Nethserver Firewall and Squid Guard

Hi all,
I have SquidGuard and the firewall running on my NethServer with a Windows 2008 R2 AD accounts provider. I have tried to block Google Maps and Facebook using the DPI and it still goes through. If I block something using the firewall, does the web proxy then allow it? Does the proxy work hand in hand with the firewall?
How do I block these sites then? I remember that with Zentyal, blocking HTTP/HTTPS traffic using the firewall prevented users from bypassing the proxy. Would this be a similar case here?
Regards,
Shama.

Hi @Harold_Maponde_Shama
If I understand correctly, the firewall / DPI blocks the traffic that crosses NethServer. If you use the proxy, the traffic does not pass through the firewall. The client contacts the proxy and the proxy contacts the destination.


Install pfSense in case of a complex firewall (I'm new to NethServer). Are you referring to a transparent proxy, or one manually configured on the clients?

As vicenzo said, the firewall blocks everything (except mail, ICMP and configured traffic); the proxy "passes" the web traffic and you keep your net under control.

Hi,
If you installed SquidGuard, you can go to the web interface, Web content filter, and add a site to block.

The trouble I have is that I cannot block MIME-type files and the groups don't work. The proxy is set up with authentication from the Windows 2008 R2 server. So all my clients in the school are using the same filter, which is rather frustrating, as I would really want to block certain sites for students but at the same time give our staff access…

Could you post the content of your ufdbguard.conf please? It is at

/etc/ufdbguard/ufdbguard.conf

logdir "/var/log/ufdbguard"
dbhome "/var/squidGuard/blacklists"
squid-version "3.5"
analyse-uncategorised-urls off
upload-crash-reports off
# slow replies when reloading db to decrease the number of passed urls
url-lookup-delay-during-database-reload on

logblock on

# Always strip domain from squid username
strip-domain-from-username on
redirect-https     "blocked.nethserver.org:443"

category "gamble" {
      domainlist /var/squidGuard/blacklists/gamble/domains
}
category "chemistry" {
      domainlist /var/squidGuard/blacklists/science/chemistry/domains
}
category "files" {
      expressionlist /var/squidGuard/blacklists/custom/files/expressions
}
category "pets" {
      domainlist /var/squidGuard/blacklists/hobby/pets/domains
}
category "bikes" {
      domainlist /var/squidGuard/blacklists/automobile/bikes/domains
}
category "aggressive" {
      domainlist /var/squidGuard/blacklists/aggressive/domains
}
category "radiotv" {
      domainlist /var/squidGuard/blacklists/radiotv/domains
}
category "violence" {
      domainlist /var/squidGuard/blacklists/violence/domains
}
category "cars" {
      domainlist /var/squidGuard/blacklists/automobile/cars/domains
}
category "travel" {
      domainlist /var/squidGuard/blacklists/recreation/travel/domains
}
category "martialarts" {
      domainlist /var/squidGuard/blacklists/recreation/martialarts/domains
}
category "webradio" {
      domainlist /var/squidGuard/blacklists/webradio/domains
}
category "wellness" {
      domainlist /var/squidGuard/blacklists/recreation/wellness/domains
}
category "movies" {
      domainlist /var/squidGuard/blacklists/movies/domains
}
category "politics" {
      domainlist /var/squidGuard/blacklists/politics/domains
}
category "military" {
      domainlist /var/squidGuard/blacklists/military/domains
}
category "ringtones" {
      domainlist /var/squidGuard/blacklists/ringtones/domains
}
category "dynamic" {
      domainlist /var/squidGuard/blacklists/dynamic/domains
}
category "astronomy" {
      domainlist /var/squidGuard/blacklists/science/astronomy/domains
}
category "redirector" {
      domainlist /var/squidGuard/blacklists/redirector/domains
}
category "dating" {
      domainlist /var/squidGuard/blacklists/dating/domains
}
category "alcohol" {
      domainlist /var/squidGuard/blacklists/alcohol/domains
}
category "gardening" {
      domainlist /var/squidGuard/blacklists/hobby/gardening/domains
}
category "trading" {
      domainlist /var/squidGuard/blacklists/finance/trading/domains
}
category "hacking" {
      domainlist /var/squidGuard/blacklists/hacking/domains
}
category "adv" {
      domainlist /var/squidGuard/blacklists/adv/domains
}
category "updatesites" {
      domainlist /var/squidGuard/blacklists/updatesites/domains
}
category "tracker" {
      domainlist /var/squidGuard/blacklists/tracker/domains
}
category "humor" {
      domainlist /var/squidGuard/blacklists/recreation/humor/domains
}
category "shopping" {
      domainlist /var/squidGuard/blacklists/shopping/domains
}
category "costtraps" {
      domainlist /var/squidGuard/blacklists/costtraps/domains
}
category "forum" {
      domainlist /var/squidGuard/blacklists/forum/domains
}
category "weapons" {
      domainlist /var/squidGuard/blacklists/weapons/domains
}
category "sports" {
      domainlist /var/squidGuard/blacklists/recreation/sports/domains
}
category "education" {
      domainlist /var/squidGuard/blacklists/sex/education/domains
}
category "webmail" {
      domainlist /var/squidGuard/blacklists/webmail/domains
}
category "moneylending" {
      domainlist /var/squidGuard/blacklists/finance/moneylending/domains
}
category "cooking" {
      domainlist /var/squidGuard/blacklists/hobby/cooking/domains
}
category "hospitals" {
      domainlist /var/squidGuard/blacklists/hospitals/domains
}
category "searchengines" {
      domainlist /var/squidGuard/blacklists/searchengines/domains
}
category "schools" {
      domainlist /var/squidGuard/blacklists/education/schools/domains
}
category "downloads-1" {
      domainlist /var/squidGuard/blacklists/custom/downloads-1/domains
}
category "audio-video" {
      domainlist /var/squidGuard/blacklists/custom/audio-video/domains
}
category "remotecontrol" {
      domainlist /var/squidGuard/blacklists/remotecontrol/domains
}
category "realestate" {
      domainlist /var/squidGuard/blacklists/finance/realestate/domains
}
category "spyware" {
      domainlist /var/squidGuard/blacklists/spyware/domains
category "spyware" {
      domainlist /var/squidGuard/blacklists/spyware/domains
}
category "drugs" {
      domainlist /var/squidGuard/blacklists/drugs/domains
}
category "music" {
      domainlist /var/squidGuard/blacklists/music/domains
}
category "government" {
      domainlist /var/squidGuard/blacklists/government/domains
}
category "downloads" {
      domainlist /var/squidGuard/blacklists/downloads/domains
}
category "models" {
      domainlist /var/squidGuard/blacklists/models/domains
}
category "urlshortener" {
      domainlist /var/squidGuard/blacklists/urlshortener/domains
}
category "builtin" {
      domainlist /var/squidGuard/blacklists/custom/builtin/domains
      expressionlist /var/squidGuard/blacklists/custom/builtin/expressions
}
category "imagehosting" {
      domainlist /var/squidGuard/blacklists/imagehosting/domains
}
category "webphone" {
      domainlist /var/squidGuard/blacklists/webphone/domains
}
category "insurance" {
      domainlist /var/squidGuard/blacklists/finance/insurance/domains
}
category "socialnetworks" {
      domainlist /var/squidGuard/blacklists/custom/socialnetworks/domains
}
category "planes" {
      domainlist /var/squidGuard/blacklists/automobile/planes/domains
}
category "games-online" {
      domainlist /var/squidGuard/blacklists/hobby/games-online/domains
}
category "warez" {
      domainlist /var/squidGuard/blacklists/warez/domains
}
category "other" {
      domainlist /var/squidGuard/blacklists/finance/other/domains
}
category "nh_blacklist" {
      domainlist /var/squidGuard/blacklists/custom/blacklist/domains
}
category "lingerie" {
      domainlist /var/squidGuard/blacklists/sex/lingerie/domains
}
category "homestyle" {
      domainlist /var/squidGuard/blacklists/homestyle/domains
}
category "games-misc" {
      domainlist /var/squidGuard/blacklists/hobby/games-misc/domains
}
category "podcasts" {
      domainlist /var/squidGuard/blacklists/podcasts/domains
}
category "library" {
      domainlist /var/squidGuard/blacklists/library/domains
}
category "jobsearch" {
      domainlist /var/squidGuard/blacklists/jobsearch/domains
}
category "anonvpn" {
      domainlist /var/squidGuard/blacklists/anonvpn/domains
}
category "socialnet" {
      domainlist /var/squidGuard/blacklists/socialnet/domains
}
category "porn" {
      domainlist /var/squidGuard/blacklists/porn/domains
}
category "webtv" {
      domainlist /var/squidGuard/blacklists/webtv/domains
}
category "religion" {
      domainlist /var/squidGuard/blacklists/religion/domains
}
category "fortunetelling" {
      domainlist /var/squidGuard/blacklists/fortunetelling/domains
}
category "chat" {
      domainlist /var/squidGuard/blacklists/chat/domains
}
category "restaurants" {
      domainlist /var/squidGuard/blacklists/recreation/restaurants/domains
}
category "nh_whitelist" {
      domainlist /var/squidGuard/blacklists/custom/whitelist/domains
}
category "banking" {
      domainlist /var/squidGuard/blacklists/finance/banking/domains
}
category "boats" {
      domainlist /var/squidGuard/blacklists/automobile/boats/domains
}
category "news" {
      domainlist /var/squidGuard/blacklists/news/domains
}
category "isp" {
      domainlist /var/squidGuard/blacklists/isp/domains
}

category "security" {
   cacerts        "/var/ufdbguard/blacklists/security/cacerts"
   option         enforce-https-with-hostname off
   option         enforce-https-official-certificate off
   option         allow-skype-over-https on
   option         allow-gtalk-over-https on
   option         allow-yahoomsg-over-https on
   option         allow-aim-over-https on
   option         allow-fb-chat-over-https on
   option         allow-citrixonline-over-https on
   option         allow-anydesk-over-https on
   option         allow-teamviewer-over-https on
   option         allow-unknown-protocol-over-https on
   option         https-prohibit-insecure-sslv2 off
   option         https-prohibit-insecure-sslv3 off
}

src src_all_students {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members all student"
}
src src_dorm {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members dorm"
}
src src_finance {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members finance"
}
src src_heads {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members heads"
}
src src_itprofile {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members it"
}
src src_management {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members management"
}
src src_newitgroup {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members it"
}
src src_office {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members office management"
}
src src_primary_teacher {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members primary teacher"
}
src src_secondary_teacher {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members secondary teacher"
}
src src_teacher_admin {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members teacher administration"
}

time weekdays_students {
    weekly mtwhf 08:00-20:30
}

acl {

    # Profile: all_students
    src_all_students within weekdays_students {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"aggressive"  !"alcohol"  !"anonvpn"  !"audio-video"  !"cars"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"dynamic"  !"fortunetelling"  !"g$
    }
    # Profile: dorm
    src_dorm  {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"audio-video"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"gamble"  !"games-misc"  !"games-online"  !"hacking"  !"lingerie"  !"movies"  !"m$
    }
    # Profile: finance
    src_finance  {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"audio-video"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"gamble"  !"games-misc"  !"games-online"  !"hacking"  !"lingerie"  !"movies"  !"m$
    }
    # Profile: heads
    src_heads  {
        pass !security nh_whitelist  !nh_blacklist  !in-addr  !builtin  !"downloads-1"  !"hacking"  all
    }
    # Profile: itprofile
    src_itprofile  {
        pass !security nh_whitelist  !builtin  all
    }
    # Profile: management
    src_management  {
        pass !security nh_whitelist  !nh_blacklist  !in-addr  !builtin  !"downloads-1"  !"hacking"  all
    }
    # Profile: newitgroup
    src_newitgroup  {
        pass !security nh_whitelist  !builtin  all
    }
    # Profile: office
    src_office  {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"audio-video"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"gamble"  !"games-misc"  !"games-online"  !"hacking"  !"lingerie"  !"movies"  !"m$
    }
    # Profile: primary_teacher
    src_primary_teacher  {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"audio-video"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"gamble"  !"games-misc"  !"games-online"  !"hacking"  !"lingerie"  !"movies"  !"m$
    }
    # Profile: secondary_teacher
    src_secondary_teacher  {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"audio-video"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"gamble"  !"games-misc"  !"games-online"  !"hacking"  !"lingerie"  !"movies"  !"m$
    }
    # Profile: teacher_admin
    src_teacher_admin  {
        pass !security nh_whitelist  !nh_blacklist  !in-addr  !builtin  !"downloads-1"  !"hacking"  all
    }

    default {
        pass !security !nh_blacklist  !in-addr  !files  !builtin  !"adv"  !"aggressive"  !"alcohol"  !"anonvpn"  !"audio-video"  !"cars"  !"chat"  !"costtraps"  !"dating"  !"downloads"  !"downloads-1"  !"dynamic"  !"fortunetelling"  !"g$
        redirect     http://192.168.2.202/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
    }

}

I think your config is ok.

Does the binding work? Do you see your users and groups in the NethServer web interface?

I see all users and groups very well. Binding is OK. But whenever you specify a group to block sites, it does not work; it tends to use the default filter profile.

Sorry, my earlier assessment was wrong: your config has an error.

The first spyware category didn't have a closing bracket, so all following brackets didn't work in the right way.
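A check of the kind described in the reply above, as an added example that is not part of this thread or of NethServer/ufdbGuard: a small Python sanity checker for a squidGuard/ufdbGuard-style configuration. It walks the file once with a block stack, so a category whose closing brace is missing is reported at the point where the next block begins (the spyware case), and it also flags a category or src defined twice, a pass rule that names a category the file never defines, two src blocks that resolve to the same group (with first-match evaluation the second can never win), and a pass rule with no explicit `all`/`none` terminator. The config text embedded below is constructed for the demonstration and deliberately contains each of those faults; the helper path and group names mirror the ones in the thread but are only sample data.

```python
"""Structural sanity check for a squidGuard/ufdbGuard-style config (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: unclosed first "spyware", duplicate "spyware", two src
# blocks on group "it", an undefined category "porn", and a default rule
# with no explicit terminator.
SAMPLE_CONF = """\
category "spyware" {
      domainlist /var/squidGuard/blacklists/spyware/domains
category "spyware" {
      domainlist /var/squidGuard/blacklists/spyware/domains
}
category "hacking" {
      domainlist /var/squidGuard/blacklists/hacking/domains
}
src src_itprofile {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members it"
}
src src_newitgroup {
    execuserlist "/usr/libexec/nethserver/ufdbguard-list-group-members it"
}
acl {
    src_itprofile {
        pass !spyware !hacking all
    }
    src_newitgroup {
        pass !porn all
    }
    default {
        pass !spyware !hacking
    }
}
"""

TOP_HEADER = re.compile(r'^(category|src|time|acl)(?:\s+"?([^"\s{]+)"?)?\s*\{\s*$')
RULE_HEADER = re.compile(r'^(\S+)(?:\s+within\s+(\S+))?\s*\{\s*$')
PASS_LINE = re.compile(r'^pass\s+(.*)$')
EXEC_LINE = re.compile(r'^execuserlist\s+"([^"]*)"')
TERMINATORS = {"all", "any", "none"}
BUILTIN = {"in-addr"}  # squidGuard built-in pseudo-category


@dataclass
class Finding:
    level: str    # "error" or "warning"
    line: int     # 1-based line in the config text
    message: str


def parse(text):
    """One pass over the file: collect definitions and structural findings."""
    findings, categories, srcs, rules, stack = [], {}, {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = TOP_HEADER.match(line)
        if m:
            # A top-level header while a block is still open: the open block
            # lost its closing brace, so report it and resynchronise.
            for kind, name, opened in stack:
                findings.append(Finding("error", opened, f'{kind} "{name}" opened here is '
                                        f'never closed (next block starts at line {lineno})'))
            kind, name = m.group(1), m.group(2)
            stack = [(kind, name or "acl", lineno)]
            table = categories if kind == "category" else srcs if kind == "src" else None
            if table is not None:
                if name in table:
                    first = table[name] if kind == "category" else table[name][0]
                    findings.append(Finding("error", lineno, f'{kind} "{name}" already defined at line {first}'))
                else:
                    table[name] = lineno if kind == "category" else (lineno, None)
            continue
        if line == "}":
            if stack:
                stack.pop()
            else:
                findings.append(Finding("error", lineno, "stray closing brace"))
            continue
        if not stack:
            continue  # global directives (logdir, dbhome, ...) are not checked here
        kind, name, _ = stack[-1]
        if kind == "acl" and RULE_HEADER.match(line):
            rule = RULE_HEADER.match(line).group(1)
            stack.append(("rule", rule, lineno))
            rules.append((rule, lineno, []))
        elif kind == "rule" and PASS_LINE.match(line):
            rules[-1][2].extend(t.strip('"') for t in PASS_LINE.match(line).group(1).split())
        elif kind == "src" and EXEC_LINE.match(line) and name in srcs:
            parts = EXEC_LINE.match(line).group(1).split(None, 1)  # helper path, group name
            srcs[name] = (srcs[name][0], parts[1] if len(parts) == 2 else "")
    for kind, name, opened in stack:
        findings.append(Finding("error", opened, f'{kind} "{name}" is never closed (end of file)'))
    return categories, srcs, rules, findings


def check(text):
    """Return all findings for the config text, sorted by line."""
    categories, srcs, rules, findings = parse(text)
    by_group = {}
    for name, (_, group) in srcs.items():
        by_group.setdefault(group, []).append(name)
    for group, names in by_group.items():
        if group and len(names) > 1:
            findings.append(Finding("warning", srcs[names[1]][0], f'src {" and ".join(names)} resolve to '
                                    f'group "{group}"; with first-match evaluation only the first in acl wins'))
    used = set()
    for src_name, lineno, tokens in rules:
        if src_name != "default":
            used.add(src_name)
            if src_name not in srcs:
                findings.append(Finding("error", lineno, f'acl refers to undefined src "{src_name}"'))
        for tok in tokens:
            cat = tok.lstrip("!")
            if cat not in categories and cat not in BUILTIN and cat not in TERMINATORS:
                findings.append(Finding("error", lineno, f'acl "{src_name}" refers to undefined category "{cat}"'))
        if not tokens or tokens[-1] not in TERMINATORS:
            findings.append(Finding("warning", lineno, f'acl "{src_name}" pass rule has no explicit all/none; '
                                    "make the fall-through explicit instead of relying on a default"))
    for name, (lineno, _) in srcs.items():
        if name not in used:
            findings.append(Finding("warning", lineno, f'src "{name}" is defined but not used in acl'))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in check(SAMPLE_CONF):
        print(f"{f.level:7} line {f.line:3}: {f.message}")
```

Run it against a real `/etc/ufdbguard/ufdbguard.conf` with `check(open(path).read())` before trusting the file; a pasted copy with a wrapped or truncated `pass` line will show up as undefined categories, which is a hint that the paste, not the config, is broken.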

It was obviously omitted during copying. But these categories are specified from the NethServer web GUI. How's that possible?

OK, so the real config has the bracket?

Do you mean that spyware is there two times?

The real config has the bracket. I double-checked, and spyware appears only once, thank you. So it was obviously a copy issue. Would you know why the proxy does not take groups from the remote account provider, Windows Server 2008 R2 Active Directory?
Thanks a lot.

What, for example, is in the dorm list? Are your users listed there?

[root@AMANOSRV03 ~]# /usr/libexec/nethserver/ufdbguard-list-group-members dorm
svenm
wilsonk
jackieh
dormitory
rebeccak
volunteer1
ruthk
claram

I can see the users, not a problem.

OK, can you post the squidGuard.log please?

How do I get there? Sorry, I'm quite new to this.

The file is at

/var/log/squidGuard/squidGuard.log

I have noticed something: some groups, for example finance, don't have members showing and some do. The only working groups are my IT and Management. Seeing that dorm has users, it might actually work as well…