Blocking All websites except 2 websites for some users



  • Hello everyone,
    How is it going?
    I'm trying to use SquidGuard to block all websites for some of the company PCs except mail.yahoo.com and gmail.com,
    but I don't want to block everyone, just them.
    Can someone please give me detailed instructions on how I can do that?
    Thanks



  • I can't give you detailed instructions, but the computers you want to block, are they at fixed IP addresses or do they always get the same addresses from DHCP?



  • Yeah, they have fixed IPs



  • A quick google for squidguard source based access

    http://www.squidguard.org/Doc/extended.html#sourceIP

    I have no idea how you add that to your configuration.



  • I would personally not rely on IP, MAC or whatever like this if the goal is to block some users and allow some others.
    As the trigger is "user", this means an account, and thus proxy authentication, in order to distinguish between users and then apply profiling rules, either deny or allow.



  • Detailed instructions please, if possible



  • I won't describe how to implement this using the pfSense GUI, as I don't use Squid as an embedded pfSense package, but I can at least explain what to do in Squid ;-)

    1 - if you have very few impacted users, you could achieve this directly in the Squid conf, but I won't promote such an approach, which means that you will have to change your Squid conf each and every time you have some changes here. Better to rely, if possible, on groups, meaning an external group, e.g. from LDAP.

    2 - create the group of users with limited access

    acl restricted_group external your_AD_group
    

    3 - as mail.yahoo.com and gmail.com will be authorized for all, you can create an ACL for each.
    e.g.

    acl yahoo dst mail.yahoo.com
    acl gmail dstdomain gmail.com
    

    Notice that if the target was a host for both, you could manage with only one ACL, e.g. acl mail dst mail.yahoo.com something.gmail.com

    4 - then authorize these destinations for all

    http_access allow yahoo
    http_access allow gmail
    http_access deny restricted_group
    # or better, if you have it: http_access allow authorized_group
    http_access allow all
    http_access deny all
    

    Group membership obviously requires authentication, and therefore an explicit proxy.
    You will find plenty of howtos and tutorials about Wiki ACL surfing the internet  ;)

    Does it make sense?



  • This is an example directly in Squid.
    Almost similar behaviour can be achieved using SquidGuard, which is also able to handle ACLs, users and groups. It should perhaps be feasible using the pfSense GUI; this I don't know, as I'm not a Squid user on pfSense  8)

    logic is always pretty much the same:

    • define white list covering what is allowed to all
    • allow white list access
    • deny group of restricted users
    • authorize all others
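
The same four-step logic written as a squidGuard.conf keyed on the fixed source IPs mentioned earlier in the thread. This is an added example, not posted by any participant and not taken from a pfSense-generated file. The `dbhome` and `logdir` paths, the group names `restricted_pcs` and `webmail`, the redirect URL and all 192.0.2.x addresses are assumptions to replace with local values.

```conf
# squidGuard.conf (constructed example; every path, name and address
# below is a placeholder, not a value from the thread)
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Source group: the PCs with fixed IPs that may reach webmail only.
src restricted_pcs {
    ip 192.0.2.10 192.0.2.11 192.0.2.12
}

# Destination group: the allow list.
# webmail/domains is a text file under dbhome, one domain per line:
#   mail.yahoo.com
#   gmail.com
# A domainlist entry also covers the subdomains of that domain.
dest webmail {
    domainlist webmail/domains
}

acl {
    # Requests from restricted_pcs: pass the allow list, block the rest.
    restricted_pcs {
        pass webmail none
        redirect http://192.0.2.1/blocked.html
    }

    # Every client not in a source group above keeps normal access.
    default {
        pass all
        redirect http://192.0.2.1/blocked.html
    }
}
```

Source-IP matching identifies machines, not people, so anyone who can sit at an unrestricted PC or change a restricted PC's address falls under the `default` rule; the group-based approach described above needs proxy authentication but follows the user.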
