EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: gunemalli on Monday 07 September 2009, 05:31:46 pm



Title: [proxy]How to block all URLs except the ones i specify?
Post by: gunemalli on Monday 07 September 2009, 05:31:46 pm
Hi all,

This is my first post here.

I run EFW at a small company. I want to block all outgoing URLs except the company's website and their webmail service. I.e., the following URLs must be allowed and everything else must be blocked.

samanala.net, chameleonlk.com and mail.google.com/a/samanala.net

How can I do it?

PS: also for 2 machines this rule should be ignored.

Thanks & regards,

Gayan


Title: Re: [proxy]How to block all URLs except the ones i specify?
Post by: haiau on Tuesday 08 September 2009, 11:40:43 am
I'm Vietnamese; first, sorry for my bad English.

1. You use "Squid Custom ACLs" - http://alumnus.caltech.edu/~igormt/endian/extras.html
    and more: http://efwsupport.com/index.php?topic=428.0

2. Custom ACLs:
        #--- Define your custom services ---
          acl services_custom_only url_regex "/var/efw/proxy/acls/services_custom_only.acl"

        #--- Define the users the rule applies to (change to your IPs) ---
          acl users_apply src 192.168.1.0/24
          acl users_apply src 172.16.0.1-172.16.0.100

3. Custom Rules:
        #--- Allow only your custom services ---
           deny_info ERR_SERVICES_CUSTOM_ONLY services_custom_only
           http_access deny users_apply !services_custom_only

PS:
1. Create a new file in Notepad and save it as: services_custom_only.acl
# --- Your custom-defined content goes here ---

sama.net
chameleonlk.com
mail.google.com/a/sama.net

# --- End of your custom-defined content ---

2. deny_info ERR_SERVICES_CUSTOM_ONLY services_custom_only: your own defined error page. For more info on Squid error pages, check /usr/share/squid/errors/English/ and http://efwsupport.com/index.php?topic=553.0

3. If you want to allow access to all of Gmail, you can set:
# --- Your custom-defined content goes here ---

sama.net
chameleonlk.com
mail.google.com/a/sama.net
gmail.com
gmail.google.com
mail.google.com

# --- End of your custom-defined content ---


### Luck for you ###
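
Added example, not part of the original posts: Squid's url_regex ACL treats every line of the file as an unanchored regular expression, so the entries above match anywhere in the URL and each "." matches any character. The Python sketch below approximates that matching with re.search to audit the list; the anchored patterns and the sample URLs are assumptions constructed for illustration.

```python
import re

# Patterns exactly as listed in services_custom_only.acl in the post above.
THREAD_PATTERNS = ["sama.net", "chameleonlk.com", "mail.google.com/a/sama.net"]

# Tightened variants (assumption, not from the thread): scheme and host are
# anchored, dots are escaped, and the host must end at ':port', '/' or end.
ANCHORED_PATTERNS = [
    r"^https?://([^/:@]+\.)?sama\.net(:[0-9]+)?(/|$)",
    r"^https?://([^/:@]+\.)?chameleonlk\.com(:[0-9]+)?(/|$)",
    r"^https?://mail\.google\.com(:[0-9]+)?/a/sama\.net(/|$)",
]

# Constructed sample requests; none of these come from the thread.
SAMPLE_URLS = [
    "http://sama.net/",
    "http://www.chameleonlk.com/index.html",
    "http://mail.google.com/a/sama.net/",
    "http://unrelated.example/page?ref=sama.net",  # allowed name only in query
    "http://samaXnet.example/",                    # '.' matches any character
    "http://notsama.net/",                         # pattern matches mid-host
    # Assumption: for CONNECT (HTTPS via the proxy) the ACL sees host:port only.
    "mail.google.com:443",
]


def is_allowed(url, patterns):
    """True if any pattern matches anywhere in the URL (url_regex semantics)."""
    return any(re.search(p, url) for p in patterns)


def audit(urls, patterns):
    """Return the URLs that the pattern list would let through."""
    return [u for u in urls if is_allowed(u, patterns)]


def unintended(urls, loose, strict):
    """URLs the loose list allows but the strict list rejects."""
    return [u for u in audit(urls, loose) if not is_allowed(u, strict)]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:45} thread={is_allowed(url, THREAD_PATTERNS)!s:5} "
              f"anchored={is_allowed(url, ANCHORED_PATTERNS)}")
    print("allowed only by the loose list:",
          unintended(SAMPLE_URLS, THREAD_PATTERNS, ANCHORED_PATTERNS))
```

The anchored patterns use only constructs that are also valid POSIX extended regular expressions. A path-based entry such as mail.google.com/a/sama.net cannot match a request for which the proxy only sees host:port.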


Title: Re: [proxy]How to block all URLs except the ones i specify?
Post by: gunemalli on Tuesday 08 September 2009, 06:01:24 pm
Hello,

Thanks very much for the help. It solved my main issue. But now everyone inside the firewall is restricted to the above mentioned sites only.

I want to have 2 IPs or MACs to have unrestricted access to the internet.

Now how can I do that?


Title: Re: [proxy]How to block all URLs except the ones i specify?
Post by: haiau on Tuesday 08 September 2009, 06:09:30 pm
Hello,


Quote from gunemalli:
"I want to have 2 IPs or MACs to have unrestricted access to the internet.

Now how can I do that?"

If you want to have a few IP addresses that the rule does not apply to, remove those addresses from the list the rule applies to.

#--- Def Users App (Change Your IP)---
          acl users_apply src 172.16.0.1-172.16.0.100
          # (do not put that IP in this range)


Title: Re: [proxy]How to block all URLs except the ones i specify?
Post by: gunemalli on Wednesday 09 September 2009, 02:12:46 am
Thanks for your great support.

The problem that I have in this regard is that except the AD server, all the clients are on DHCP. So for now what I have done is:

#--- Def Users App (Change Your IP)---
acl users_apply arp MAC1
acl users_apply arp MAC2
...

for the PCs I want the ACL to be applied to. But anyway, I'll try something like using statics for the other PC too and then use a range.

Thanks for the suggestion.

Oh BTW, your English is much better than many ;)
I can easily understand what you mean.


Title: Re: [proxy]How to block all URLs except the ones i specify?
Post by: haiau on Wednesday 09 September 2009, 10:38:13 am
Quote from gunemalli:
"Thanks for your great support.

The problem that I have in this regard is that except the AD server, all the clients are on DHCP. So for now what I have done is:"

To use the MAC, you can refer to here: http://forums.opensuse.org/archives/sf-archives/archives-network-internet/341762-transparent-proxy-squid-2-6-suse-10-3-a.html

Alternative 1

Custom ACLs:
...
# --- List of MAC addresses the rule does not apply to ---
    acl mac_accept arp "/var/efw/proxy/acls/mac_exclusion.acl"

Custom Rules:
...
# --- Block all MAC addresses not declared in mac_exclusion.acl from using other services ...
# --- The allowed services are declared in services_custom_only.acl ---
    http_access deny !mac_accept !services_custom_only

PS:
     Create mac_exclusion.acl the same way as the file services_custom_only.acl

# ---  MAC address list ---
00:11:25:e8:3e:b4
00:1c:b1:33:7e:40
# ---  End MAC address list ---

Alternative 2
   
Using fixed addresses allocated by the DHCP server.

1. You can have the DHCP server lease a fixed range of addresses from 172.16.0.1 to 172.16.0.9 to the users that you do not want the rule to apply to.

2. Please allocate addresses in the range 172.16.0.10 to 172.16.0.254 to the users you want the rule to apply to.