Squidguard… problems and questions



  • I'm glad to see that the Squidguard package install is working again - I thought I had broken something when I upgraded to 1.2Rel.  But…

    I'm having trouble setting up SquidGuard; I've gone through the documentation at http://www.squidguard.org/Doc/configure.html and the pfSense-specific quickstart at http://diskatel.narod.ru/sgquick.htm - and I still can't get things right.  Either it blocks nothing at all, or it shuts down everything, including Google.  I'm sure I'm doing something wrong, but I also have some general questions and (I'm afraid to say it) some small complaints/suggestions about making this easier to understand.

    On the General settings page:  what does the "Blacklist proxy" field do?  In what situation would I use it?

    ====================================

    On the Default page - I only have one column: "Destinations in uptime"; in the Quickstart screenshot there is also  "Destinations in overtime".  Why is mine different from the screenshot - has the program been changed since the screenshot, or am I missing something?

    ====================================

    I was very confused by the Default page (and the ACL page).  I think I understand it now:
    On the bottom line ("Default access [all]"):
    -  if I uncheck the left box and hit Save, then both boxes will be checked, and the Default Destination changes to "!all"
    -  if I uncheck the left box again and hit Save, there is no change - both boxes are checked, Destination "!all"
    -  if I uncheck the right box and hit Save, only the left box is checked and the Destination becomes "all"
    -  if I check the right box and hit Save, both boxes will be checked, and the Default Destination changes to "!all"
      (Why have two checkboxes?  Why not just one, or a pair of radio-buttons?)
    For all other lines (e.g. "[blk_BL_porn]"):
    -  checking the left box determines whether this destination appears in the list at all
    -  checking the right box determines whether it appears as "[blk_BL_porn]" or "![blk_BL_porn]"

    So I think I understand it, but I also think I'm not the only person who will be confused by it at first!

    Also: I downloaded the Shalla blacklists, and now I have 52 categories.  If I want to block them all, it looks like I need to check all 52 left boxes AND all 52 right boxes.  Would it be possible to have a "check all/uncheck all"?  At first I thought that that was what the "Default access" line did, but obviously not.

    ====================================

    What is the relation between Times and "uptime" and "overtime"?  I have defined a Time called "BusinessHours", and set it as "08:00-18:00" M-T-W-Th-F.  Is that "uptime", and "overtime" is everything else?  What if I set another Time, called "Weekend"?  What is "overtime" then - everything not covered by a Time?

    ====================================

    Finally, here's my config…  right now, it blocks NOTHING.  Gaaaaaah!
    I deleted my Times, Destinations, and ACL to make this as simple a case as possible, but it still isn't working...

    /usr/local/etc/squidGuard/squidGuard.conf
    
    # ============================================================
    # SquidGuard configuration file
    #
    # This file generated automaticly with SquidGuard configurator
    #
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    
    dest blk_BL_adv {
    domainlist blk_BL_adv/domains
    urllist blk_BL_adv/urls
    log block.log
    }
    
    ...  (50 other categories) ...
    
    dest blk_BL_webtv {
    domainlist blk_BL_webtv/domains
    urllist blk_BL_webtv/urls
    log block.log
    }
    
    acl {
    default {
    pass !in-addr all
    redirect https://192.168.1.1:9443/sgerror.php?url=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    log block.log
    }
    }
    
    

    I read this as "don't pass anything in the list, but pass everything else".  Am I wrong?

    Thank you!



  • For a long time I had problems with squidGuard similar to yours. However, now it is working fine. My two cents:

    Now, if you browse the web, every page should be blocked.

    If this does not work, go to the shell and type 'more /var/squid/log'

    If you see some errors when loading the blacklist, like 'permission denied' or something, you have to fix the permissions of the blacklist.

    In order to do that I just typed ' chown -R proxy:proxy /var/squidGuard' (This tip comes from http://meadvillelibrary.org/os/filtering/squidGuard-install.html)

    After that, everything worked fine.



  • On the Default page - I only have one column: "Destinations in uptime"; in the Quickstart screenshot there is also  "Destinations in overtime".  Why is mine different from the screenshot - has the program been changed since the screenshot, or am I missing something?

    This option was removed from the Default page. The doc is not updated yet - it needs my free time.

    On the General settings page:  what does the "Blacklist proxy" field do?  In what situation would I use it?
    

    Proxy for downloading the blacklist, if one is needed (leave empty if not needed).

    On the bottom line ("Default access [all]"):
    -   if I uncheck the left box and hit Save, then both boxes will be checked, and the

    The behavior probably needs to change, if this is confusing. For blocking access you must always check 'All' and allow/deny access via the 'Deny access' checkbox. By default, access is [All=Deny].

    If I want to block them all, it looks like I need to check all 52 left boxes AND all 52 right boxes.  Would it be possible to have a "check all/uncheck all"?

    Maybe in the future.

    What is the relation between Times and "uptime" and "overtime"?

    Uptime - range of time defined by you. Uptime - all other time - outside of this range.

    Finally, here's my config…  right now, it blocks NOTHING.  Gaaaaaah!
    I deleted my Times, Destinations, and ACL to make this as simple a case as possible, but it still isn't working...
    acl {
    default {
    pass !in-addr all
    redirect https://192.168.1.1:9443/sgerror.php?url=&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    log block.log
    }
    }

    pass !in-addr all < You allowed ALL - nothing to block.
    squidGuard supports white and black lists, so you should use the left checkboxes to select a 'rule' (from the blacklist or your own) and check the 'deny access' checkbox (on the right) to deny access for this rule.
    In your situation, for full blocking you need to check 'Deny access' in the 'All' rule.

    PS
    If you have any suggestions for improving the interface, I am ready to consider them.



  • pass !in-addr all < You allowed ALL - nothing to block.
    squidGuard supports white and black lists, so you should use the left checkboxes to select a 'rule' (from the blacklist or your own) and check the 'deny access' checkbox (on the right) to deny access for this rule.
    In your situation, for full blocking you need to check 'Deny access' in the 'All' rule.

    Sorry, I should have posted a screenshot - the .conf file I posted WAS the result of (I'm not in the office to make a screenshot, so here's a text picture):

    
    [x] [blk_BL_adv]            [x] deny 
    ...
    [x] [blk_BL_webtv]          [x] deny 
    [x] Default access [all]    [ ] deny
    
    

    So let me rephrase my question:  I thought that the following line from the .conf : "pass !in-addr all"
    meant "pass all traffic EXCEPT what matches the categories I've checked off"

    1 - if that's not what it means, what DOES it mean?
    2 - what would a rule look like that DID mean what I want?
    3 - what sequence of checkboxes would generate that rule?
    4 - can I just ignore the GUI and edit the .conf directly - if I did, would my changes be overridden?

    A little background - the main thing I'm trying to block is social-networking sites.  The girls at the front desk have been spending all their time on MySpace, sometimes ignoring patients…  but I do need them to have access to Google, WebMD, etc.  I'd also like to block ads.  So right now I have my own blacklist (myspace.com, facebook.com, adrevolver.com, etc.) loaded into the Squid access control page, and Squidguard is disabled until I can figure this out.

    Once it's working, I'd also like to set:
      times - I'm OK with MySpace after hours and at lunchtime
      ACLs  - the doctors' computers should have no restrictions except ads and spyware.  (One of the doctors loves porn - what can I say?)

    But those can wait until I actually get the Default rule working: to block forbidden traffic while passing legal traffic.

    To clarify my understanding of Times:

    What is the relation between Times and "uptime" and "overtime"?

    Uptime - range of time defined by you. Uptime - all other time - outside of this range.

    So I should ONLY define one Time - let's call it BusinessHours, 08:00-18:00 Monday-Friday.  Any moment that falls inside of that Time - for example, 09:30 on Wednesday - is "uptime", and any moment that falls outside - like midnight on Thursday - is "overtime".  Am I correct?
    Can I define a Time - call it LunchTime - that falls inside of BusinessHours, when things are allowed that would otherwise be blocked?

    Sorry to be so obtuse - I definitely appreciate the help.
    Thanks!



  • I am looking at the config and see that you did not configure your SG. For this scheme

    you must have the config

    pass !in-addr !blk_BL_adv !blk_BL_webtv all<
    After you finish configuring your SG, you must press the APPLY button on the General page.
    This generates a new config and starts squid & SG with the new options.
    ---

    meant "pass all traffic EXCEPT what matches the categories I've checked off"

    4 - can I just ignore the GUI and edit the .conf directly - if I did, would my changes be overridden?

    Yes, you can, but a new GUI Apply will rewrite your config (for editing use /usr/local/etc/squid/squidGuard.conf)

    A little background - the main thing I'm trying to block is social-networking sites

    I have the same problem. You can use your own Destination to block optional sites. For blocking banners and ads I use the expressions 'ads|banner|banners|reclama …'.

    Once it's working, I'd also like to set:
      times - I'm OK with MySpace after hours and at lunchtime

    Use this way:

    • Default page --> Deny All (full blocking)
    • Create a Time
    • Create an ACL with the time and define rules for what to do or not do during the time and overtime
    • ACLs are order-based. If you want to define an ACL 'For-All' and add 'VIP':
      -- you must move the 'For-All' ACL to the last position (Source for example '10.0.0.0/24', your subnet)
      -- move the 'VIP' ACL (Source for example '10.0.0.25') before the 'For-All' ACL
      -- NOTE - you have Default '[x]All---[x]deny'

    ---
    About Times:
    You can add several items to one 'Time' rule. This gives any possible variant for your needs.
    For example, you want to define a time for Monday-Friday 8:00-18:00, excluding LunchTime (12:00-13:00). This is possible with short ranges:
    Type     | Days  | Date | Time
    [weekly] | [mon] | ---  | [08:00-12:00]
    [weekly] | [mon] | ---  | [13:00-18:00]
    [weekly] | [tue] | ---  | [08:00-12:00]
    [weekly] | [tue] | ---  | [13:00-18:00]
    [weekly] | [wed] | ---  | [08:00-12:00]
    [weekly] | [wed] | ---  | [13:00-18:00]
    [weekly] | [thu] | ---  | [08:00-12:00]
    [weekly] | [thu] | ---  | [13:00-18:00]
    [weekly] | [fri] | ---  | [08:00-12:00]
    [weekly] | [fri] | ---  | [13:00-18:00]

    Everything included in these ranges is uptime, and everything else is overtime (excluded from the ranges).

    PS Sorry for my English. I'm not a native speaker of this language.
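
The difference between the generated `pass !in-addr all` and the `pass !in-addr !blk_BL_adv !blk_BL_webtv all` rule given in the reply above, as an added example that is not part of the original posts or of squidGuard itself: a simplified shell model in which the tokens of a pass line are read left to right and the first matching one decides. The function names, the sample host `ads.example` and its membership in `blk_BL_adv` are constructed for illustration, and the final fall-through to "block" is an assumption.

```shell
#!/bin/sh
# Added illustration, not squidGuard source: a simplified model of how a
# "pass" line is read, left to right, with the first matching token deciding.

# is_ip HOST: true when HOST looks like a dotted IPv4 address (what in-addr matches).
is_ip() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# sg_decide RULE HOST MATCHED
#   RULE     tokens after the "pass" keyword, e.g. "!in-addr !blk_BL_adv all"
#   HOST     host part of the requested URL
#   MATCHED  space-separated dest names whose lists contain HOST; supplied by
#            the caller here, looked up in the blacklist db by real squidGuard
# Prints "pass" or "block".
sg_decide() {
    rule=$1
    host=$2
    matched=" $3 "
    for tok in $rule; do
        name=${tok#"!"}
        hit=0
        case $name in
            all)     hit=1 ;;
            none)    echo block; return 0 ;;
            in-addr) if is_ip "$host"; then hit=1; fi ;;
            *)       case $matched in *" $name "*) hit=1 ;; esac ;;
        esac
        if [ "$hit" -eq 1 ]; then
            case $tok in
                '!'*) echo block ;;
                *)    echo pass ;;
            esac
            return 0
        fi
    done
    echo block   # assumption: a request that matches no token is not passed
}

# Constructed requests; ads.example is assumed to be listed in blk_BL_adv.
sg_pass_demo() {
    gui_rule='!in-addr all'                            # generated config from the thread
    fix_rule='!in-addr !blk_BL_adv !blk_BL_webtv all'  # rule given in the reply
    echo "gui ads.example:    $(sg_decide "$gui_rule" ads.example blk_BL_adv)"
    echo "fix ads.example:    $(sg_decide "$fix_rule" ads.example blk_BL_adv)"
    echo "fix www.google.com: $(sg_decide "$fix_rule" www.google.com '')"
    echo "fix 192.168.1.50:   $(sg_decide "$fix_rule" 192.168.1.50 '')"
}
sg_pass_demo
```

With the generated rule the listed host is passed because `all` is the first token that matches it; with the negated category tokens placed before `all`, the same host is blocked while unlisted hosts still pass.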



  • @Monoecus:

    For a long time I had problems with squidGuard similar to yours. However, now it is working fine. My two cents:

    Now, if you browse the web, every page should be blocked.

    If this does not work, go to the shell and type 'more /var/squid/log'

    If you see some errors when loading the blacklist, like 'permission denied' or something, you have to fix the permissions of the blacklist.

    In order to do that I just typed ' chown -R proxy:proxy /var/squidGuard' (This tip comes from http://meadvillelibrary.org/os/filtering/squidGuard-install.html)

    After that, everything worked fine.

    +1
    This helped a lot. I was having the same problem that nothing was being blocked. I tried reinstalling squidguard and not uploading any blacklist. I set it to deny all and sure enough it worked. I then uploaded the suggested blacklist and it would not block anything. I followed your advice and checked the log and there were permission problems. To fix mine, though, I also had to:
    chown -R proxy:proxy /var/db/squidGuard
    Now everything works perfectly.



  • @wompy:

    I followed your advice and checked the log and there were permission problems. To fix mine, though, I also had to:
    chown -R proxy:proxy /var/db/squidGuard
    Now everything works perfectly.

    Thanks, I am testing this problem.



  • I am not a programmer, but would like to help if I can. I have been using URLFilter <http://urlfilter.net> which I have running on IPCOP and looking to see how difficult it'd be to port over to pfsense.  It is all CGI for the gui config interface.  I can send screen shots if you don't have IPCOP and are interested in seeing what has been done for URLFilter.  SquidGuard is an awesome pkg and addition to pfsense, just like to see it get better.  URLFilter has some automated grabbing of the BlackLists db's and lets you choose the BlackList db you wish as well.  The interface is pretty easy as well, however the pfsense SquidGuard pkg may have more capability.

    BTW, where are the php files for SquidGuard config pages?

    Thanks,
    KH



  • I wanted a feature-rich package. An easy interface in this situation is non-functional  :-[



  • Don't misunderstand me, I think the package is awesome.  I'm almost ready to move it into production and replace IPCOP.  URLFilter has configuration parameters to pull the blacklist daily, weekly or monthly and apply it.  I have it running very late after hours so as not to disrupt anything.  There is also a nice block page which shows client IP, site trying to connect to, and category which triggered the block.

    Is there a way to do the above with this SquidGuard package?

    Thank you,
    KH



  • Okay, problem was with https. I now get a block page.

    Still trying to figure out how to automatically grab new blacklist file.  I can grab via cron, but what would be the commands to reconfigure just like if pressing upload button?

    KH



  • @hinze57:

    Okay, problem was with https. I now get a block page.

    Still trying to figure out how to automatically grab new blacklist file.  I can grab via cron, but what would be the commands to reconfigure just like if pressing upload button?

    KH

    From the GUI - nothing.
    In your PHP script you may use
    the PHP function from squidGuard.inc:
    sg_reconfigure_blacklist($url, $proxy);

    You can create a script and add it to cron.

    require_once('squidguard.inc');
    $url="URL";
    sg_reconfigure_blacklist($url, '');
    ...

    squid & squidGuard will restart automatically

    There is also a nice block page which shows client IP, site trying to connect to, and category which triggered the block. 
    Is there a way to do the above with this SquidGuard package?

    Possible with the HTTP webGUI & Redirect mode = 'Internal'.
    GUI HTTPS is a known problem and expects Redirect mode = 'External' with your own error page from an external www server.

    Test
    http://youpfSense/sgerror.php?url=403 No access&a=10.0.0.0&n=MyClient&i=clientUser&s=clientgroup&t=porno/sex&u=http://porno.ru&



  • I just did a clean pfSense install last night, and managed to get squidGuard running. However, this was very difficult. I had many of the same problems noted here.

    It was VERY touchy. Often squidGuard would say STOPPED. The only way to make it say STARTED was to upload the blacklist again. Then, if I changed ANY setting, the filter would stop working.

    For example: I uploaded the blacklist. Clicked Save. I changed default destination to:
    ```
    !all
    ```

    I changed squidGuard to:
    ```
    !blk_BL_porn all
    ```
    I clicked **Apply**. Now nothing was blocked. Porn and everything else was let through. I saw squid logging the website access. I saw no errors of any kind in the squidGuard or the squid logs.
    
    Very frustrating. I checked permissions. I tried changing /var/squidGuard to proxy:proxy (chmod -R proxy:proxy /var/squidGuard). No help.
    
    It was very slow downloading the blacklist over and over, so I fetched it to: /var/tmp/squidGuard/hold/shallalist.tar.gz and set that path for **Blacklist URL**. That way I could just click **Upload Url**, and the DB would be processed again.
    
    Everything works ONLY when I perform the following steps:
    
    1) Change filter settings.
    2) **Apply**.
    3) Click **Upload Url**.
    4) Click **Apply**.
    
    In other words, the filter stops working every time I change a squidGuard setting. It works again if I re-process the database.
    
    As I said, there were never any error messages, so there is nothing I can send from the logs.


  • I had similar problems to you. Did you also change permissions on "/var/db/squidGuard"? That is what finally fixed it for me.
    See my previous post.



  • Thanks!
    I fixed the bug with the '/var/db/squidGuard' rights in the installation.
    Please test.



  • I reinstalled pfSense yesterday and could thus test your fixes for the rights. Everything seems to be OK now.

    Many thanks.



  • Is there a way to enable safe search?



  • What do you mean by “safe search”?



  • I have same problem, all is ok but nothing is filtered



  • Renew the package (updated today) and try now.



  • Do I delete and reinstall?



  • @xhark:

    Do I delete and reinstall?

    Hm.. Try a full reinstall :D



  • I'm talking about the package ^^



  • @xhark:

    I'm talking about the package ^^

    Yes. Reinstall the package



  • It's done but no filtering is active :(

    Can I delete times ?

    here is my log :

    5.05.2008 16:44:52 : sg_reconfigure: Begin.
    15.05.2008 16:44:52 : sg_reconfigure_user_db: Begin with '/var/db/squidGuard'
    15.05.2008 16:44:52 : sg_reconfigure_user_db: Nothing. User destinations list empty.
    15.05.2008 16:44:52 : sg_remove_unused_db_entries: Begin.
    15.05.2008 16:44:52 : sg_remove_unused_db_entries: end
    15.05.2008 16:44:52 : sg_create_config: Create squidGuard config.
    15.05.2008 16:44:52 : sg_create_config: Checking configuration data.
    15.05.2008 16:44:52 : sg_create_config: Error configuration data. It's all errors:
    BLACKLIST 'blk_blacklists_agressif' error: file '/var/db/squidGuard/blk_blacklists_agressif' not found
    BLACKLIST 'blk_blacklists_drugs' error: file '/var/db/squidGuard/blk_blacklists_drugs' not found
    BLACKLIST 'blk_blacklists_mail' error: file '/var/db/squidGuard/blk_blacklists_mail' not found
    BLACKLIST 'blk_blacklists_porn' error: file '/var/db/squidGuard/blk_blacklists_porn' not found
    BLACKLIST 'blk_blacklists_publicite' error: file '/var/db/squidGuard/blk_blacklists_publicite' not found
    BLACKLIST 'blk_blacklists_redirector' error: file '/var/db/squidGuard/blk_blacklists_redirector' not found
    BLACKLIST 'blk_blacklists_violence' error: file '/var/db/squidGuard/blk_blacklists_violence' not found
    15.05.2008 16:44:52 : sg_create_config: Terminated.
    15.05.2008 16:44:52 : sg_create_simple_config: Begin with dbhome='/var/db/squidGuard'.
    15.05.2008 16:44:52 : sg_redirector_base_url: Select redirector base url (https://192.168.0.254/sgerror.php?url=Error! Check squidGuard configuration data. (sg_create_config%3A [2]).&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
    15.05.2008 16:44:52 : sg_reconfigure: Generate squidGuard config and save to '/usr/local/etc/squidGuard/squidGuard.conf'.
    15.05.2008 16:44:52 : squid_reconfigure: Begin.
    15.05.2008 16:44:52 : squid_reconfigure: Remove old redirector options from Squid config.
    15.05.2008 16:44:52 : squid_reconfigure: Add new redirector options to Squid config.
    15.05.2008 16:44:52 : sg_init: Start.
    15.05.2008 16:45:01 : sg_init: Start.
    15.05.2008 16:45:02 : sg_init: Start.



  • Upload blacklist in the previous version did not make the blacklist archive. Also, temporarily set the pfSense webGUI to HTTP. With HTTPS there can be trouble.



  • What can I do ? If I add small GZ blacklist it's OK, but with big blacklist it fails (ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz)



  • @xhark:

    What can I do ? If I add small GZ blacklist it's OK, but with big blacklist it fails (ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz)

    Check your URL manually - maybe a broken archive?
    Also look at http://www.squidguard.org/blacklists.html;
    I use http://www.shallalist.de/Downloads/shallalist.tar.gz



  • Yes, I've opened this with 7zip without any problem.

    I've tested sending this to /tmp/my_directory and specifying the local directory in the SG config, but same problem. I'll test your list and come back here ;)



  • @xhark:

    Yes, I've opened this with 7zip without any problem.

    I've tested sending this to /tmp/my_directory and specifying the local directory in the SG config, but same problem. I'll test your list and come back here ;)

    Ok
    I will test and reply here.



  • I was having some squidguard problems too and tracked down a different issue than what I've seen in this thread.

    I am attempting to run the shallalist rules and after a lot of troubleshooting I finally noticed in the squidguard log that it couldn't find blk_BL_politics

    I noticed that there's a blk_BL_politcs (notice no i) but not one with the proper spelling.  So I just symlinked the proper spelling to the improper spelling and after that it seems to work fine.

    Thanks to the package maintainer for providing this software.
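
Two silent failure causes reported in this thread are list files not owned by the proxy account and a category directory whose name does not match the config (`blk_BL_politcs` vs `blk_BL_politics`). One way to check for both before applying a config, as an added example that is not part of the original posts or of the pfSense package: the function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not part of the squidGuard package.
# sg_check_lists CONF OWNER
# For every domainlist/urllist line in a squidGuard.conf, report list files that
# are missing under dbhome or not owned by OWNER (the account squidGuard runs as).
# Prints one finding per line; prints nothing when everything is in order.
sg_check_lists() {
    conf=$1
    owner=$2
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    awk '$1 == "dest" { d = $2 }
         $1 == "domainlist" || $1 == "urllist" { print d, $2 }' "$conf" |
    while read -r dest rel; do
        path=$dbhome/$rel
        if [ ! -e "$path" ]; then
            echo "MISSING $dest $rel"
        elif [ "$(ls -ld "$path" | awk '{ print $3 }')" != "$owner" ]; then
            echo "OWNER $dest $rel"
        fi
    done
}

# Constructed sample: the archive shipped "blk_BL_politcs" (typo) while the
# config refers to "blk_BL_politics", as described in the post above.
# Optional argument: the owner to expect (defaults to whoever created the files).
sg_lists_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/db/blk_BL_adv" "$tmp/db/blk_BL_politcs"
    : > "$tmp/db/blk_BL_adv/domains"
    : > "$tmp/db/blk_BL_adv/urls"
    : > "$tmp/db/blk_BL_politcs/domains"
    cat > "$tmp/squidGuard.conf" <<EOF
logdir $tmp/log
dbhome $tmp/db

dest blk_BL_adv {
domainlist blk_BL_adv/domains
urllist blk_BL_adv/urls
}

dest blk_BL_politics {
domainlist blk_BL_politics/domains
}
EOF
    expect=${1:-$(ls -ld "$tmp" | awk '{ print $3 }')}
    sg_check_lists "$tmp/squidGuard.conf" "$expect"
    rm -rf "$tmp"
}
sg_lists_demo
```

On the firewall discussed in the thread the call would be `sg_check_lists /usr/local/etc/squidGuard/squidGuard.conf proxy`, using the config path and account name that appear in the posts.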

