intra-net

The server, the clients, etc are behind a firewall on a 172 network.

[EMAIL PROTECTED] wrote:

So you pass all your outgoing squid traffic to a router that is connected to a DMZ or internet?





Ryan Nix <[EMAIL PROTECTED]>
03/03/2004 04:19 PM

To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], Rick Matthews <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Not blocking



This proxy server is actually on an internal network so that shouldn't be a problem, I don't believe.


Regards, should I setup an acl that allows only our internal 172 IPs access?

[EMAIL PROTECTED] wrote:



Yes. Furthermore, at the VERY bottom of your squid.conf you need the deny all back in there. Otherwise, you'd be setting up an open proxy server that allows users on the internet to proxy their web traffic through you.




Very big no-no.

Regards,

Tim Rainier




Ryan Nix <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/03/2004 03:05 PM

      To:     Rick Matthews <[EMAIL PROTECTED]>
      cc:     [EMAIL PROTECTED]
      Subject:        Re: Not blocking


I took out all squid.conf acls thinking that squidguard.conf would handle them.


This is all I have in my squid.conf:

coredump_dir /var/spool/squid
cache_mem 100 MB

redirect_program /usr/sbin/squidGuard -c /etc/squidGuard.conf

I was hoping that squidguard.conf would allow unfettered access to all sites except those found in the s.g. database.

Do I absolutely have to have an IP range as an acl?


Rick Matthews wrote:






Ryan Nix wrote:






Can anyone give me a good example of what is in their squid.conf file?






What problems are you having with Squid? You should have squid working properly before you add the redirect_program statement; you do not want to debug two unfamiliar, interconnected programs simultaneously.

What are your concerns?
-----------------------
Q. Is squid starting OK?  Is squid starting squidGuard?
A. After running 'squid -k reconfigure', check squid's cache.log. You
should not see any errors. You should see squid starting squidGuard
processes, and squid ready to serve requests.

Q. Is squidGuard running?
A. Run 'ps ax | grep squidGuard'.  The number of squidGuard processes
shown should equal the value of redirect_children in squid.conf.

Q. Is squid sending transactions to squidGuard?
A. Edit squid.conf. Find the "debug_options" statement. It probably
reads "debug_options ALL,1". Modify that line to read
"debug_options ALL,1 29,1", and run 'squid -k reconfigure'. Fire up
a browser and visit a few sites, then check squid's cache.log. If squid is calling squidGuard you will see statements like these:


redirectStart: 'http://my.yahoo.com/?myHome'
helperDispatch: Request sent to redirector #1, 52 bytes
helperHandleRead: 1 bytes from redirector #1.
helperHandleRead: end of reply found
redirectHandleRead: {}
redirectStart: 'http://some-other-url'
helperDispatch: Request sent to redirector #1, some# bytes
helperHandleRead: 44 bytes from redirector #1.
helperHandleRead: end of reply found
redirectHandleRead: {http://your-redirect-url}

The first 5 lines pertain to a url that was approved by squidGuard.
The second 5 lines show a url that was redirected by squidGuard.

NOTE: After running your test transactions, be sure to edit squid.conf
and return the debug_options statement to its original value (probably
"debug_options ALL,1"), then run 'squid -k reconfigure'. The cache.log file will quickly become very large if you don't.


Let me know if you have other concerns that I did not address.

Rick








Again, I want to allow unfettered access to all sites except those found in the squid guard database.

By the way, I ran squidguard -d and the syntax checks out so I should be mostly ready to go!

Thanks again to everyone for their help! :)

Rick Matthews wrote:







Matthew Trey wrote:








Pardon me, you are correct.  I never noticed that in the absence of a
redirect in one ACL, squidguard uses the redirect in the default URL.








And in the absence of ANY redirects, squidGuard passes everything.









squidGuard cannot "block".  squidGuard can only "redirect".
squidGuard cannot "block".  squidGuard can only "redirect".
squidGuard cannot "block".  squidGuard can only "redirect".








no reason to be a jerk, once was enough =)








Sorry, sticking keyboard. :)









In light of this correction a redirect rule is needed or your ACL in fact will not work. Thanks for pointing that out Rick =)








Just trying to help. :)

That's also why I included a sample squidGuard.conf file a few
posts back. There are several things in there that will help you
with your squidGuard configuration, testing and debugging. Even
if you ignore everything else in there, I highly recommend that
you add a log statement to each of your destination groups, i.e.:


dest porn {
domainlist      blacklists/porn/domains
urllist         blacklists/porn/urls
redirect        http://yourserver.com/whatever...
log             blocked.log
}

Rick










-----Original Message-----
From: Rick Matthews [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 10:23 PM
To: Matthew Trey; [EMAIL PROTECTED]
Subject: RE: Not blocking


Matthew Trey wrote:









that is true, once squidguard is up and running with this config it
will simply pass nothing, with no notice that anything was blocked.








That statement is incorrect.  Without a redirect statement,
squidGuard will PASS EVERYTHING, NOTHING WILL BE BLOCKED.

squidGuard cannot "block".  squidGuard can only "redirect".
squidGuard cannot "block".  squidGuard can only "redirect".
squidGuard cannot "block".  squidGuard can only "redirect".

The interface between squid and squidGuard is very limited.  Squid
passes the information to squidGuard and waits for an answer from
squidGuard.  squidGuard's response to squid is one of two things:
a blank line (approved), or a new url.  Those are the only two
choices.  Without a redirect statement squidGuard ALWAYS returns
a blank line.









Provided we figure out the lack of rule matching,








Everything will be approved in the absence of redirect statements.

Rick

P.S. squidGuard cannot "block". squidGuard can only "redirect".











-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Trey


Sent: Monday, March 01, 2004 6:05 PM
To: [EMAIL PROTECTED]
Subject: RE: Not blocking




Rick Matthews wrote:










squidGuard won't redirect without a redirect statement.








Yup.

that is true, once squidguard is up and running with this config it will simply pass nothing, with no notice that anything was blocked.  Provided we figure out the lack of rule matching, I do suggest adding a redirect rule, directly below the pass rule pointing to either a simple html file or cgi script, or really anything you want.

this will let the user know the content was blocked rather than getting no info at all.
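Added example, not part of the original thread or of Squid/squidGuard: a small Python check for the advice near the top of the thread (allow only the internal range, end with deny all). The ACL name `internal`, the range 172.16.0.0/12 for "a 172 network" and both sample configs are assumptions constructed for illustration.

```python
def http_access_rules(conf_text):
    """Return [(action, [acl, ...])] for each http_access line, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1].lower(), words[2:]))
    return rules

def open_proxy_findings(conf_text):
    """List the reasons this squid.conf does not follow the thread's advice."""
    rules = http_access_rules(conf_text)
    if not rules:
        return ["no http_access rules; add an allow for the internal "
                "range and a final 'deny all'"]
    findings = []
    if ("allow", ["all"]) in rules:
        findings.append("'http_access allow all' lets any client use the proxy")
    if rules[-1] != ("deny", ["all"]):
        # Squid's fall-through default is the opposite of the last rule,
        # so a list ending in 'allow ...' is easy to misread.
        findings.append("last http_access rule is not 'deny all'")
    return findings

# Constructed from the three lines posted in the thread.
STRIPPED = """\
coredump_dir /var/spool/squid
cache_mem 100 MB
redirect_program /usr/sbin/squidGuard -c /etc/squidGuard.conf
"""

# Constructed corrected version (assumed ACL name and range).
CORRECTED = """\
acl all src 0.0.0.0/0.0.0.0      # needed on Squid 2.x; newer releases predefine 'all'
acl internal src 172.16.0.0/12   # assumed range for the internal network
http_access allow internal
http_access deny all             # must stay the last http_access line
redirect_program /usr/sbin/squidGuard -c /etc/squidGuard.conf
"""

if __name__ == "__main__":
    for name, conf in (("stripped", STRIPPED), ("corrected", CORRECTED)):
        print(name, open_proxy_findings(conf) or "ok")
```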
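Added example, not part of the original thread: a Python reader for the section 29 debug lines quoted above, pairing each redirectStart with the redirector's reply to show which URLs squidGuard approved (empty reply) and which it redirected. The sample log and its hostnames are constructed, and the pairing assumes each request is dispatched to a redirector immediately after its redirectStart line.

```python
import re
from collections import defaultdict, deque

START = re.compile(r"redirectStart: '([^']*)'")
SENT = re.compile(r"helperDispatch: Request sent to redirector #(\d+)")
READ = re.compile(r"helperHandleRead: \d+ bytes from redirector #(\d+)")
REPLY = re.compile(r"redirectHandleRead: \{(.*)\}")

def classify(lines):
    """Return [(url, verdict, new_url)] for each redirector reply in the log."""
    queues = defaultdict(deque)   # redirector number -> URLs awaiting a reply
    started = None                # URL from the latest redirectStart
    reader = None                 # redirector whose reply is being read
    results = []
    for line in lines:
        if m := START.search(line):
            started = m.group(1)
        elif (m := SENT.search(line)) and started is not None:
            queues[m.group(1)].append(started)
            started = None
        elif m := READ.search(line):
            reader = m.group(1)
        elif (m := REPLY.search(line)) and reader is not None and queues[reader]:
            url, new = queues[reader].popleft(), m.group(1)
            results.append((url, "redirected" if new else "approved", new))
    return results

def filtering_active(results):
    """False when nothing was redirected, i.e. every request was passed."""
    return any(verdict == "redirected" for _, verdict, _ in results)

# Constructed sample in the shape of the cache.log excerpt in the thread.
SAMPLE_LOG = """\
redirectStart: 'http://my.yahoo.com/?myHome'
helperDispatch: Request sent to redirector #1, 52 bytes
helperHandleRead: 1 bytes from redirector #1.
helperHandleRead: end of reply found
redirectHandleRead: {}
redirectStart: 'http://blocked.example/page'
helperDispatch: Request sent to redirector #2, 55 bytes
helperHandleRead: 44 bytes from redirector #2.
helperHandleRead: end of reply found
redirectHandleRead: {http://proxy.example/blocked.html}
"""

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG.splitlines()):
        print(row)
```

If `filtering_active` is false after visiting a site that should be on a blacklist, the destination group is most likely missing its redirect statement, as discussed in the thread.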







































