Another squidguard website


Home Documentation Download Blacklists Useful stuff
Installation Basic Configuration Extended Configuration Known Issues  

Extended Configuration of SquidGuard

There are several more options to configure SquidGuard according to your needs.

Not allowing IP adresses Times
Rules based on source IP adresses Logging blocked access tries


  • Not allowing IP adresses

    To make sure that people don't bypass the URL filter by simply using the IP addresses instead of the fully qualified domain names, you can add the   !in-addr   following to your acl:

    Disallowing access to IP addresses
     acl {
            default {
                    pass !in-addr all
                    redirect http://localhost/block.html
            }
     }
    


  • Blocking based on times

    There are two ways to define times and dates where access to websites are allowed or disallowed. The  weekly  directive is used for reoccuring access time, f.e. allowing web access to blocked sites after work.
    Using the  date  directive you can additionally define special days where access may be granted. Wildcards can be used.

    Defining access times
    time afterwork {
      weekly   * 17:00-24:00            # After work
      weekly   fridays 16:00-17:00      # On friday we close earlier
      weekly   saturdays sundays        # Weekend
      date   *.01.01                    # New Year's Day
      date   *.12.24 12:00-24:00        # Christmas Eve
      date   2006.04.14-2006.04.17      # Easter 2006
      date   2006.05.01                 # Maifeiertag
    }
    


    To apply the defined times you can use the qualifiers  within  and  outside , respectively. Now your acl looks like that:

    acl {
    	all within afterwork {
    		pass all
    	}
    	else {
    		pass	!adv !porn !warez all
    	}
    	default {
           		pass	none
           		redirect http://localhost/block.html
            	}
    }
    

    This means that for everyone free access to web sites is possible during the times defines in afterwork. Outsite these times people cannot access whatever is defined in adv, porn and warez.

  • Rules based on source IP adresses

    If you have policies in place granting some people access to more sites than others you have different options how to implement this policy. One way is to define source IP acls. This can only work if your user groups are well separated within your network.
    Assuming that this is the case you can now define the source IP ranges in your squidGuard.conf the following way:

    Defining source IP addresses
    src admins {
    	ip	192.168.2.0-192.168.2.255
    	ip	172.16.12.0/255.255.255.0
    	ip	10.5.3.1/28
    }
    

    You can secify IP addresses directly as well as defining IP ranges using a from-to notation, defining the netmask or use the netmask prefix abbreviation.
    Annotation: If you have many network definitions for a user group you can put that info into a separate file and just tell your squidGuard.conf about the location of the file. In this case you write in your squidGuard.conf:

    src admins {
            iplist      adminlist
    }
    

    SquidGuard will look for a file called adminlist located wherever you pointed your dbhome directive to. Alternatively you can specify an absolute path with your filename. The file itself holds the information in the following style:

    192.168.2.0-192.168.2.255
    172.16.12.0/255.255.255.0
    10.5.3.1/28
    


  • Logging blocked access tries

    It may be of interest who is accessing blocked sites. To track that down you can add a log directive to your src or dest definitions in your squidGuard.conf. If only a file name is given, the file is search in the directory specified in the logdir directive. Alternatively you can specify an absolute path with your logfilename.

    Logging blocked access tries
    dest porn {
    	domainlist porn/domains
    	urllist porn/urls
    	log pornaccesses
    }
    



    Mirko Lorenz - mirko at shalla.de
    26.03.2006