Quick start squidGuard package

Common access

HowTo begin.

HowTo use simple URL filter.

HowTo configure common access to sites.

 

‘General settings’ page:

Enable squidGuard.

Download the blacklist and wait for the blacklist DB to be rebuilt (~10-30 min). The blacklist URL can be an http or ftp URL, or a local pfSense path to the blacklist archive (example: ‘http://www.shallalist.de/Downloads/shallalist.tar.gz’ or ‘/tmp/blacklist.tar.gz’).

 

 

‘Default’ page:

Select ‘deny’ or ‘allow’ to disable or enable access to your sites. If you leave ‘---’, access to these (and all other) sites is decided by the ‘Default access’ rule setting.

Select ‘deny’ or ‘allow’ in ‘Default access’ rule.

Define redirection options.

 

 

Go to the ‘General settings’ page and press the ‘Apply’ button to restart squidGuard with the new options.

This action must be done every time you want to apply configuration changes.

 

 

 

 

 

Custom Destinations

HowTo use custom destinations.

 

Destinations let you create custom lists of URLs and domains to control access.

 

Go to the ‘Destinations’ page:

Add new item.

 


 

Enter unique name.

Enter domain (example: ‘example.com news.example.com’).

Enter expressions.

 

 

Enter URLs (example: ‘example.com/main.php newwws.net/list’).

Select redirect mode and enter redirect option.

Save.

 

 

Then you can use custom destination items in destination rules (see ‘HowTo configure common access to sites’).

 

Whitelist

HowTo exclude sites from blacklist

HowTo use whitelist

 

If you need to exclude some sites from the blacklist, or to provide access to a site at any time, you can use the ‘white list’ mechanism.

Create a destination item with a list of the special sites (domains) (see ‘HowTo use custom destinations’).

In the destination rules of Default or an ACL, select ‘white’ for your destination item.

 

 

Your destination item will be allowed before any other rule items are applied.

 

ACL

HowTo configure ACL

 

An ACL lets you set filter rules for selected clients.

Add new ACL item.

 


 

Enter unique name.

Enter source (IPs, domains, usernames).

Set Destination rules (left column; the right column is not used for now).

Set redirect mode and options.

Save.

 


 

 

Times

HowTo use times with my ACL.

HowTo use different filter rules at different times of day.

 

With times you can define different filter rules for specified times (used with ACL only).

 

Add new time item.

 


 

Enter unique name.

Enter the time ranges within which the ‘Destination rules’ will act.

Save.

 


 

Go to the ACL items page.

Select your time item. The Destination rules (left column) will be used with your time-item settings.

 


 

To define destination rules for overtime, you must set ‘Destination rules in overtime’ (right column).

 


Transparent proxy

HowTo squid transparent mode

 

In transparent mode squid works with some peculiarities. All requests received by the proxy come from local IP addresses, and squid cannot determine the user from the IP address. Accordingly, squidGuard receives requests for processing only from the local addresses of pfSense. Therefore, with a transparent proxy squidGuard can use only Common access (the ‘Default’ page). You can also try to use ACLs by user name, with the corresponding proxy authorization settings, but this mode has not yet been tested.

 

Options and comments

General settings page

 

This page contains general settings and Blacklist options.

Enable checkbox – turns the squidGuard package on or off.

Apply button – the “main” button; restarts the package with the new settings.

Blacklist checkbox – turns the blacklist (a preloaded DB of URLs for blocking) on or off.

Blacklist proxy – if an external proxy is needed to download the blacklist archive, set this option as ipaddress:port login:pass

Blacklist URL – URL (http or ftp) or local pfSense path to the blacklist archive (example: ‘http://www.shallalist.de/Downloads/shallalist.tar.gz’ or ‘/tmp/blacklist.tar.gz’).

Upload URL button – starts fetching the blacklist archive and rebuilding the DB; this can take some time (10-25 min).

Restore last button – restores the last uploaded and rebuilt blacklist DB. Useful after reinstalling squidGuard (a very quick procedure).

 

Notes:

Click the Apply button whenever you want to apply the modifications made;

The blacklist can be downloaded from the internal archive ‘/tmp/sg_blacklists.tar’, where the last downloaded blacklist file is stored.

 

Default page

 

This page contains the Default (common) ACL (access list): the Destinations ruleset for all users (clients) who have no other ACL defined.

 

Each rule item (except the last) can be set to:

‘---’ – the rule item is not used for this ACL,

‘allow’ – access is allowed, except where filtered by ‘deny’ rules,

‘white’ – whitelist; access has high priority (it is applied before the ‘deny’ rules too); used when you need to unlock access to a URL blocked by ‘deny’ rules,

‘deny’ – access is blocked for this item.

 

The last (default) rule can only be ‘allow’ or ‘deny’; it defines the behavior for all requests not handled by the rules before it.

 

Access Control List (ACL)

 

For more advanced control, you can manage selected clients via ACL rules.

  

Notes:

ACL must have unique name.

You can disable and enable a rule with the Disable option.

ACLs are applied by their order position, first match first. If the source IP of your client is found in an ACL in the list, the client is processed with the first such ACL.

Error example:

0-order A_rule for Source 10.0.0.0/24

1-order B_rule for Source 10.0.0.15

In this situation B_rule is never applied to the 10.0.0.15 source, because A_rule has already matched.

Right example:

0-order B_rule for Source 10.0.0.15

1-order A_rule for Source 10.0.0.0/24
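
The ordering rule above, as an added Python example (not code from the squidGuard package or from this guide): it models first-match evaluation for IP and CIDR sources only, and reports any ACL that can never match because an earlier ACL already covers all of its sources. The function names and the ‘default’ fallback label are assumptions made for the example.

```python
import ipaddress


def _nets(sources):
    """Parse a list of IP or CIDR strings into network objects."""
    return [ipaddress.ip_network(s, strict=False) for s in sources]


def first_match(acls, client_ip):
    """Return the name of the first ACL whose source contains client_ip.

    acls is an ordered list of (name, [sources]); 'default' stands for
    the common ACL from the 'Default' page (label is an assumption).
    """
    ip = ipaddress.ip_address(client_ip)
    for name, sources in acls:
        if any(ip in net for net in _nets(sources)):
            return name
    return "default"


def shadowed(acls):
    """Return (later, earlier) pairs where the later ACL can never match."""
    found = []
    for i, (name, sources) in enumerate(acls):
        for prev_name, prev_sources in acls[:i]:
            prev = _nets(prev_sources)
            if all(any(n.version == p.version and n.subnet_of(p) for p in prev)
                   for n in _nets(sources)):
                found.append((name, prev_name))
                break
    return found


# The two orderings from the text above.
WRONG_ORDER = [("A_rule", ["10.0.0.0/24"]), ("B_rule", ["10.0.0.15"])]
RIGHT_ORDER = [("B_rule", ["10.0.0.15"]), ("A_rule", ["10.0.0.0/24"])]

if __name__ == "__main__":
    for label, acls in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "10.0.0.15 ->", first_match(acls, "10.0.0.15"),
              "| shadowed:", shadowed(acls))
```

Running the shadow check over an ACL list before pressing Apply catches a narrow per-host rule that was placed below a broader subnet rule.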

 

Destinations

 

Destinations contain entries that describe where your clients may or may not go.

 

Notes:

A Destination page entry contains a unique name, a domains list, a URLs list, expressions and Redirect.

Domains and URLs contain the IPs or names that this entry will manage (they will be ‘pass’ or ‘deny’).

The Expressions option contains masks written as regular expressions. This powerful option requires learning regular expression formats (manuals can be found on the Internet).

Simplest use:

‘Ads|porns|baners’ – applies to ‘porn.com’, ‘va.com/ads’, ‘example.com/baners’, but not to ‘example.com/banners’, ‘example.com/baner’.

For the last situation you can use the ‘Ads|porns|ban{1,2}ers{0,1}’ mask ({1,2} means that the symbol ‘n’ must occur 1 or 2 times).

 

The Redirect option is used only for this entry. The redirect is used if the entry is denied in an ACL. If this field is empty, the Redirect option from the ACL is used.

 

Howto:

Enter unique name;

Enter domains, expressions or URLs (any one of them or all together); at least one of these fields must contain data;

Define ‘Redirect’ option if you need this;

 

Expressions 

 

HowTo filter extensions with expressions

 

In ‘Expressions’, enter a template of the form:

(token1|token2|token3|…).*\.(ext1|ext2|ext3|…)

Example1:

(download|downloads|file|files|image|picture|flash).*\.(exe|dll|wav|gif|zip|tar)

Example2:

(.*\.(zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3))|(\/download.|\/mp3.*)

But do not enter com, gov or any other root domain – otherwise this blocks any http://www.*.com

 

HowTo filter spylogs with expressions

 

Example:

counting|counter|spylog|spylogs

Note:

The tokens ‘spylog’ and ‘spylogs’ can be replaced with the single string ‘spylogs{0,1}’. The {0,1} means that the last ‘s’ symbol must be present 0 or 1 times.
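
The masks from the Destinations notes and the extension filter above can be checked against sample URLs before they are saved. The following Python example is added here and is not code from the squidGuard package; it assumes an unanchored, case-insensitive search and uses Python's re module as a stand-in for squidGuard's own regex engine, with constructed sample URLs.

```python
import re

# Masks quoted on this page.
NARROW = r"Ads|porns|baners"
WIDE = r"Ads|porns|ban{1,2}ers{0,1}"
EXT2 = (r"(.*\.(zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3))"
        r"|(\/download.|\/mp3.*)")
# Example2 with the root domain 'com' added to the extension list,
# the mistake the page warns about.
EXT2_WITH_COM = EXT2.replace("|mpv|mp3))", "|mpv|mp3|com))")


def blocked(mask, url):
    """True when the mask matches anywhere in the URL.

    Assumption: unanchored, case-insensitive search, approximated here
    with Python's re module instead of squidGuard's own regex engine.
    """
    return re.search(mask, url, re.IGNORECASE) is not None


def report(mask, urls):
    """Map each URL to whether the mask would block it."""
    return {url: blocked(mask, url) for url in urls}


# Constructed sample URLs.
BANNER_URLS = ["example.com/baners", "example.com/banners",
               "example.com/baner", "example.com/band"]
FILE_URLS = ["example.com/pub/setup.exe",
             "example.com/notes.executive.html",  # '.exe' inside a longer name
             "www.example.com/about.html"]

if __name__ == "__main__":
    for label, mask, urls in [("narrow", NARROW, BANNER_URLS),
                              ("wide", WIDE, BANNER_URLS),
                              ("ext", EXT2, FILE_URLS),
                              ("ext+com", EXT2_WITH_COM, FILE_URLS)]:
        for url, hit in report(mask, urls).items():
            print(f"{label:8} {'BLOCK' if hit else 'pass':5} {url}")
```

The second file URL shows that an extension mask without an end anchor also matches longer names that merely start with the extension, so test a mask against known-good URLs as well as the ones it is meant to block.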

 

 

Times page

 

The time type can be date or weekly. In the first case the ‘Days’ field is disabled and the ‘Date or Range’ field is enabled; in the second case it is the other way round.

A date can be defined as a single date or a date range. The format is yyyy.mm.dd or yyyy.mm.dd-yyyy.mm.dd; a template with * is also possible (*.12.* means the 12th month, any year, any day).

Time must be defined only as a range hh:mm-hh:mm (08:00-18:00).

 

HowTo define time with dinner time:

 

Example with the weekly type for 08:00-18:00 working time and a 12:00-13:00 dinner break:

weekly mon –date disabled— 08:00-12:00

weekly mon –date disabled— 13:00-18:00

weekly tue –date disabled— 08:00-12:00

weekly tue –date disabled— 13:00-18:00

 

Rewrites

 

This page contains entries for replacing specific destination URLs. For example, this can be used for file extensions.

 

 

After all configuration is done, you must press the Apply button on the main page to generate the config and restart squidGuard.