Configuring the SquidGuard Package

Danger

The add-on packages Squid, SquidGuard and Lightsquid are deprecated in pfSense Plus and pfSense CE software due to a large number of unfixed upstream security vulnerabilities. Netgate STRONGLY recommends that users uninstall these packages. The packages will no longer function in the next major release of pfSense Plus and pfSense CE software.

squidGuard is a URL redirector used to integrate blacklists with the Squid proxy software. There are two big advantages to squidGuard: it is fast and it is free. squidGuard is published under the GNU Public License.

squidGuard can be used to:

  • Limit the web access for some users to a list of accepted/well known web servers and/or URLs only.

  • Block access to some listed or blacklisted web servers and/or URLs for some users.

  • Block access to URLs matching a list of regular expressions or words for some users.

  • Enforce the use of domain names/prohibit the use of IP addresses in URLs.

  • Redirect blocked URLs to an info page.

  • Redirect banners to an empty GIF.

  • Have different access rules based on time of day, day of the week, date etc.

Installing Squid and squidGuard

  1. From the pfSense® webGUI, navigate to System > Packages, Available Packages tab

  2. Install the Squid package if it is not already installed.

  3. Install the squidGuard package

  4. Configure Squid package.

  5. Configure squidGuard package.

Configure the squidGuard Package

Basic configuration

This section describes how to enable and configure squidGuard and how to set up the access rules that apply to all users (the Common ACL).

  1. Open General settings tab.

    1. Check the Enable box to activate the package.

    2. Set Blacklist options to use blacklist categories. (See the Blacklist section below; optional.)

    3. Click Save button.

  2. Open Common ACL page.

    1. Click Target Rules List to show defined blacklists and target categories

      1. Define default user access: select Default access [all] as allow or deny.

      2. Define other category actions:

        1. Select the empty option to ignore a category.

        2. Select allow, to allow this category for clients.

        3. Select deny, to deny this category for clients.

        4. Select white, to allow this category without any restrictions. This option is used for exceptions to prohibited categories.

      3. To prohibit clients from using IP addresses in URLs, check Do Not Allow IP Addresses in URL.

      4. Select Redirect mode:

        1. Int error page: Use the built-in error page. A custom message may be entered in the Redirect info box below.

        2. Int blank page: Redirect to a blank page

        3. The other options are various redirects to external error pages, and a URL must be entered in the Redirect info box if they are chosen.

      5. Use safe search engine: Protect customers from unwanted search results. It is supported by Google, Yandex, Yahoo, MSN, Live Search. Make sure that these search engines are available. If this protection should be strictly enforced, disable access to all other search engines.

  3. After settings are complete, return to the General Settings tab and press Apply.

Blacklist

Blacklists are optional, but often useful for allowing access to certain types of sites.

squidGuard comes with a small blacklist intended for testing purposes only. It should not be used in production. A better approach is to start with one of the blacklist collections recommended by squidGuard.

Downloading blacklists:

  1. Open General Settings tab in squidGuard package GUI, found at Services > Proxy Filter.

  2. Check Blacklist to enable the use of blacklists.

  3. Enter blacklist URL in the field Blacklist URL.

  4. If the firewall is itself behind a proxy, enter the proxy information in Blacklist proxy (this step is not necessary for most people).

  5. Click Save.

  6. Navigate to the Blacklist tab inside of squidGuard.

  7. Click the Download button.

  8. Wait while the blacklist is downloaded and prepared for use (10-35 minutes). Progress will be displayed on that page as the list is downloaded and processed.

How-Tos

Exclude domain/URL from blacklist

In the squidGuard GUI (Services > Proxy Filter):

  1. Open the Target categories page

  2. Click the plus (add) icon to add a new item.

  3. Enter a name for the category - myWhitelist for example.

  4. Add domains and/or URLs to the lists as needed. Entries should be separated by a space. The examples on the page show how entries should be formatted.

  5. As with the Common ACL discussed previously, redirect and logging options specific to this category may be set.

  6. Click Save.

  7. Open Common ACL or Groups ACL page (whichever should have an exclusion).

  8. Click Target Rule List to expand the list of categories. The newly created category should show alphabetically in the list, above any blacklist categories. Find the myWhitelist entry in the list and select white.

  9. Click Save.

  10. Return to the General Settings tab and press Apply.
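The following is an added example, not part of the pfSense documentation or the squidGuard package, that models how the Common ACL actions described in the Basic configuration section (the empty option, allow, deny, white and Default access [all]) combine with a custom exception category like the myWhitelist created above. The category names, domains and URLs are constructed for illustration. Two points are assumptions about squidGuard rather than statements on this page: that a domain entry also matches all of its subdomains, and that a URL entry matches that path and everything beneath it; the evaluation order (white exceptions first, then allow/deny, then the default) is likewise this model's assumption.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Category:
    """One Target Category as it appears in the Target Rules List."""
    name: str
    action: str                                  # "white", "allow", "deny" or "" (ignored)
    domains: set = field(default_factory=set)    # domain-list entries
    urls: set = field(default_factory=set)       # url-list entries: host/path, no scheme

    def matches(self, url: str) -> bool:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        # Assumption modelled here: a domain entry matches the host itself and every subdomain.
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return True
        # Assumption modelled here: a URL entry matches that path and everything beneath it.
        target = host + parts.path
        return any(target == u or target.startswith(u.rstrip("/") + "/") for u in self.urls)


def decide(url: str, categories: list, default_access: str = "allow") -> tuple:
    """Return (decision, category_name) for one request.

    Evaluation order assumed here: 'white' categories first (so an exception wins over a
    prohibited category), then allow/deny categories in list order, then Default access [all].
    Categories whose action is empty are ignored entirely.
    """
    ordered = [c for c in categories if c.action == "white"] + \
              [c for c in categories if c.action in ("allow", "deny")]
    for cat in ordered:
        if cat.matches(url):
            return ("allow" if cat.action in ("white", "allow") else "deny", cat.name)
    return (default_access, "default")


# Constructed sample configuration (not from the page): a prohibited "ads" category and a
# myWhitelist category that carves out one subdomain and one URL subtree as exceptions.
SAMPLE_CATEGORIES = [
    Category("ads", "deny", domains={"ads.example.net", "files.example.org"}),
    Category("myWhitelist", "white", domains={"safe.ads.example.net"},
             urls={"files.example.org/public"}),
    Category("ignored", "", domains={"example.com"}),
]


def demo() -> dict:
    """Evaluate a handful of constructed request URLs against SAMPLE_CATEGORIES."""
    urls = [
        "http://safe.ads.example.net/banner.gif",    # white exception beats the deny
        "http://other.ads.example.net/banner.gif",   # subdomain of a denied domain
        "http://files.example.org/public/doc.pdf",   # whitelisted URL subtree
        "http://files.example.org/private/doc.pdf",  # rest of the denied domain
        "http://www.example.com/",                   # only in an ignored category -> default
    ]
    return {u: decide(u, SAMPLE_CATEGORIES) for u in urls}


if __name__ == "__main__":
    for url, (decision, why) in demo().items():
        print(f"{decision:5} {url}  ({why})")
```

The useful check when building an exception is the third and fourth URLs: a URL-list entry only exempts the subtree it names, so the rest of a denied domain stays blocked, while a domain-list entry exempts the whole host and everything below it.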

Block download by Extension

In the squidGuard GUI (Services > Proxy Filter):

  1. Open the Target categories page.

  2. Click the plus (add) icon to add a new item.

  3. Enter a name for the category - myBlockExt for example.

  4. Add Expressions (for example, to match asf, zip, exe and similar file types):

    (.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))
    
  5. Click Save.

  6. Open Common ACL or Groups ACL page (whichever should have an exclusion).

  7. Click Target Rule List to expand the list of categories. The newly created category should show alphabetically in the list, above any blacklist categories. Find the myBlockExt entry in the list and select deny.

  8. Click Save.

  9. Return to the General Settings tab and press Apply.
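The following is an added example, not part of the pfSense documentation or the squidGuard package, that runs the expression from step 4 above against constructed sample URLs to show what it does and does not match. Because the expression is unanchored, `\.exe` also matches inside `.executive`, and `mp.` and `wm.` are wildcards (they match `.mp4` or `.wmx`, for instance). The `TIGHTENED_EXPRESSION` is a suggested variant, not from the page, that requires the extension to end the path (optionally followed by a query string); it also drops the duplicated `mp3` alternative. Case-insensitive matching is an assumption of this script and should be checked against the squidGuard build in use.

```python
import re

# The expression from the "Block download by Extension" how-to, copied verbatim.
PAGE_EXPRESSION = (
    r"(.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))"
)

# Suggested variant (assumption, not from the page): the extension must end the path, optionally
# followed by a query string, so ".executive" or ".zipper" no longer match.
TIGHTENED_EXPRESSION = (
    r"\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|wm.|vpu)(\?.*)?$"
)


def matches(expression: str, url: str) -> bool:
    """True if the expression matches anywhere in the URL (unanchored, like an expression list).

    Case-insensitive matching is an assumption here; verify the flags of the squidGuard build.
    """
    return re.search(expression, url, re.IGNORECASE) is not None


# Constructed sample URLs (not from the page).
SAMPLE_URLS = [
    "http://downloads.example.com/tools/setup.exe",      # plain download: both match
    "http://downloads.example.com/media/clip.MP4",       # "mp." wildcard + case-insensitive
    "http://www.example.com/download.exe?token=abc",     # extension followed by a query string
    "http://www.example.com/reports/notes.executive",    # false positive for the page expression
    "http://www.example.com/index.html",                 # neither matches
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (page_expression_matches, tightened_expression_matches)."""
    return {u: (matches(PAGE_EXPRESSION, u), matches(TIGHTENED_EXPRESSION, u)) for u in urls}


if __name__ == "__main__":
    print(f"{'page':>5} {'tight':>5}  url")
    for url, (page_hit, tight_hit) in compare().items():
        print(f"{str(page_hit):>5} {str(tight_hit):>5}  {url}")
```

Running a candidate expression over a list of URLs like this before saving it in the Target category is a cheap way to catch over-blocking (the `.executive` case) and under-blocking (a download served with a query string) without waiting for user reports.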

Troubleshooting

Netflix

If Netflix will not load while squidGuard is active, it is likely because Netflix requires accessing URLs by IP address. Ensure that ACLs matching clients allowed to reach Netflix have Do Not Allow IP Addresses in URL unchecked.

Service Does Not Start

If the squidGuard service will not start, there are a few possible explanations:

  • On all versions of Squid, if only blacklists have been configured, then at startup some important files/directories may not be set properly.

    • Add at least one Custom Target Category with a site to pass or block and use it along with the blacklist entries to work around the problem.

  • On Squid 3.x, the squidGuard service will only start when traffic requires it to run, so it can appear to be stopped even when working properly.

    • Only worry about the service if it appears to not work, don’t count on the service status alone.

Known issues

See also

The pfSense software issue tracker contains a list of known issues with this package.

Package Support

This package is currently supported by Netgate TAC to those with an active support subscription.