default block all; allow whitelist

[godfather007]

Hi,

looking into webproxy to whitelist access to windowsupdate.com etc. for certain IP's.

Tried to allocate "*.*, 0.0.0.0/0.0.0.0"  to the blacklist but it only accepts single entries thus far: "meuk.com".

Is it possible through the GUI or should i create squid ACL lists at shell level?


Thanks

[godfather007]

For the record,

i would like to block all and allow *.windowsupdates.com etc.

Thanks

[jrmagots]

I'm looking for an option like these too

[nospam]

Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?

[tomclewes]

I'm also looking for an answer to this and can't find one.

[Amr]

For the "block all" of the question you have three approaches:

1-From the GUI, Go to access control list and add all the TLD you can think of in the blacklist  EX: .com, .net ...etc
you can also add The following Regex expression to block all TLDs :  .[a-zA-Z]+
2-Add "http_access deny all" line in "/usr/local/etc/squid/squid.conf" file after "http_access deny blacklist" (Changes in squid.conf gets overwritten after updates)
3-Write a custom squid acl and put it in pre-auth.


You can reference these posts to see how to use custom ACL :
https://forum.opnsense.org/index.php?topic=16171.msg73968#msg73968
https://forum.opnsense.org/index.php?topic=6516.0

Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?

nospam got a point, fetching windows updates through the proxy is problametic , Creating firewall rules would be easier , and if possible consider a WSUS if you want to save bandwidth.

[juliocbc]

Hello!

Not official plugin (based on squidguard) that can help you with that:

https://wiki.cloudfence.com.br/english/managing-rules (Take a look in the Rule Action).

Hope it helps!