On Wed, 2004-03-31 at 23:03, Rick Matthews wrote:
> Mike Rambo wrote:
> >
> > We're trying to prevent students from bypassing our filter by using
> > ip addresses instead of urls. It is quite unpleasant to go through
> > and put in an ip address for every url we want to block. I've found
> > a reference in the docs for using !in-addr in the ACLs to enforce
> > the use of urls instead of ip addresses but it isn't working.
> <snip>
>
> It works here. Let's see what could be wrong.
>
> > Here are the relevant sections of squidGuard.conf (possibly
> > line-wrapped in a nasty manner).
> >
> > dest ipaddress {
> > log local-block
> > expressionlist ipaddress/expressions
> > redirect
> > 302:http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a\
> > &clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
> > }
> >
> > acl {
> > default {
> > pass !local-block local-ok !in-addr !ipaddress !aggressive \
> > !drugs !gambling !hacking !porn !proxy !violence !warez all
> > }
> > }
>
> I can see you're a belt AND suspenders kind of guy! :)
>
> When you use !in-addr you don't need a destination group of ip
> addresses, and you don't need the ip address expressionlist.
>
Not really. The only reason both !in-addr and !ipaddress were there was
to show how I was trying to use them. I had tried !in-addr, had no luck,
removed it, then tried the regex expression route. I just pasted
!in-addr back in the list to show how I had tried to use it. Sorry about
the confusion.

> I don't like using the default acl for my users. I'd much rather
> identify my users and deal with them as a source group(s), and leave
> the default acl for the people I don't know. That always seems to
> work better.
>
I'm not working on a production box. It's just a test bed that only I
use. I don't mind being default in that case ;-). On our production
boxes we have acls pretty much as you've described.

> I also think that it's much better for your users if you do not use
> the 302: in your redirects. The process is much more intuitive for
> them without the 302:.
>
Done.
<snip>
> Try those suggestions and let me know how it goes.
>
> Rick

When I saw your config suggestion I had actually thought I'd seen where
my error was. But I was wrong. It still doesn't work for me. I had at
first thought that the failure was because I had no redirect active in
the acl itself which caused matches for !in-addr to have nowhere to
redirect. I have put the redirects up in the dest blocks because I need
a different redirect for banner ad blocking.

I'll paste the entire .conf file this time instead of only small parts.

dbhome /var/squidGuard
logdir /var/log/squidGuard
dest ads {
log ads
domainlist blacklists/ads/domains
urllist blacklists/ads/urls
redirect http://10.8.16.7/1x1.gif
}
dest audio-video {
log audio-video
domainlist blacklists/audio-video/domains
urllist blacklists/audio-video/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest aggressive {
log aggressive
domainlist blacklists/aggressive/domains
urllist blacklists/aggressive/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest drugs {
log drugs
domainlist blacklists/drugs/domains
urllist blacklists/drugs/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest forums {
log forums
domainlist blacklists/forums/domains
urllist blacklists/forums/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest gambling {
log gambling
domainlist blacklists/gambling/domains
urllist blacklists/gambling/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest hacking {
log hacking
domainlist blacklists/hacking/domains
urllist blacklists/hacking/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest mail {
log mail
domainlist blacklists/mail/domains
urllist blacklists/mail/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest porn {
log porn
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest proxy {
log proxy
domainlist blacklists/proxy/domains
urllist blacklists/proxy/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest violence {
log violence
domainlist blacklists/violence/domains
urllist blacklists/violence/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest warez {
log warez
domainlist blacklists/warez/domains
urllist blacklists/warez/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest local-ok {
domainlist blacklists/local-ok/domains
urllist blacklists/local-ok/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
dest local-block {
log local-block
domainlist blacklists/local-block/domains
urllist blacklists/local-block/urls
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
rewrite search_engines {
[EMAIL PROTECTED]://[EMAIL PROTECTED]://[EMAIL PROTECTED]
[EMAIL PROTECTED]://images.google.com/[EMAIL PROTECTED]://www.google.com/[EMAIL PROTECTED]
}
acl {
default {
rewrite search_engines
pass !local-block local-ok !in-addr !aggressive !drugs
!gambling !hacking !porn !proxy !violence !warez all
redirect
http://10.8.16.7/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i
&srcclass=%s&targetgroup=%t&url=%u
}
}
Thanks.
Mike
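
An independent check for the problem discussed in this thread, added here as an example and not part of the original messages: it lists requests in a Squid access log whose host is an IP address rather than a name, so you can see whether such requests are still getting through the filter. It assumes Squid's native access.log layout; the sample lines and function names are constructed, the redirect server 10.8.16.7 from the config above is exempted, and it does not reproduce squidGuard's own in-addr matching.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1080792180.101 120 10.8.20.31 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1080792181.440 95 10.8.20.31 TCP_MISS/200 20480 GET http://198.51.100.25/games/ - DIRECT/198.51.100.25 text/html
1080792183.009 310 10.8.20.44 TCP_MISS/200 812 CONNECT 203.0.113.9:443 - DIRECT/203.0.113.9 -
1080792184.700 14 10.8.20.44 TCP_MISS/200 43 GET http://10.8.16.7/1x1.gif - DIRECT/10.8.16.7 image/gif
"""

# Hosts that are legitimately addressed by IP (here: the redirect/block-page server).
ALLOWED_HOSTS = {"10.8.16.7"}

def host_of(url):
    """Return the host part of a logged URL, or None if it cannot be parsed."""
    if "://" not in url:          # CONNECT entries are logged as host:port
        url = "//" + url
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a DNS name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ip_literal_requests(log_text, allowed=ALLOWED_HOSTS):
    """Return (client, method, host) for each request made to a bare IP address."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:       # skip truncated or foreign lines
            continue
        client, method, url = fields[2], fields[5], fields[6]
        host = host_of(url)
        if is_ip_literal(host) and host not in allowed:
            hits.append((client, method, host))
    return hits

if __name__ == "__main__":
    for client, method, host in ip_literal_requests(SAMPLE_LOG):
        print(f"{client} {method} {host}")
```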