Netgate Discussion Forum

    Blocking All websites except 2 websites for some users

      Stat_jack

      Hello everyone,
      How is it going?
      I'm trying to use SquidGuard to block all websites for some of the company PCs except mail.yahoo.com and gmail.com,
      but I don't want to block everyone, just them.
      Can someone please give me detailed instructions on how I can do that?
      Thanks

        mer

        I can't give you detailed instructions, but the computers you want to block, are they at fixed IP addresses or do they always get the same addresses from DHCP?

          Stat_jack

          Yeah, they have fixed IPs

            mer

            A quick google for squidguard source based access

            http://www.squidguard.org/Doc/extended.html#sourceIP

            I have no idea how you add that to your configuration

              chris4916

              I would personally not rely on IP, MAC or whatever like this if the goal is to block some users and allow some others.
              As the trigger is "user", this means an account, thus proxy authentication in order to distinguish between users and then apply profiling rules, either deny or allow.

              Jah Olela Wembo: Words turn into woes when they upset, attack or hurt.

                Stat_jack

                Detailed instructions please, if possible

                  chris4916

                  I won't describe how to implement this using pfSense GUI as I don't use Squid as embedded pfSense package but I can at least explain what to do in Squid ;-)

                  1 - if you have very few impacted users, you could achieve this directly in Squid conf, but I won't promote such an approach, which means that you will have to change your Squid conf each and every time you have some changes here. Better to rely, if possible, on groups, meaning an external group, e.g. from LDAP.

                  2 - create the group of users with limited access

                  acl restricted_group external your_AD_group

                  3 - as mail.yahoo.com and gmail.com will be authorized for all, you can create an ACL for each.
                  e.g.

                  # dst: destination host (resolved to its IP addresses)
                  acl yahoo dst mail.yahoo.com
                  # dstdomain: destination domain name
                  acl gmail dstdomain gmail.com

                  notice that if the target was a host for both, you could manage only one ACL, e.g. acl mail dst mail.yahoo.com something.gmail.com

                  4 - then authorize these destinations for all

                  http_access allow yahoo
                  http_access allow gmail
                  http_access deny restricted_group
                  # or better, if you have it: http_access allow authorized_group
                  http_access allow all
                  http_access deny all

                  group membership obviously requires authentication, therefore an explicit proxy.
                  You will find plenty of howtos and tutorials about Wiki ACL surfing internet  ;)

                  Does it make sense?

                  Jah Olela Wembo: Words turn into woes when they upset, attack or hurt.

                    chris4916

                    This is an example directly in Squid.
                    Almost similar behaviour can be achieved using SquidGuard, which is also able to handle ACLs, users and groups. It should perhaps be feasible using the pfSense GUI; this I don't know, as I'm not a Squid user on pfSense  8)

                    logic is always pretty much the same:

                    • define white list covering what is allowed to all
                    • allow white list access
                    • deny group of restricted users
                    • authorize all others

                    Jah Olela Wembo: Words turn into woes when they upset, attack or hurt.
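
The ordering logic from the posts above (whitelist first, then deny the restricted group, then allow the rest), as an added example that is not part of the original thread: a small Python model of first-match http_access evaluation. The user names, group membership and test hosts are constructed, and both mail destinations are modelled as dstdomain-style name matches (with `.gmail.com` covering subdomains), which is an assumption.

```python
# Added example: model of first-match http_access evaluation for the rule
# order in the thread. Users, membership and hosts are constructed.

def dstdomain_match(host, patterns):
    """dstdomain-style match: '.example.com' covers the domain and all of
    its subdomains; 'example.com' matches that exact name only."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False

GROUPS = {"restricted_group": {"alice"}}  # constructed; real data comes from LDAP/AD

ACLS = {
    "yahoo": lambda user, host: dstdomain_match(host, ["mail.yahoo.com"]),
    "gmail": lambda user, host: dstdomain_match(host, [".gmail.com"]),  # assumed pattern
    "restricted_group": lambda user, host: user in GROUPS["restricted_group"],
    "all": lambda user, host: True,
}

# Same order as the http_access lines in the post.
RULES = [("allow", "yahoo"), ("allow", "gmail"),
         ("deny", "restricted_group"), ("allow", "all"), ("deny", "all")]

# Misordered variant: the group deny is evaluated before the whitelist.
WRONG_ORDER = [RULES[2], RULES[0], RULES[1], RULES[3], RULES[4]]

def http_access(user, host, rules=RULES):
    """Return the action of the first rule whose ACL matches the request."""
    for action, acl in rules:
        if ACLS[acl](user, host):
            return action
    return "deny"  # not reached here: both rule lists end with a catch-all

if __name__ == "__main__":
    for user, host in [("alice", "mail.yahoo.com"), ("alice", "www.gmail.com"),
                       ("alice", "example.org"), ("bob", "example.org")]:
        print(f"{user:6} {host:16} -> {http_access(user, host)}")
    print("misordered:", http_access("alice", "mail.yahoo.com", WRONG_ORDER))
```

With the deny placed first, the restricted user loses webmail as well, which is why the whitelist rules come before the group deny.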
