Noah Dolph
Resolved
0 votes
So, I read in the documentation that you can set up groups of IPs and name them and give them custom filtering rules...

I seem to be blind, because I can't find where to do this.

I need the group 192.168.3.30-50 to be restricted on the network to not be able to do anything but web access, nothing internal.

I need the rest of the IP range, 50-150 to be filtered web access but have access to everything else internally.

The idea here is the access points vendors connect to are on DHCP, and we don't want them accessing anything else inside the network here.

If anybody has a better idea on how to accomplish this, let me know...
Sunday, October 10 2010, 05:16 AM
Responses (9)
  • Accepted Answer

    Wednesday, October 13 2010, 08:47 PM - #Permalink
    Before making any changes to files listed in this post, make backup copies of them so you can put stuff back to what it was if it gets messed up on you.

    That said, you’ll want to enable authentication plugins in the script for the file etc/dansguardian-av/dansguardian.conf by removing the # symbol from this line: #authplugin = '/etc/dansguardian-av/authplugins/ip.conf'

    Additionally you’ll want to set the number of ipranges (i.e. filter groups) you plan on having assigned their own filtering rules in the same file (i.e. dansguardian.conf) by putting this number in the line: filtergroups = 2

    You could then duplicate a filter group file for each iprange you’re looking to assign different filtering rules to. You’ll find the default filter group in the directory etc/dansguardian-av/ and it’s called dansguardianf1.conf. Make sure each duplicate file is given a different number in its file name, keeping these numbers sequential: dansguardianf2.conf, dansguardianf3.conf, dansguardianf4.conf, etc.

    At the top of the script for each filter group file you just created there is a spot for a unique group name you’ll want to assign: groupname = 'Default'
    Change Default to whatever name you want to assign the group.

    Then, under /etc/dansguardian-av/lists/authplugins there is a file called ipgroups that allows you to assign ipranges to filter groups. An example exists in the script, but basically you need to assign the previously created filter group file(s), having one per filtergroup:

    192.168.1.0-192.168.1.154 = filter1
    192.168.1.155-192.168.1.175 = filter2
    192.168.1.176-192.168.1.255 = filter3

    Restart the content filter at your command prompt:

    service dansguardian-av restart


    You should then be able to pull up the different filter groups by name in the webconfig, under the content filter settings.

    Don't try to add filter groups in the content filter configuration of the webconfig because it messes up your file structure in the dansguardian-av directory. It's better to work directly with the files.
  • Accepted Answer

    Eric
    Friday, October 15 2010, 04:24 PM - #Permalink
    Thank you, I was setting up another ClearOS just to filter some sites that should be allowed on some other IP range.

    With your instructions, it will work just to filter differently, by IPs not user?

    192.168.1.1-100 (admin machines, proxy filtered, webmail sites NOT allowed)
    192.168.1.101-200 (student machines, proxy filtered, webmail sites allowed)

    Will that scenario be possible to achieve with your instructions?

    Thanks in advance!
  • Accepted Answer

    Friday, October 15 2010, 05:24 PM - #Permalink
    won't know if it works until you try it...by all rights it should...it's not going to hurt if you do try it, just copy the original files like I said and put them back if your changes don't work...you'll have to restart the content filter service like I posted

    certainly you can post the steps you take and the results to see if we can stumble through getting it to work
  • Accepted Answer

    Friday, October 15 2010, 06:28 PM - #Permalink
    Can I make a suggestion that when you partition your IP ranges you look at doing it in nice subnets, e.g. 192.168.1-127, 192.168.1.128-254 (technically 255 but you can't use 255 itself) or 0-63, 64-127, 128-192, 192-255? Then you can also use CIDR notation (e.g. 192.168.1.0/26 is the same as 0-63) to express the ranges. It may help you later on.
  • Accepted Answer

    Eric
    Friday, October 15 2010, 06:30 PM - #Permalink
    Just tried, but nothing happened. I created 2 groups 'Adm' and 'Adm2', each with an IP range; added a site to the banned list, filtergroups = 3, etc. but the URL continues to be accessed normally. Checked and rechecked, restarted dansguardian-av after each try... but nothing.

    Any other ideas?
  • Accepted Answer

    Saturday, October 16 2010, 01:43 AM - #Permalink
    Try commenting out the user authentication line in dansguardian.conf that allocates the script that assigns users to filter groups, so that ipgroups authentication can take precedence. Use the # sign.

    # filtergroupslist = '/etc/dansguardian-av/lists/filtergroupslist'
  • Accepted Answer

    Eric
    Monday, October 18 2010, 01:03 PM - #Permalink
    Just commented the line you suggested, nothing :(

    Well, I'm missing something: on the webgui, when any of the two filter groups I've created ('Adm' and 'Adm2') there's an error at the bottom of the screen:

    No match found in file - /etc/dansguardian-av/dansguardian.conf for key /^filtergroupslist\s"=\s*/

    What should I check now?

    Thanks in advance.
  • Accepted Answer

    Monday, October 18 2010, 01:44 PM - #Permalink
    Sounds like you need to sign up with the dansguardian forums that have a wealth of knowledge. They actually use Yahoo for their forums, but as I said, they're very helpful. If you get it to work, please post your findings because this isn't the first time this subject has come up on the forums.
  • Accepted Answer

    Eric
    Monday, October 18 2010, 02:59 PM - #Permalink
    Thanks Dirk, will do that :)

    Anyway, the last question was just filtergroups = 2, should be = 3 (Default, Adm and Adm2).
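A pre-restart consistency check for the setup discussed in this thread, as an added example that is not part of any post here and is not ClearOS or DansGuardian code. It assumes the `range = filterN` line format shown in the accepted answer; the file contents, function names and the default of one group when `filtergroups` is unset are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed sample mirroring the thread: three groups, filtergroups left at 2.
SAMPLE_CONF = """\
filtergroups = 2
authplugin = '/etc/dansguardian-av/authplugins/ip.conf'
"""
SAMPLE_IPGROUPS = """\
192.168.1.1-192.168.1.100 = filter2
192.168.1.101-192.168.1.200 = filter3
"""

def parse_ipgroups(text):
    """Return sorted (first, last, group_number) from 'IP[-IP] = filterN' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([\d.]+)(?:-([\d.]+))?\s*=\s*filter(\d+)", line)
        if not m:
            raise ValueError(f"unparseable ipgroups line: {raw!r}")
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2) or m.group(1))
        if last < first:
            raise ValueError(f"range ends before it starts: {raw!r}")
        entries.append((first, last, int(m.group(3))))
    return sorted(entries)

def check(conf_text, ipgroups_text):
    """List the problems that would stop IP-based group assignment working."""
    problems = []
    if not re.search(r"^\s*authplugin\s*=.*ip\.conf", conf_text, re.M):
        problems.append("ip.conf authplugin line is missing or commented out")
    m = re.search(r"^\s*filtergroups\s*=\s*(\d+)", conf_text, re.M)
    declared = int(m.group(1)) if m else 1  # assumption: one group when unset
    widest = None  # range with the highest end address seen so far
    for first, last, group in parse_ipgroups(ipgroups_text):
        if group > declared:
            problems.append(f"filter{group} used but filtergroups = {declared}")
        if widest and first <= widest[1]:
            problems.append(f"{first}-{last} overlaps {widest[0]}-{widest[1]}")
        if widest is None or last > widest[1]:
            widest = (first, last)
    return problems

def to_cidr(first, last):
    """Express a range as the CIDR blocks that cover it exactly."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]
```

On the constructed sample, `check(SAMPLE_CONF, SAMPLE_IPGROUPS)` reports that `filter3` is used while `filtergroups = 2`, the mismatch identified in the last post; `to_cidr` shows how many CIDR blocks a range that is not subnet-aligned needs.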