SquidGuard on 2.2 not blocking was on 2.1


  • I was able to get squid and squidguard loaded after upgrading to pfSense 2.2.  However, it no longer blocks the categories I set.  I did the normal procedure I did in 2.1 (configure, hit save and then apply).  I see nothing in my logs either.  This was working to block 2 interfaces (public 10.2.0.0 and private 10.255.0.0).

    Any ideas on what might be wrong????

    Thanks!
    Rob


  • No idea, and I have little interest in reading through that massive wall of text.  Any time I have problems with a package like that that's simple to configure, I just remove it and install it again.  I've noticed sometimes that both the Squid and SquidGuard packages need to be installed twice to work right.  Ran into it last night in my home lab.  Had to install SquidGuard and then click the PKG button to reinstall to get it working.


  • I have tried all combinations of squid and squidguard on 2.2 and squidguard never works after rebooting.  After rebooting you must import the blacklists again, then it will work.


  • @gmorgen1:

    I have tried all combinations of squid and squidguard on 2.2 and squidguard never works after rebooting.  After rebooting you must import the blacklists again, then it will work.

    How to fix it?


  • I reinstall squidguard from the installed packages.  If I don't, here is what happens.  Install squid (see it is running) then I install squidguard, download the blacklist, set ACLs, hit save, hit save on the first tab then APPLY.  It attempts to start and then brings down squid.  After I reinstall squidguard from the installed packages page, it repairs something in order to get it to run.  As you can see, though, it isn't blocking.


  • I read the squidguard documentation and it said to test your config via something like

    echo "http://www.playboy.com 10.2.0.1/ - - GET" | /usr/pbi/squidguard-i386/bin/squidGuard -c /usr/pbi/squidguard-i386/etc/squidGuard/squidGuard.conf

    I ran that from the Diagnostic -> Command Prompt AND ....

    it did block it and I see the block in the log!  However, if I try to hit the same url from my browser it serves it up.

    Any areas I should poke around in?  Thanks everyone.

    rob
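
The command-line test from the post above, extended to check several URLs from several client addresses in one run. This is an added example, not part of the original thread: the function names `sg_check` and `sg_matrix` are hypothetical, the binary and config paths are the ones quoted in the post, and the client address 10.255.0.1 in the usage comment is constructed from the second interface mentioned earlier.

```shell
#!/bin/sh
# Added example: batch-test squidGuard's decision for URL/client pairs.
# Defaults are the paths quoted in the post; override via the environment.
SQUIDGUARD="${SQUIDGUARD:-/usr/pbi/squidguard-i386/bin/squidGuard}"
SG_CONF="${SG_CONF:-/usr/pbi/squidguard-i386/etc/squidGuard/squidGuard.conf}"

# sg_check URL CLIENT_IP
# Sends one redirector request line ("URL ip/fqdn ident method") and prints
# "BLOCK <redirect-target>" or "PASS". squidGuard answers an allowed request
# with an empty line and a blocked one with the rewritten URL as first field.
sg_check() {
    url=$1
    client=$2
    reply=$(printf '%s %s/ - - GET\n' "$url" "$client" |
        "$SQUIDGUARD" -c "$SG_CONF" 2>/dev/null | head -n 1)
    target=${reply%% *}
    if [ -n "$target" ]; then
        printf 'BLOCK %s\n' "$target"
    else
        printf 'PASS\n'
    fi
}

# sg_matrix CLIENTS URLS
# Checks every URL from every client address (both space-separated lists),
# one tab-separated result per line, so source-based ACLs that differ per
# interface can be compared side by side.
sg_matrix() {
    for client in $1; do
        for url in $2; do
            printf '%s\t%s\t%s\n' "$client" "$url" "$(sg_check "$url" "$client")"
        done
    done
}

# Stand-alone use (10.255.0.1 is a constructed sample address):
#   ./sg-test.sh "10.2.0.1 10.255.0.1" "http://www.playboy.com http://example.org"
if [ "$#" -eq 2 ]; then
    sg_matrix "$1" "$2"
fi
```

This only shows what squidGuard decides for a request it is handed; it says nothing about whether browser traffic is actually being passed through Squid to the redirector.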


  • Which browser?  What mode is Squid running in, standard or transparent?  Is the content cached from a previous page load before the block?  Go to a new site like Penthouse or Hustler and see if it's blocked.


  • Chrome on any OS
    Browser(s) Cache cleared
    Squid running in Transparent
    Tried penthouse on browser and it let it through
    Issue Command from pfSense Admin Command Prompt to try penthouse and it blocked it.


  • I have to ask the obvious question: do you have your browser set to use the proxy?  Have you blocked ports 80 and 443 on LAN so that clients must use the proxy?


  • I am glad you are asking the obvious questions!  I looked at the firewall rules (assuming that is the right place) and I don't see any specific rules for 80 or 443.  Maybe the upgrade lost them and it has worked for so long that I forgot about the obvious. If I am using transparent mode then what should I see in the way of rules?

    Thanks so much for your help.
    Rob


  • All you need is an alias to hold the ports and a single rule on LAN.  Go to Firewall - Aliases - Ports.  Create a new alias and add ports 80 and 443 to it.  Go to Firewall - Rules - LAN.  Add a LAN rule like you see in the screenshot with the red arrow.  Everything should be pretty obvious other than the Destination Port Range.  Set it to (other) and then type & pick your alias in the red box.



  • If I block port 443, that will cause https to fail, right?  If I want to make that work, can you point me to the instructions for making that work, i.e. block when needed.

    Thanks!
    Rob