Differences

This shows you the differences between two versions of the page.

--- pfsense:squid:acls_access_control_lists [2020/03/30 15:45] – peter
+++ pfsense:squid:acls_access_control_lists [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== PFSense - Squid - ACLs (Access Control Lists) ======
-Define who can and who cannot access the proxy.
+See [[Squid:ACLs|Squid ACLs]]
-Access Control Lists (ACL) are lists with rules that are processed sequentially.
-ACLs must be defined before they can be used.
-Some default ACLs, such as **all** and **localhost**, already exist.
-However, the mere definition of an ACL does not mean that it is actually applied.
-This only happens when there is a corresponding **http_access** rule.
-<WRAP important>
-**WARNING:**
-Who can use your proxy server?
-Everyone on your LAN?
-Everyone on the Internet?
-No, you don't want everyone on the Internet to use it.
-Many people have scanners running that will find an open proxy in a hurry, publish it on a list, and before you know it your bandwidth will be soaked up by a thirsty sponge of users intent on questionable or illegal uses.
-So the first thing you do is define the permitted users by setting ACLs (access control lists).
-</WRAP>
 ----
-===== Allowed Subnets =====
+todo
-Add default **192.168.1.0/24**, and any other LAN subnets, such as my IOT subnet of **192.168.70.0/24** and Guest subnet of **172.16.0.0/24**.
-Add any other IP that is allowed to use the proxy, for example, **100.1.2.3**.
 <code>
-acl AllowedHosts src 192.168.1.0/24
+acl manager proto cache_object
-acl AllowedHosts src 192.168.70/0/24
+acl localhost src 127.0.0.1/32 ::1
-acl AllowedHosts src 172.16.0.0/24
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+acl local_respmod src 127.0.0.1/32 type respmod
-acl AllowedHosts src 100.1.2.3
+# ACL Local Network
+#acl localnet src 192.168.1.0/24 # localnet
-#[ black-list and white-list rules will go in here in the next step ]
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
-http_access allow AllowedHosts
+# Only allow cachemgr access from localhost
-http_access deny all
+#http_access allow manager localhost
-</code>
+#http_access deny manager
-The **AllowedHosts** is just a name given to these, but you can call this anything.  This name will be referenced later.
+http_access allow localhost manager
+http_access deny manager
+http_access allow localnet
-----
+http_access allow localhost
-===== Black List Proxy vs Whitelist Proxy =====
-Add additional ACL entries:
-Decide which approach you want to follow:
-  * A **black-listing proxy** blocks offensive web sites.  See black-list examples.
-  * A **white-listing proxy** only allows approved sites.  A white-list has the benefit of blocking virtually everything that is not known to be “good”, but may take longer to configure.  See white-list examples.
-==== Blacklist Proxy Example ====
-Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.
-<code>
-#______[ Black List ]_____________________________________________________
-acl advdom      dstdomain       "/etc/squid/ad.domains"
-acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
-acl adv1exp     url_regex -i    "/etc/squid/ad1.exp"
-acl baddom      dstdomain       "/etc/squid/bad.domains"
-acl baddom      dstdomain       "/etc/squid/proxy.domains"
-acl badexp      url_regex -i    "/etc/squid/bad.exp"
-acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
-acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
-acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
-acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
-acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
-acl offendexp   url_regex -i    "/etc/ffilter/offensive.exp"
-acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
-acl illegal     dstdomain       "/etc/ffilter/illegal.domains"
-# If you have children who have their own computers and for whom
-# you want extra protection, then try this idea:
-acl children    src             "/etc/ffilter/kids.IPs"
-acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
-#
-# On week-days the kids need to stop using the Internet at 10pm,
-# but on Friday and Saturday we let them go until midnight:
-#
-acl curfew time SMTWH   22:00-23:59
-acl curfew time SMTWHF  00:00-7:00
-#______[ White List ]_____________________________________________________
-acl safedom     dstdomain       "/etc/ffilter/safe.domains"
-acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
-acl christdom   dstdomain       "/etc/ffilter/christian.domains"
-acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
-acl schooldom   dstdomain       "/etc/ffilter/school.domains"
-acl employdom   dstdomain       "/etc/ffilter/employ.domains"
-#______[ Rules ]__________________________________________________________
-# 0. 'hardblock' regex and IP matches
-#
-http_access deny hardblock
-# 1. Children's curfew
-#
-http_access allow curfewOK
-http_access deny children curfew
-#http_access deny children gamedom
-# Now block the stage zero regex blocks that are to come before safe regex
-# holes; this is to allow certain parts of a regex to be blocked while the
-# safe.exp match (for example) lets through the rest.  For example, we might
-# have a "safe site" that has ads we want to block.
-#
-http_access deny adv0exp
-http_access deny bad0exp
-http_access deny offendexp
-# Let through safe domains, but not regex
-#
-http_access allow christdom
-http_access allow safedom
-http_access allow schooldom
-http_access allow employdom
-# 3. Block bad domains, but not regex
-#       Thus, the domain files should only contain domains which are TOTALLY bad.
