Web Content Filter with more times for a host(group) fails

(Jott-Emm) #1

Hello community!
I have the following problem:
For web content filtering I need 3 groups with at least 10 clients

  • group adult with full web access
  • group youth with restricted web access at 4 times
  • group child with restricted web access at 3 other times

My actual configuration is:

Firewall objects -> Hostgroup

  • adult-fo
  • youth-fo
  • child-fo

Web content filter -> Times

  • time-1 mo, tu, we, th, fr, sa, su 14:00 - 16:00
  • time-2 mo, tu, we, th, fr, sa, su 16:00 - 18:00
  • time-3 mo, tu, we, th, su 20:00 - 22:00
  • time-4 sa, su 08:00 - 12:00
  • time-5 fr, sa 20:00 - 23:30

Web content filter -> Filters

  • adult-fi
  • youth-fi
  • child-fi
  • default

Web content filter -> Profile

  • youth-1: host group youth-fu, filter youth-fi, time time-2
  • youth-2: host group youth-fu, filter youth-fi, time time-3
  • youth-3: host group youth-fu, filter youth-fi, time time-4
  • youth-4: host group youth-fu, filter youth-fi, time time-5
  • child-1: host group child-fu, filter child-fi, time time-1
  • child-2: host group child-fu, filter child-fi, time time-2
  • child-3: host group child-fu, filter child-fi, time time-4

My problem: the group youth-1 only gets access to the first profile, the other profiles will be ignored (default profile will be used).

If I resolved the problem manually, I would make the following change in SquidGuard.conf.

First step:
remove the entries time-1 … time-5 and input the following lines:

    time-youth {
        weekly mtwhfas 16:00-18:00
        weekly mtwhs 20:00-22:00
        weekly as 08:00-12:00
        weekly fa 20:00-23:30
    }

    time-child {
        weekly mtwhfas 14:00-18:00
        weekly as 08:00-12:00
    }

Second step:
modify the acl entries to match the new times.

Unfortunately NethServer overrides this change periodically.
How can this problem be resolved?

(Filippo Carletti) #2

Using your time-youth definition also produces a squidguard.conf that is easier to read.
We’d need a more flexible timeframe editor.

NethServer usually overrides changes to templated config files every time you make a change to the configuration. You could fix changes using templates-custom:

I’d like to open an issue about changing timeframe, so we could have complex configs without templates-custom.

P.S. Ask here if you need help building the template.

(Jott-Emm) #3

Hello @filippo_carletti
Thank you for your answer. Working with custom templates is an alternative which I will try. I would appreciate it if there were a more complex timeframe editor. If I find a way to build a template I will put it here.
Best regards

(Jott-Emm) #4

Thank you for the tip with the custom templates. I will try to explain what I did, but English is not my native language (I am German), so I hope everybody understands it.

That’s the workaround I needed. (First I had to learn a little Perl … :slight_smile: )
First I copied the squidguard template scripts “40times” and “99acl20profiles” to templates-custom.
Then I made the following changes:


    use esmith::ConfigDB;
    my $db = esmith::ConfigDB->open_ro('contentfilter');
    # collected "weekly" lines of the merged child and youth sections
    my (@child, @youth);
    foreach ($db->get_all_by_prop(type => 'time')) {
        # inserted next line to get the name of the time entry
        my $name = $_->key;
        my $days = $_->prop('Days') || '';
        my $start = $_->prop('StartTime') || '*';
        my $end = $_->prop('EndTime') || '*';
        $days =~ s/,//g;
        # now the name is checked for whether it starts with child or youth
        # the first three lines after the if are for other entries
        if ($name !~ /-/) {
            $OUT .= "time ".$_->key." {\n";
            $OUT .= "    weekly $days $start-$end\n";
            $OUT .= "}\n";
        } else {
            # in the time editor, the times have to be named child-xx and youth-xxx
            # we need arrays because the entries may not be in order
            my ($type, $key) = split(/-/, $name);
            if ($type eq 'child') {
                push(@child, " weekly $days $start-$end");
            } elsif ($type eq 'youth') {
                push(@youth, " weekly $days $start-$end");
            } else {
                # these lines had to be repeated for this to work correctly
                $OUT .= "time ".$_->key." {\n";
                $OUT .= "    weekly $days $start-$end\n";
                $OUT .= "}\n";
            }
        }
    }
    # output of the arrays to build the special time entries
    $OUT .= "time child {\n";
    foreach (@child) {
        $OUT .= "$_\n";
    }
    $OUT .= "}\n";

    $OUT .= "time youth {\n";
    foreach (@youth) {
        $OUT .= "$_\n";
    }
    $OUT .= "}\n";

In the next step, the 99acl20profiles was modified.
After line 10 ($time =~ s/time;//g;) I inserted the following lines:

            # inserted by Jott-Emm
            # check whether the time is child-x or youth-x
            if ($time =~ /-/) {
                my ($type,$key) = split(/-/,$time);
                # rename child-x to child or youth-x to youth
                if ($type eq 'child') {
                    $time = "child";
                } elsif ($type eq 'youth') {
                    $time = "youth";
                }
            }
            # End of insert
            # (--> old line 11)
            $time = "within $time";

Now in the time editor I can create times called child-1, child-2 … and youth-1, youth-2 … These times will be merged into one time section called “child” and “youth”. All other times remain the same as before.
In the profile editor it only needs one profile for these time sections with one time (child-1). All other entries remain the same as before.

In squidguard.conf the template script creates time sections called child and youth with more than one “weekly” entry, and in the acl section the profiles are “within child” (or youth). All other entries remain the same as before. And the content filter now does exactly what I want.

Because I am an absolute newbie in Perl, my changes are very simple. In the “40times” three lines are duplicated to work correctly. Does someone have a way to write this differently?
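
An added example, not part of the original post and not NethServer's own template code: a stand-alone Perl sketch of the grouping described above that avoids the three repeated lines by collecting every entry in one hash keyed by section name. The records are constructed sample data standing in for the 'time' entries of the contentfilter database; `%merged`, `section_name` and `time_sections` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample records standing in for the 'time' entries of the
# contentfilter database (key plus the Days, StartTime and EndTime props).
my @records = (
    { key => 'youth-1', Days => 'm,t,w,h,f,a,s', StartTime => '16:00', EndTime => '18:00' },
    { key => 'child-1', Days => 'm,t,w,h,f,a,s', StartTime => '14:00', EndTime => '18:00' },
    { key => 'youth-2', Days => 'm,t,w,h,s',     StartTime => '20:00', EndTime => '22:00' },
    { key => 'child-2', Days => 'a,s',           StartTime => '08:00', EndTime => '12:00' },
    { key => 'office',  Days => 'm,t,w,h,f',     StartTime => '08:00', EndTime => '17:00' },
    { key => 'time-9',  Days => 'a,s',           StartTime => '10:00', EndTime => '11:00' },
);

# Prefixes whose "prefix-N" entries are merged into one time section
# (assumption: only child and youth, as in the post).
my %merged = map { $_ => 1 } qw(child youth);

# Section name for a time entry: "child-2" -> "child"; every other name,
# hyphenated or not, is returned unchanged. The acl fragment needs the
# same mapping before it builds "within $time".
sub section_name {
    my ($name) = @_;
    my ($prefix) = split /-/, $name;
    return (defined $prefix && $merged{$prefix}) ? $prefix : $name;
}

# Build all time sections with one code path for merged and plain entries.
sub time_sections {
    my (@recs) = @_;
    my (%lines, @order);
    foreach my $r (@recs) {
        my $section = section_name($r->{key});
        (my $days = $r->{Days} || '') =~ s/,//g;
        my $start = $r->{StartTime} || '*';
        my $end   = $r->{EndTime}   || '*';
        push @order, $section unless $lines{$section};   # keep first-seen order
        push @{ $lines{$section} }, "    weekly $days $start-$end";
    }
    return join '', map { "time $_ {\n" . join("\n", @{ $lines{$_} }) . "\n}\n" } @order;
}

print time_sections(@records);
```

The entries do not have to arrive in order: each "weekly" line is appended to its section as it is read, and sections are printed in the order they were first seen.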