default block all; allow whitelist

[godfather007]

Hi,

looking into webproxy to whitelist access to windowsupdate.com etc. for certain IP's.

Tried to allocate "*.*, 0.0.0.0/0.0.0.0"  to the blacklist but it only accepts single entries thus far: "meuk.com".

Is it possible through the GUI or should i create squid ACL lists at shell level?


Thanks

[godfather007]

For the record,

i would like to block all and allow *.windowsupdates.com etc.

Thanks

[jrmagots]

I'm looking for an option like these too

[nospam]

Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?

[tomclewes]

I'm also looking for an answer to this and can't find one.

[Amr]

For the "block all" of the question you have three approaches:

1-From the GUI, Go to access control list and add all the TLD you can think of in the blacklist  EX: .com, .net ...etc
you can also add The following Regex expression to block all TLDs :  .[a-zA-Z]+
2-Add "http_access deny all" line in "/usr/local/etc/squid/squid.conf" file after "http_access deny blacklist" (Changes in squid.conf gets overwritten after updates)
3-Write a custom squid acl and put it in pre-auth.


You can reference these posts to see how to use custom ACL :
https://forum.opnsense.org/index.php?topic=16171.msg73968#msg73968
https://forum.opnsense.org/index.php?topic=6516.0

Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?

nospam got a point, fetching windows updates through the proxy is problametic , Creating firewall rules would be easier , and if possible consider a WSUS if you want to save bandwidth.

[juliocbc]

Hello!

Not official plugin (based on squidguard) that can help you with that:

https://wiki.cloudfence.com.br/english/managing-rules (Take a look in the Rule Action).

Hope it helps!

[ml35]

Tried to allocate "*.*, 0.0.0.0/0.0.0.0"  to the blacklist but it only accepts single entries thus far: "meuk.com".
Is it possible through the GUI or should i create squid ACL lists at shell level?

This what worked for me in GUI. Came here from web search results looking to do the same (blacklist everything except some):

Put the list of allowed domains into the Whitelist field. If there are multiple, type each one then press enter. Use regex if you need.
Put dot followed by asterisk sign in the Blacklist field then press Enter. It should look like this:

Code: [Select]

.*
The above regex will match everything. in squid conf the whitelist is configured to first allow then the blacklist comes, so you don't need to manually edit the squid conf file.