Project

General

Profile

Actions

Bug #4088

open

Buggy squidgurd config file is created

Added by Volker Kuhlmann almost 7 years ago. Updated 10 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
squidguard
Target version:
-
Start date:
12/09/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.1.5
Affected Plus Version:
Affected Architecture:
amd64

Description

The config file that is generated for squidguard 1.4_4 pkg v.1.9.6 is buggy in two ways, leading to unexpected and dangerous behaviour.

1) Do not write out sources for disabled ACLs, or squidguard treats these
sources as "always pass"!

2) Squidguard doesn't know log statements in the action block for sources in the
acl block.

Patch attached.


Files

squidguard_configurator.inc.diff (2.32 KB) squidguard_configurator.inc.diff Fix 2 areas where teh created config is buggy. Volker Kuhlmann, 12/09/2014 05:44 AM
squidguard-src-disabled-and-log-statements_1.9.15.diff (5.25 KB) squidguard-src-disabled-and-log-statements_1.9.15.diff Fix for both problems, pfsense pkg 1.9.15. Volker Kuhlmann, 09/28/2015 07:06 PM
Actions #1

Updated by Volker Kuhlmann almost 7 years ago

Issue 1) renders squidguard useless because it bypasses it entirely.

I can't seem to change the bug priority. I was hoping the squidguard package updates actually fix problems :-(

Actions #2

Updated by Kill Bill about 6 years ago

1/ The patch appears incomplete at least regarding #2 - consider https://github.com/pfsense/pfsense-packages/blob/master/config/squidGuard/squidguard_configurator.inc#L1110
2/ Please, submit any fixes as pull requests on GitHub: https://github.com/pfsense/pfsense-packages

Actions #3

Updated by Volker Kuhlmann about 6 years ago

If you can't have log statements in ACL blocks then you can't have log statements in ACL blocks, so best to give up on that idea. The case is already been taken care of by the log statement in the dest block, the ACL statements are only about whether to pass the request, whether that is decided by time is irrelevant. As I understand it your objection is invalid.
Do not put unexpected config material into squidguard ever, it is very unpredictable then!

Sorry, no github yet. I have already provided the fix for problems, running patch should be managable. I am attaching a new patch for those who don't want to wait for a substantally broken squidguard to get sorted out.

Actions #4

Updated by Viktor Gurov 11 months ago

1) Do not write out sources for disabled ACLs, or squidguard treats these

sources as "always pass"!

fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/27

Actions #5

Updated by Renato Botelho 10 months ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions

Also available in: Atom PDF