        Common ACL: Block All

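Added example, not part of the original posts and not SquidGuard's own code: a small Python model of the first-match, non-cascading selection described in the reply above, applied to the suggested X / Y / Common layout. The addresses, hostnames and category names are constructed, and reading each rule list left to right with a deny fallback is an assumption of this sketch.

```python
import ipaddress

# Constructed sample data: hostnames and categories are illustrative only.
SITE_CATEGORY = {"tracker.example": "p2p", "adult.example": "porn", "news.example": None}

def first_match(groups, common, client_ip):
    """Return (acl_name, rules) of the single ACL that applies to client_ip.

    Group ACLs are tried in order; the first one whose source range contains
    the client wins, and nothing after it (Common ACL included) is consulted.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, networks, rules in groups:
        if any(ip in ipaddress.ip_network(n) for n in networks):
            return name, rules
    return "Common ACL", common

def decide(groups, common, client_ip, host):
    """Evaluate host against the one ACL selected for client_ip."""
    name, rules = first_match(groups, common, client_ip)
    category = SITE_CATEGORY.get(host)
    for action, target in rules:      # rules read left to right (assumption)
        if target == "all" or target == category:
            return name, action
    return name, "block"              # no rule matched: deny (assumption)

# Layout from the reply: restricted group first, then the unrestricted
# addresses, and a Common ACL that blocks everything else.
GROUPS = [
    ("Group ACL X", ["192.168.1.32/28"],
     [("block", "porn"), ("block", "p2p"), ("allow", "all")]),
    ("Group ACL Y", ["192.168.1.8/29"], [("allow", "all")]),
]
COMMON = [("block", "all")]

if __name__ == "__main__":
    for ip in ("192.168.1.35", "192.168.1.10", "192.168.1.200"):
        for host in SITE_CATEGORY:
            print(ip, host, decide(GROUPS, COMMON, ip, host))
```

If a broad source range is listed ahead of a narrower one, the narrower group is never reached, so overlapping ranges and group order are the first things to check when a restriction seems to be ignored.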
        • Claw22000

          @golmaal:

          Maybe I haven't understood your problem correctly, but this may help:

          SquidGuard (and the firewall rules too) works on the basis of first-match. The filtering rules do not cascade.

          Let us say you have Group ACL X and Group ACL Y (in that order) and then Common ACL. When someone accesses the Internet, SquidGuard tries to first match it with Group ACL X. If the match is positive (i.e. if the IP or the user belongs to Group ACL X), the Group ACL X will apply to it irrespective of your Common ACL and other Group ACL. Once the match is positive, it won't filter it using any other Group ACL or Common ACL. If the first match fails, it will try to match it to Group ACL Y; if it matches, Group ACL Y will apply to it. If there are no matches, Common ACL will apply.

          So you need something like this:

          Group ACL X: Block Porn, Block P2P, Allow All
          Group ACL Y: Allow All
          Common ACL: Block All

          I will try this as soon as I get time to mess around with it again.

          Thanks for the reply.  I will post what I find.

          DrClaw