-#   If a domain is only mostly bad, it should go in the regex file instead so
-#   that white-list rules can be applied.
-#       Put another way, any domain in a domain blacklist NEVER gets through, even if
-#   a white-list contains a regex pattern match.
-#
-http_access deny baddom
-http_access deny violentIPs
-http_access deny violentdom
-http_access deny drugdomains
-http_access deny gambledom
-http_access deny deceptive
-http_access deny offensive
-http_access deny illegal
-http_access deny p2p
-# Ads and spam are last because I'd first want to tell people if the domain
-#   were bad for some other reason, and only as a last resort block it merely
-#   because it was spam.
-#
-http_access deny advdom
-http_access deny spamdom
-# 4. Let through safe regex
-#
-http_access allow christexp
-http_access allow safeexp
-# 5. Block bad regex
-#
-http_access deny badexp
-http_access deny violentexp
-http_access deny drugexp
-http_access deny gambleexp
-http_access deny deceptexp
-# Ads and spam expressions are the last to be blocked.
-#
-http_access deny adv1exp
-# 6. Everything else is permitted for those hosts that are allowed.
-#
-http_access allow AllowedHosts
 http_access deny all
-</code>
-----
+icap_access allow local_respmod
+icap_access allow localnet
-==== Whitelist Proxy Example ====
+icap_access deny  all
-Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.
-<code>
-#______[ Black List ]_____________________________________________________
-acl advIPs      dst             "/etc/squid/ad.IPs"
-acl advdom      dstdomain       "/etc/squid/ad.domains"
-acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
-acl baddom      dstdomain       "/etc/squid/bad.domains"
-acl baddom      dstdomain       "/etc/squid/proxy.domains"
-acl bad0exp     url_regex -i    "/etc/squid/bad.exp"
-acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
-acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
-acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
-acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
-acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
-acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
-acl illegal     dstdomain       "/etc/ffilter/illegal.domains"
-# If you have children who have their own computers and for whom
-# you want extra protection, then try this idea:
-acl children    src             "/etc/ffilter/kids.IPs"
-acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
-#
-# On week-days the kids need to stop using the Internet at 10pm,
-# but on Friday and Saturday we let them go until midnight:
-#
-acl curfew time SMTWH   22:00-23:59
-acl curfew time SMTWHF  00:00-7:00
-#______[ White List ]_____________________________________________________
-acl safedom     dstdomain       "/etc/ffilter/safe.domains"
-acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
-acl christdom   dstdomain       "/etc/ffilter/christian.domains"
-acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
-acl schooldom   dstdomain       "/etc/ffilter/school.domains"
-acl employdom   dstdomain       "/etc/ffilter/employ.domains"
-#______[ Rules ]__________________________________________________________
-# 0. 'hardblock' regex and IP matches
-#
-http_access deny hardblock
-# 1. Children's curfew
-#
-http_access allow curfewOK
-http_access deny children curfew
-#http_access deny children gamedom
-# Now block the stage zero regex blocks that are to come before safe regex
-# holes; this is to allow certain parts of a regex to be blocked while the
-# safe.exp match (for example) lets through the rest.  For example, we might
-# have a "safe site" that has ads we want to block.
-#
-http_access deny adv0exp
-http_access deny bad0exp
-# Let through safe domains, but not expressions yet
-#
-http_access allow christdom
-http_access allow safedom
-http_access allow schooldom
-http_access allow employdom
-# 3. Block bad domains (domains which have no desirable content).
-#
-http_access deny baddom
-http_access deny violentdom
-http_access deny drugdomains
-http_access deny gambledom
-http_access deny deceptive
-http_access deny offensive
-http_access deny illegal
-http_access deny p2p
-# Ads and spam are last because I'd first want to tell people if the domain
-#   were bad for some other reason, and only as a last resort block it merely
-#   because it was spam.
-#
-http_access deny advdom
-http_access deny spamdom
-# 4. Let through safe expressions
-#
-http_access allow christexp
-http_access allow safeexp
-# 5. Everything else is denied.  Do NOT put the AllowedHosts ACL in here
-#    or you will defeat the white-list.
-#
-http_access deny all
 </code>
-----
-===== Children's curfew =====
-Include the following into the same **Allowed Subnets** box.  Place the RULES section at the bottom, but remember that RULES are processed top to bottom order until the first one that matches the criteria is met.
-<code>
-# If you have children who have their own computers and for whom
-# you want extra protection, then try this idea:
-#
-acl children    src             "/etc/ffilter/kids.IPs"
-acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
-#
-# On week-days the kids need to stop using the Internet at 10pm,
-# but on Friday and Saturday we let them go until midnight:
-#
-acl curfew time SMTWH   22:00-23:59
-acl curfew time SMTWHF  00:00-7:00
-# RULES:
-#
-# Children's curfew
-#
-http_access allow curfewOK
-http_access deny children curfew
-#http_access deny children gamedom
-</code>
-----
-===== References =====
-https://ispltd.org/server_guides:proxy