URL filter time constraints

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

URL filter time constraints

Post by Tim Hart » March 2nd, 2013, 2:26 pm

Hi - I have 3 different time policies configured for different machines at different times of the day.  The 1st and 2nd in the list work correctly, but the 3rd doesn't.  Are there any known issues?

Screenshot attached.

I'm running 2.13 core 65 arm on a raspberry pi.  Everything else works perfectly.

Thanks

Tim

BeBiMa
Posts: 2823
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: URL filter time constraints

Post by BeBiMa » March 2nd, 2013, 2:34 pm

Is it right that you want to block your whole green net from 0:00 to 17:00 on Saturdays and Sundays?
Unitymedia Cable Internet ( 32MBit )

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

Re: URL filter time constraints

Post by Tim Hart » March 2nd, 2013, 2:46 pm

Hi - this is a url filter policy and the 'harts' group just blocks a few iptv sites I want to limit my kids watching until the evening.  They can still get to all those useful sites they need for their homework.

So the semantics are correct and the top two are effective - just not the 3rd.

Thanks

Tim

BeBiMa
Posts: 2823
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: URL filter time constraints

Post by BeBiMa » March 2nd, 2013, 2:53 pm

Sorry, didn't look at the destination field.  :-[

Nevertheless, could you specify what exactly doesn't function?
Unitymedia Cable Internet ( 32MBit )

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

Re: URL filter time constraints

Post by Tim Hart » March 2nd, 2013, 2:59 pm

On mon-fri, the 1st two policies block sites as expected.

Today (the 1st weekend I've had ipfire running), the 3rd policy doesn't appear to be active - it is not being applied when I compare urlfilter vs proxy logs.

It is as if the code is applying only n-1 of the list.

Thanks for the prompt replies.

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: URL filter time constraints

Post by Jan_B » March 2nd, 2013, 7:23 pm

I guess you restarted the Proxy after applying these policies?

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

Re: URL filter time constraints

Post by Tim Hart » March 2nd, 2013, 7:38 pm

Yes, rebooted to be sure.  I'll try a 4th later to see if the 3rd becomes effective tomorrow.  Authorised change windows restricted of course as per any house with teenagers I suspect.

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: URL filter time constraints

Post by Jan_B » March 2nd, 2013, 7:52 pm

Maybe I got it.
Your range where the policy should be applied is set to
192.168.0.1/24

But if you mean the whole 192.168.0.1 - 255 network, then it should be 192.168.0.0/24

Please try this and report back.



Also if Alana has the static IP-address 192.168.0.64 then you can modify the source match rule to 192.168.0.64/32 instead of /29.
Same would fit for Dominic.
Last edited by Jan_B on March 2nd, 2013, 8:00 pm, edited 1 time in total.

BeBiMa
Posts: 2823
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: URL filter time constraints

Post by BeBiMa » March 2nd, 2013, 8:15 pm

The settings should go to /var/ipfire/urlfilter/squidGuard.conf.
Can you find them there?
Unitymedia Cable Internet ( 32MBit )

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

Re: URL filter time constraints

Post by Tim Hart » March 2nd, 2013, 8:50 pm

Hi, I've changed the netmask as suggested, thanks, and yes, I can see the config in squidguard.conf. Will report back tomorrow to confirm success.  I'm using a /29 as they both have a couple of devices - laptop and phone.  Ok, /30 would have been ok, but I have expansion room if necessary.  They are hard coded dhcp entries.

I only block direct http/https for their subsets, forcing them to use the proxy.  Other machines, picking up a dhcp address lower down the subnet have direct routed access. I've hung the pi off my main broadband router, creating a 2ndary LAN with a wap just used by the kids.  I did this for performance reasons, but the pi seems surprisingly fast.

Many thanks for the help.

Tim

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

Re: URL filter time constraints

Post by Tim Hart » March 3rd, 2013, 11:23 am

Testing update:

The time constraint appears to be created incorrectly in squidGuard.conf.

After restarting last night, you can see the SS is missed out for constraint no. 3:


src network-1 {
    ip 192.168.0.64/29
}

src network-2 {
    ip 192.168.0.80/29
}

src network-3 {
    ip 192.168.0.0/24
}

time constraint-1 {
    weekly mtwhf 00:00-20:00
}

time constraint-2 {
    weekly mtwhf 00:00-19:00
}

time constraint-3 {
    weekly as 00:00-17:00
}

I then added a 4th test constraint and restarted - the day inserted ok for 4th, but still missing for 3rd:

src network-1 {
    ip 192.168.0.64/29
}

src network-2 {
    ip 192.168.0.80/29
}

src network-3 {
    ip 192.168.0.0/24
}

src network-4 {
    ip 192.168.0.200/32
}

time constraint-1 {
    weekly mtwhf 00:00-20:00
}

time constraint-2 {
    weekly mtwhf 00:00-19:00
}

time constraint-3 {
    weekly as 00:00-17:00
}

time constraint-4 {
    weekly f 00:00-24:00
}

Then I deleted the 3rd, added it again (so it is now the 4th) and restarted, but still no days:
src network-1 {
    ip 192.168.0.64/29
}

src network-2 {
    ip 192.168.0.80/29
}

src network-3 {
    ip 192.168.0.200/32
}

src network-4 {
    ip 192.168.0.0/24
}

time constraint-1 {
    weekly mtwhf 00:00-20:00
}

time constraint-2 {
    weekly mtwhf 00:00-19:00
}

time constraint-3 {
    weekly f 00:00-24:00
}

time constraint-4 {
    weekly as 00:00-17:00
}

Screenshot shows the GUI to match this config.

So to me, this looks like an issue with the way the input from the GUI is parsed before the conf file is written when just weekends are selected?

Next I edited the 3rd constraint and added sat and sun - the day was changed to fas successfully in the conf.

Thanks

Tim

BeBiMa
Posts: 2823
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: URL filter time constraints

Post by BeBiMa » March 3rd, 2013, 1:22 pm

All constraints are there!
Tim Hart wrote:
time constraint-1 {
    weekly mtwhf 00:00-20:00
}

time constraint-2 {
    weekly mtwhf 00:00-19:00
}

time constraint-3 {
    weekly as 00:00-17:00
}


mtwhf means Monday, Tuesday, Wednesday, Thursday, Friday
as means Saturday, Sunday

But these are only the definitions. At the end of the file there should be the rules like

acl {
    unfiltered {
        pass all
    }

    network-1 outside constraint-1 {
        pass none
    }

    default {
        pass custom-allowed !ads !aggressive !alcohol !costtraps !dating !drugs !gambling !hacking !military !models !porn !recreation_martialarts !remoteco
        redirect http://reset.ch/
    }
}

Of interest are the rules combining network-x with constraint-y.
Unitymedia Cable Internet ( 32MBit )
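
Added example, not part of the thread or of IPFire's code: a small Python check that decodes the `weekly` day letters discussed above (squidGuard uses s, m, t, w, h, f, a for Sunday through Saturday), tests whether a given moment falls inside a constraint, and flags `src` entries like the 192.168.0.1/24 mentioned earlier. The function names and the sample config are constructed for illustration; only CIDR or single-address `ip` entries are handled, not ranges.

```python
import ipaddress
import re
# squidGuard weekly day letters, ordered to match datetime.weekday() (Mon = 0).
DAY_LETTERS = "mtwhfas"
BLOCK = re.compile(r"^(src|time)\s+(\S+)\s*\{(.*?)\}", re.S | re.M)
WEEKLY = re.compile(r"weekly\s+([smtwhfa]+)\s+(\d\d):(\d\d)-(\d\d):(\d\d)")
# Constructed sample built from values quoted in the thread.
SAMPLE = """\
src network-1 {
    ip 192.168.0.64/29
}
src network-3 {
    ip 192.168.0.1/24
}
time constraint-1 {
    weekly mtwhf 00:00-20:00
}
time constraint-3 {
    weekly as 00:00-17:00
}
"""

def parse(conf):
    """Return (sources, constraints) parsed from the src and time blocks."""
    sources, constraints = {}, {}
    for kind, name, body in BLOCK.findall(conf):
        if kind == "src":
            sources[name] = re.findall(r"^\s*ip\s+(\S+)", body, re.M)
            continue
        constraints[name] = [
            ({DAY_LETTERS.index(c) for c in d}, int(h1) * 60 + int(m1), int(h2) * 60 + int(m2))
            for d, h1, m1, h2, m2 in WEEKLY.findall(body)]
    return sources, constraints

def is_within(constraint, when):
    """True if datetime `when` falls in any weekly rule (end exclusive, so 24:00 works)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and lo <= minute < hi for days, lo, hi in constraint)

def cidr_findings(sources):
    """Flag entries with host bits set and networks overlapping an earlier source."""
    findings, seen = [], []
    for name, entries in sources.items():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if net.network_address != ipaddress.ip_interface(entry).ip:
                findings.append(f"{name}: {entry} has host bits set; network is {net}")
            findings += [f"{name}: {net} overlaps {o} ({n})" for o, n in seen if o != name and net.overlaps(n)]
            seen.append((name, net))
    return findings
```

Run `parse()` on the contents of /var/ipfire/urlfilter/squidGuard.conf and pass a `datetime` to `is_within()` to see which constraints are active at that moment; an overlap finding only marks sources worth comparing against the acl section by hand.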

Tim Hart
Posts: 7
Joined: February 25th, 2013, 10:14 pm

Re: URL filter time constraints

Post by Tim Hart » March 3rd, 2013, 2:10 pm

Ah yes - got confused with the 'as'.

The mappings are there, with the harts group referenced for 1, 2 and 4.

How are the acls combined?  Is the problem that my one network is a subnet of another?

acl {
    network-1 within constraint-1 {
        pass !harts !ads !aggressive !drugs !finance_trading !gambling !hacking !porn !proxy !violence !warez !custom-expressions any
    }

    network-2 within constraint-2 {
        pass !harts !ads !aggressive !drugs !finance_trading !gambling !hacking !porn !proxy !violence !warez !custom-expressions any
    }

    network-3 within constraint-3 {
        pass !ads !aggressive !drugs !finance_trading !gambling !hacking !porn !proxy !violence !warez !custom-expressions any
    }

    network-4 within constraint-4 {
        pass !harts !ads !aggressive !drugs !finance_trading !gambling !hacking !porn !proxy !violence !warez !custom-expressions any
    }

    default {
        pass !ads !aggressive !drugs !finance_trading !gambling !hacking !porn !proxy !violence !warez !custom-expressions any
        redirect http://192.168.0.1:81/redirect.cgi
    }
