Netgate Discussion Forum
    [SOLVED] SquidGuard for several subnets

    11 Posts 4 Posters 3.3k Views
    MichelR

      Hi everyone, I have a question about squidGuard. I have created two subnets, 172.26.0.0/24 (LAN) and 172.26.1.0/24 (WIRELESS), the latter with DHCP from pfSense. So far so good: both networks can browse and I can filter with Squid, but… there is always a but: squidGuard filters nothing on the wireless network. Does squidGuard only work for the LAN network? I have Squid 3 and squidGuard.

      Regards

      acriollo

        Hi, have you configured Squid to listen on both networks?

        In squidGuard, have you set up a target for the wireless network?

        Can you post the config of your services here?

        Regards

        MichelR

          Hi acriollo, yes, I have both networks specified. As for the target, I have several defined in squidGuard with accepted and blocked pages.

          I am doing everything from the GUI.

          squid.conf:

          # This file is automatically generated by pfSense
          # Do not edit manually !

          http_port 172.26.0.5:3128
          http_port 172.26.1.1:3128
          icp_port 0
          dns_v4_first off
          pid_filename /var/run/squid/squid.pid
          cache_effective_user proxy
          cache_effective_group proxy
          error_default_language es-es
          icon_directory /usr/pbi/squid-i386/local/etc/squid/icons
          visible_hostname localhost
          cache_mgr admin@localhost
          access_log /var/squid/logs/access.log
          cache_log /var/squid/logs/cache.log
          cache_store_log none
          netdb_filename /var/squid/logs/netdb.state
          pinger_enable on
          pinger_program /usr/pbi/squid-i386/local/libexec/squid/pinger

          logfile_rotate 7
          debug_options rotate=7
          shutdown_lifetime 3 seconds

          # Allow local network(s) on interface(s)

          acl localnet src  172.26.0.0/24 172.26.1.0/24
          forwarded_for on
          uri_whitespace strip

          # Break HTTP standard for flash videos. Keep them in cache even if asked not to.
          refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private

          # Let the clients favorite video site through with full caching

          acl youtube dstdomain .youtube.com
          cache allow youtube

          # Windows Update refresh_pattern
          range_offset_limit -1
          refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
          refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
          refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

          # Avast refresh_pattern
          range_offset_limit -1
          refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims

          # Avira refresh_pattern
          range_offset_limit -1
          refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims

          cache_mem 750 MB
          maximum_object_size_in_memory 64 KB
          memory_replacement_policy heap GDSF
          cache_replacement_policy heap LFUDA
          cache_dir aufs /var/squid/cache 100000 64 256
          minimum_object_size 0 KB
          maximum_object_size 800000 KB
          offline_mode off
          cache_swap_low 90
          cache_swap_high 95
          cache allow all

          # Add any of your own refresh_pattern entries above these.
          refresh_pattern ^ftp:    1440  20%  10080
          refresh_pattern ^gopher:  1440  0%  1440
          refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
          refresh_pattern .    0  20%  4320

          # No redirector configured

          #Remote proxies

          # Setup some default acls
          # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

          acl localhost src 127.0.0.1/32

          acl allsrc src all
          acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
          acl sslports port 443 563  8443 143 993 995 587 465

          # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

          #acl manager proto cache_object

          acl purge method PURGE
          acl connect method CONNECT

          # Define protocols used for redirects

          acl HTTP proto HTTP
          acl HTTPS proto HTTPS
          acl allowed_subnets src 172.26.1.0/24 172.26.0.0/24
          acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
          http_access allow manager localhost

          http_access deny manager
          http_access allow purge localhost
          http_access deny purge
          http_access deny !safeports
          http_access deny CONNECT !sslports

          # Always allow localhost connections
          # From 3.2 further configuration cleanups have been done to make things easier and safer.
          # The manager, localhost, and to_localhost ACL definitions are now built-in.

          http_access allow localhost

          quick_abort_min 0 KB
          quick_abort_max 0 KB
          request_body_max_size 0 KB
          delay_pools 1
          delay_class 1 2
          delay_parameters 1 -1/-1 -1/-1
          delay_initial_bucket_level 100
          delay_access 1 allow allsrc

          # Reverse Proxy settings
          # Package Integration

          url_rewrite_program /usr/pbi/squidguard-i386/bin/squidGuard -c /usr/pbi/squidguard-i386/etc/squidGuard/squidGuard.conf
          url_rewrite_bypass off
          url_rewrite_children 16 startup=8 idle=4 concurrency=0

          # Custom options before auth
          # Block access to blacklist domains

          http_access deny blacklist
          acl sglog url_regex -i sgr=ACCESSDENIED
          http_access deny sglog

          # Setup allowed acls
          # Allow local network(s) on interface(s)

          http_access allow allowed_subnets
          http_access allow localnet

          # Default block all to be sure

          http_access deny allsrc

          The thing is that Squid does filter fine for both networks; the problem is squidGuard, which ignores the wireless network. I am probably missing something in the configuration. I have not been using pfSense for long and still have a lot to learn.

          acriollo

            Can you paste screenshots of the squidGuard config here?

            MichelR

              Here is the squidGuard configuration:

              # ============================================================
              # SquidGuard configuration file
              # This file generated automatically with SquidGuard configurator
              # (C)2006 Serg Dvoriancev
              # email: dv_serg@mail.ru
              # ============================================================

              logdir /var/squidGuard/log
              dbhome /var/db/squidGuard

              # IPs without restrictions

              src VIPS {
              ip    172.26.0.33
              ip    172.26.0.18
              ip    172.26.1.17
              ip    172.26.1.18
              ip    172.26.0.22
              ip    172.26.1.16
              ip    172.26.0.77
              ip    172.26.0.128
              ip    172.26.1.38
              log block.log
              }

              dest blk_BL_adv {
              domainlist blk_BL_adv/domains
              urllist blk_BL_adv/urls
              log block.log
              }

              dest blk_BL_aggressive {
              domainlist blk_BL_aggressive/domains
              urllist blk_BL_aggressive/urls
              log block.log
              }

              dest blk_BL_alcohol {
              domainlist blk_BL_alcohol/domains
              urllist blk_BL_alcohol/urls
              log block.log
              }

              dest blk_BL_anonvpn {
              domainlist blk_BL_anonvpn/domains
              urllist blk_BL_anonvpn/urls
              log block.log
              }

              dest blk_BL_automobile_bikes {
              domainlist blk_BL_automobile_bikes/domains
              urllist blk_BL_automobile_bikes/urls
              log block.log
              }

              dest blk_BL_automobile_boats {
              domainlist blk_BL_automobile_boats/domains
              urllist blk_BL_automobile_boats/urls
              log block.log
              }

              dest blk_BL_automobile_cars {
              domainlist blk_BL_automobile_cars/domains
              urllist blk_BL_automobile_cars/urls
              log block.log
              }

              dest blk_BL_automobile_planes {
              domainlist blk_BL_automobile_planes/domains
              urllist blk_BL_automobile_planes/urls
              log block.log
              }

              dest blk_BL_chat {
              domainlist blk_BL_chat/domains
              urllist blk_BL_chat/urls
              log block.log
              }

              dest blk_BL_costtraps {
              domainlist blk_BL_costtraps/domains
              urllist blk_BL_costtraps/urls
              log block.log
              }

              dest blk_BL_dating {
              domainlist blk_BL_dating/domains
              urllist blk_BL_dating/urls
              log block.log
              }

              dest blk_BL_downloads {
              domainlist blk_BL_downloads/domains
              urllist blk_BL_downloads/urls
              log block.log
              }

              dest blk_BL_drugs {
              domainlist blk_BL_drugs/domains
              urllist blk_BL_drugs/urls
              log block.log
              }

              dest blk_BL_dynamic {
              domainlist blk_BL_dynamic/domains
              urllist blk_BL_dynamic/urls
              log block.log
              }

              dest blk_BL_education_schools {
              domainlist blk_BL_education_schools/domains
              urllist blk_BL_education_schools/urls
              log block.log
              }

              dest blk_BL_finance_banking {
              domainlist blk_BL_finance_banking/domains
              urllist blk_BL_finance_banking/urls
              log block.log
              }

              dest blk_BL_finance_insurance {
              domainlist blk_BL_finance_insurance/domains
              urllist blk_BL_finance_insurance/urls
              log block.log
              }

              dest blk_BL_finance_moneylending {
              domainlist blk_BL_finance_moneylending/domains
              urllist blk_BL_finance_moneylending/urls
              log block.log
              }

              dest blk_BL_finance_other {
              domainlist blk_BL_finance_other/domains
              urllist blk_BL_finance_other/urls
              log block.log
              }

              dest blk_BL_finance_realestate {
              domainlist blk_BL_finance_realestate/domains
              urllist blk_BL_finance_realestate/urls
              log block.log
              }

              dest blk_BL_finance_trading {
              domainlist blk_BL_finance_trading/domains
              urllist blk_BL_finance_trading/urls
              log block.log
              }

              dest blk_BL_fortunetelling {
              domainlist blk_BL_fortunetelling/domains
              urllist blk_BL_fortunetelling/urls
              log block.log
              }

              dest blk_BL_forum {
              domainlist blk_BL_forum/domains
              urllist blk_BL_forum/urls
              log block.log
              }

              dest blk_BL_gamble {
              domainlist blk_BL_gamble/domains
              urllist blk_BL_gamble/urls
              log block.log
              }

              dest blk_BL_government {
              domainlist blk_BL_government/domains
              urllist blk_BL_government/urls
              log block.log
              }

              dest blk_BL_hacking {
              domainlist blk_BL_hacking/domains
              urllist blk_BL_hacking/urls
              log block.log
              }

              dest blk_BL_hobby_cooking {
              domainlist blk_BL_hobby_cooking/domains
              urllist blk_BL_hobby_cooking/urls
              log block.log
              }

              dest blk_BL_hobby_games-misc {
              domainlist blk_BL_hobby_games-misc/domains
              urllist blk_BL_hobby_games-misc/urls
              log block.log
              }

              dest blk_BL_hobby_games-online {
              domainlist blk_BL_hobby_games-online/domains
              urllist blk_BL_hobby_games-online/urls
              log block.log
              }

              dest blk_BL_hobby_gardening {
              domainlist blk_BL_hobby_gardening/domains
              urllist blk_BL_hobby_gardening/urls
              log block.log
              }

              dest blk_BL_hobby_pets {
              domainlist blk_BL_hobby_pets/domains
              urllist blk_BL_hobby_pets/urls
              log block.log
              }

              dest blk_BL_homestyle {
              domainlist blk_BL_homestyle/domains
              urllist blk_BL_homestyle/urls
              log block.log
              }

              dest blk_BL_hospitals {
              domainlist blk_BL_hospitals/domains
              urllist blk_BL_hospitals/urls
              log block.log
              }

              dest blk_BL_imagehosting {
              domainlist blk_BL_imagehosting/domains
              urllist blk_BL_imagehosting/urls
              log block.log
              }

              dest blk_BL_isp {
              domainlist blk_BL_isp/domains
              urllist blk_BL_isp/urls
              log block.log
              }

              dest blk_BL_jobsearch {
              domainlist blk_BL_jobsearch/domains
              urllist blk_BL_jobsearch/urls
              log block.log
              }

              dest blk_BL_library {
              domainlist blk_BL_library/domains
              urllist blk_BL_library/urls
              log block.log
              }

              dest blk_BL_military {
              domainlist blk_BL_military/domains
              urllist blk_BL_military/urls
              log block.log
              }

              dest blk_BL_models {
              domainlist blk_BL_models/domains
              urllist blk_BL_models/urls
              log block.log
              }

              dest blk_BL_movies {
              domainlist blk_BL_movies/domains
              urllist blk_BL_movies/urls
              log block.log
              }

              dest blk_BL_music {
              domainlist blk_BL_music/domains
              urllist blk_BL_music/urls
              log block.log
              }

              dest blk_BL_news {
              domainlist blk_BL_news/domains
              urllist blk_BL_news/urls
              log block.log
              }

              dest blk_BL_podcasts {
              domainlist blk_BL_podcasts/domains
              urllist blk_BL_podcasts/urls
              log block.log
              }

              dest blk_BL_politics {
              domainlist blk_BL_politics/domains
              urllist blk_BL_politics/urls
              log block.log
              }

              dest blk_BL_porn {
              domainlist blk_BL_porn/domains
              urllist blk_BL_porn/urls
              log block.log
              }

              dest blk_BL_radiotv {
              domainlist blk_BL_radiotv/domains
              urllist blk_BL_radiotv/urls
              log block.log
              }

              dest blk_BL_recreation_humor {
              domainlist blk_BL_recreation_humor/domains
              urllist blk_BL_recreation_humor/urls
              log block.log
              }

              dest blk_BL_recreation_martialarts {
              domainlist blk_BL_recreation_martialarts/domains
              urllist blk_BL_recreation_martialarts/urls
              log block.log
              }

              dest blk_BL_recreation_restaurants {
              domainlist blk_BL_recreation_restaurants/domains
              urllist blk_BL_recreation_restaurants/urls
              log block.log
              }

              dest blk_BL_recreation_sports {
              domainlist blk_BL_recreation_sports/domains
              urllist blk_BL_recreation_sports/urls
              log block.log
              }

              dest blk_BL_recreation_travel {
              domainlist blk_BL_recreation_travel/domains
              urllist blk_BL_recreation_travel/urls
              log block.log
              }

              dest blk_BL_recreation_wellness {
              domainlist blk_BL_recreation_wellness/domains
              urllist blk_BL_recreation_wellness/urls
              log block.log
              }

              dest blk_BL_redirector {
              domainlist blk_BL_redirector/domains
              urllist blk_BL_redirector/urls
              log block.log
              }

              dest blk_BL_religion {
              domainlist blk_BL_religion/domains
              urllist blk_BL_religion/urls
              log block.log
              }

              dest blk_BL_remotecontrol {
              domainlist blk_BL_remotecontrol/domains
              urllist blk_BL_remotecontrol/urls
              log block.log
              }

              dest blk_BL_ringtones {
              domainlist blk_BL_ringtones/domains
              urllist blk_BL_ringtones/urls
              log block.log
              }

              dest blk_BL_science_astronomy {
              domainlist blk_BL_science_astronomy/domains
              urllist blk_BL_science_astronomy/urls
              log block.log
              }

              dest blk_BL_science_chemistry {
              domainlist blk_BL_science_chemistry/domains
              urllist blk_BL_science_chemistry/urls
              log block.log
              }

              dest blk_BL_searchengines {
              domainlist blk_BL_searchengines/domains
              urllist blk_BL_searchengines/urls
              log block.log
              }

              dest blk_BL_sex_education {
              domainlist blk_BL_sex_education/domains
              urllist blk_BL_sex_education/urls
              log block.log
              }

              dest blk_BL_sex_lingerie {
              domainlist blk_BL_sex_lingerie/domains
              urllist blk_BL_sex_lingerie/urls
              log block.log
              }

              dest blk_BL_shopping {
              domainlist blk_BL_shopping/domains
              urllist blk_BL_shopping/urls
              log block.log
              }

              dest blk_BL_socialnet {
              domainlist blk_BL_socialnet/domains
              urllist blk_BL_socialnet/urls
              log block.log
              }

              dest blk_BL_spyware {
              domainlist blk_BL_spyware/domains
              urllist blk_BL_spyware/urls
              log block.log
              }

              dest blk_BL_tracker {
              domainlist blk_BL_tracker/domains
              urllist blk_BL_tracker/urls
              log block.log
              }

              dest blk_BL_updatesites {
              domainlist blk_BL_updatesites/domains
              urllist blk_BL_updatesites/urls
              log block.log
              }

              dest blk_BL_urlshortener {
              domainlist blk_BL_urlshortener/domains
              urllist blk_BL_urlshortener/urls
              log block.log
              }

              dest blk_BL_violence {
              domainlist blk_BL_violence/domains
              urllist blk_BL_violence/urls
              log block.log
              }

              dest blk_BL_warez {
              domainlist blk_BL_warez/domains
              urllist blk_BL_warez/urls
              log block.log
              }

              dest blk_BL_weapons {
              domainlist blk_BL_weapons/domains
              urllist blk_BL_weapons/urls
              log block.log
              }

              dest blk_BL_webmail {
              domainlist blk_BL_webmail/domains
              urllist blk_BL_webmail/urls
              log block.log
              }

              dest blk_BL_webphone {
              domainlist blk_BL_webphone/domains
              urllist blk_BL_webphone/urls
              log block.log
              }

              dest blk_BL_webradio {
              domainlist blk_BL_webradio/domains
              urllist blk_BL_webradio/urls
              log block.log
              }

              dest blk_BL_webtv {
              domainlist blk_BL_webtv/domains
              urllist blk_BL_webtv/urls
              log block.log
              }

              # Windows updates

              dest Updates {
              domainlist Updates/domains
              expressionlist Updates/expressions
              log block.log
              }

              # Accepted pages

              dest Aceptadas {
              domainlist Aceptadas/domains
              urllist Aceptadas/urls
              log block.log
              }

              # Forbidden extensions

              dest Extensiones {
              expressionlist Extensiones/expressions
              log block.log
              }

              # Forbidden websites

              dest Prohibidas {
              expressionlist Prohibidas/expressions
              log block.log
              }

              rew safesearch {
              s@(google\..*/search?.*q=.*)@\1&safe=active@i
              s@(google\..*/images.*q=.*)@\1&safe=active@i
              s@(google\..*/groups.*q=.*)@\1&safe=active@i
              s@(google\..*/news.*q=.*)@\1&safe=active@i
              s@(yandex\..*/yandsearch?.*text=.*)@\1&fyandex=1@i
              s@(search\.yahoo\..*/search.*p=.*)@\1&vm=r&v=1@i
              s@(search\.live\..*/.*q=.*)@\1&adlt=strict@i
              s@(search\.msn\..*/.*q=.*)@\1&adlt=strict@i
              s@(.*\.bing\..*/.*q=.*)@\1&adlt=strict@i
              log block.log
              }

              acl {

              # IPs without restrictions

              VIPS  {
              pass all
              log block.log
              }

              default  {
              pass Updates Aceptadas blk_BL_downloads blk_BL_updatesites !Extensiones !Prohibidas !blk_BL_adv !blk_BL_aggressive !blk_BL_anonvpn !blk_BL_drugs !blk_BL_fortunetelling !blk_BL_hacking !blk_BL_hobby_games-misc !blk_BL_hobby_games-online !blk_BL_porn !blk_BL_shopping !blk_BL_spyware !blk_BL_warez all
              redirect http://172.26.0.5:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
              log block.log
              }
              }

              acriollo

                From what I see you only have rules for one network, so all your traffic that does not fall into that target goes to your default action.

                Check your default policy for access inside and outside the restriction hours.

                Set a deny all as the default policy and check whether all the traffic goes through there.

                Regards

                MichelR

                  Thanks a lot, acriollo!!

                  Indeed, I had not defined the target for the second network. Learning little by little…

                  Regards

                  acriollo

                    Great!

                    Edit the title and add [SOLVED] so other people know you managed to solve it.

                    Regards

                    huaressa

                      I have the same problem. Could you post your solution on screen? Thanks in advance.

                      acriollo

                        The thing here, huaressa, is that this user had no rules for the second network in squidGuard, so it goes to the default policy. If the default policy is deny, that is what the system does.

                        You also have to check that the network you want to get out has at least DNS egress.

                        tianga

                          @acriollo:

                          The thing here, huaressa, is that this user had no rules for the second network in squidGuard, so it goes to the default policy. If the default policy is deny, that is what the system does.

                          You also have to check that the network you want to get out has at least DNS egress.

                          Hi acriollo, sorry for my ignorance, but where are the other subnets declared? Could you guide me?

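As an added example (not code from the thread, from pfSense or from squidGuard itself), a small Python model of the behaviour acriollo describes: squidGuard walks the acl block in file order and takes the first entry whose src covers the client, so a subnet with no src block of its own lands in default; adding a src block and an acl entry for 172.26.1.0/24 is the kind of "target for the second network" MichelR ended up defining. The WIRELESS block names, the pass lists and the uncovered-subnet check are assumptions for illustration.

```python
import ipaddress
import re

# Constructed squidGuard.conf fragment laid out like the one in the thread:
# VIPS lists single hosts from both subnets, and no src block covers the
# 172.26.1.0/24 (WIRELESS) subnet as a whole, so its other clients fall to
# "default". Everything except the thread's subnets is hypothetical.
SQUIDGUARD_CONF = """\
src VIPS {
    ip 172.26.0.33
    ip 172.26.1.17
}
acl {
    VIPS {
        pass all
    }
    default {
        pass Updates Aceptadas !Prohibidas !blk_BL_porn all
        redirect http://172.26.0.5:80/sgerror.php
    }
}
"""
# The fix the thread arrives at: a src block for the second subnet plus its own
# acl entry, placed before "default" (squidGuard takes the first match).
WIRELESS_SRC = "src WIRELESS {\n    ip 172.26.1.0/24\n}\n"
WIRELESS_ACL = "    WIRELESS {\n        pass Aceptadas !Prohibidas all\n    }\n"

SRC_RE = re.compile(r"^\s*src\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ACL_RE = re.compile(r"^\s*acl\s*\{(.*)^\}", re.S | re.M)
ENTRY_RE = re.compile(r"^\s*(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
IP_RE = re.compile(r"^\s*ip\s+(\S+)", re.M)


def _ip_entry_range(value):
    """(first, last) as ints for an 'ip' entry: single host, CIDR or a-b range."""
    if "-" in value:
        lo, hi = value.split("-", 1)
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(value, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_conf(text):
    """Return ({src name: [(lo, hi), ...]}, [acl entry names in file order])."""
    srcs = {name: [_ip_entry_range(v) for v in IP_RE.findall(body)]
            for name, body in SRC_RE.findall(text)}
    order = [name for name, _ in ENTRY_RE.findall(ACL_RE.search(text).group(1))]
    return srcs, order


def matching_acl(text, client_ip):
    """Walk the acl block in order like squidGuard and return the first entry
    whose src covers client_ip; anything unmatched lands in 'default'."""
    srcs, order = parse_conf(text)
    ip = int(ipaddress.ip_address(client_ip))
    for name in order:
        if name != "default" and any(lo <= ip <= hi for lo, hi in srcs.get(name, [])):
            return name
    return "default"


def uncovered_subnets(text, subnets):
    """Subnets (e.g. from squid's 'acl localnet src ...') that no src block covers
    as a whole: clients there only match an entry if listed host by host."""
    srcs, _ = parse_conf(text)
    result = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if not any(a <= lo and hi <= b for rs in srcs.values() for a, b in rs):
            result.append(cidr)
    return result


def with_wireless_block(text):
    """Constructed 'after' config: add the WIRELESS src and its acl entry."""
    text = text.replace("acl {", WIRELESS_SRC + "acl {", 1)
    return text.replace("    default {", WIRELESS_ACL + "    default {", 1)


if __name__ == "__main__":
    subnets = ["172.26.0.0/24", "172.26.1.0/24"]
    for label, conf in (("before", SQUIDGUARD_CONF),
                        ("after", with_wireless_block(SQUIDGUARD_CONF))):
        print(label, "uncovered:", uncovered_subnets(conf, subnets),
              "172.26.1.50 ->", matching_acl(conf, "172.26.1.50"),
              "172.26.1.17 ->", matching_acl(conf, "172.26.1.17"))
```

Running it shows both subnets uncovered before the change and 172.26.1.50 landing in default, while 172.26.1.17 still hits VIPS afterwards because VIPS comes first in the acl block.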
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.