Squidguard not blocking sites during time restriction
-
Hi to all. I am currently trying to set up a time restriction in SquidGuard to limit the computers' access at specific times. For example, I want 192.168.1.10-192.168.1.20 to have access to Facebook and YouTube disabled from 8am-12pm. Then from 12:01 to 1:30pm they will be able to access it, and from 1:31pm - 5pm they won't be able to access Facebook and YouTube again. But when I test this, I can still access the blocked website at 8:40am. Note that I already checked that the time of pfSense is synced correctly to my time zone.
-
And how is the Squid proxy working? Transparent or HTTPS/SSL interception? Because if you run transparent then it will not intercept HTTPS.
-
Your first two screenshots are totally unreadable.
-
Rant on
I can tell you from past attempts, that the time restrictions are problematic and VERY unstable.
1. When you cross a time boundary, the filters do not automatically change. You must set up cron to run "squid -k reconfigure" to tell squid to re-read the config file a minute or so after the time change. This is not documented anywhere and is not automatically set up. One would think that squidguard would get an alarm set or something. There is a log entry that refers to a squid alarm, however, expiration of the alarm does not seem to do anything.
2. Existing transfers or connections (i.e., firewall states) do not normally clear, thus users will not see the rule changes. If you set squid to clear states when it reloads, then any transfer occurring when the time change is triggered also gets dropped even though it should not be affected by the rule. If you do not clear the states, then any active transfer continues. In my case, we allow users to stream in audio outside of business hours. But, if a user started the radio stream prior to the time change, then they could stream all day long.
3. On occasion, the entire firewall will crash and corrupt the hard drive during one of these transitions.
4. Finally, and not insignificantly, every single hour (the exact minute depends upon when squidguard started), there is some sort of garbage collection that causes a 100% CPU spike on the squid process for 30-90 seconds. I have noted that the problem is either very small or does not occur if squidguard is not enabled. Further, the size of the cache, RAM allocation, and CPU size do not seem to significantly impact the length of the hourly outage. NO internet traffic of any kind is transferred during this hourly period and it will often cause VPN tunnels to timeout and drop as well.
All of these problems have been present for ALL 2.x versions, including current releases. I find it extremely annoying that I've had difficulty even getting a response, much less any type of resolution on these as I could really use these features, but cannot due to their network impact. Especially item 4, that occurs anytime squidguard is enabled. All I have ever gotten is a few responses asking me to check a couple of items, all of which turned out to be fine.
Rant Off
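
The cron workaround from point 1 of the post above, as an added example that is not part of the original thread: it derives crontab entries that run `squid -k reconfigure` one minute after each edge of the blocked windows given in the first post. The squid binary path, the function names and the user-crontab layout (no user column) are assumptions.

```python
from datetime import datetime, timedelta

# Assumed path to the squid binary (FreeBSD-style layout); adjust for your system.
SQUID_RECONFIGURE = "/usr/local/sbin/squid -k reconfigure"

# Constructed from the schedule in the first post:
# sites blocked 08:00-12:00 and 13:31-17:00, allowed in between.
BLOCKED_WINDOWS = [("08:00", "12:00"), ("13:31", "17:00")]


def _parse(hhmm):
    """Parse a 24-hour 'HH:MM' string; raises ValueError on malformed input."""
    return datetime.strptime(hhmm, "%H:%M")


def reconfigure_times(windows, delay_minutes=1):
    """Return sorted, de-duplicated (hour, minute) pairs, one per window edge,
    shifted by delay_minutes. An edge late in the day wraps past midnight
    (23:59 + 1 minute becomes 00:00)."""
    if delay_minutes < 0:
        raise ValueError("delay_minutes must not be negative")
    times = set()
    for start, end in windows:
        s, e = _parse(start), _parse(end)
        if s >= e:
            raise ValueError(f"window {start}-{end} must start before it ends")
        for edge in (s, e):
            shifted = edge + timedelta(minutes=delay_minutes)
            times.add((shifted.hour, shifted.minute))
    return sorted(times)


def crontab_lines(windows, delay_minutes=1, command=SQUID_RECONFIGURE):
    """Render one entry per edge as: minute hour day-of-month month day-of-week command."""
    return [f"{minute} {hour} * * * {command}"
            for hour, minute in reconfigure_times(windows, delay_minutes)]


if __name__ == "__main__":
    print("\n".join(crontab_lines(BLOCKED_WINDOWS)))
```
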
-
Interesting results on the hourly squid hang can be found here:
https://forum.pfsense.org/index.php?topic=96472