Category Archives: Howto

Installing RouterOS on WatchGuard Firebox x1250e – With Hardware Mods!

When I set out to find a budget 1U rack-mounted firewall to install RouterOS on, I discovered the WatchGuard Firebox. I have zero experience using WatchGuard products, but I found there is quite a following for this hardware platform, with pfSense-related websites, blogs and forums discussing various methods of modifying these Firebox units, including manipulating the BIOS and adding VGA outputs, keyboard inputs, and hard disks. I figured this looked like fun, so what the heck. I ordered a WatchGuard Firebox x1250e off eBay for around $100. The good news is that you won't need to haggle with any of that nonsense the pfSense crowd has to deal with in order to get this working.

I googled around a bit to find out as much as I could about the procedure and whether anybody else had had any success at doing what I was about to attempt. I could find very little about Mikrotik RouterOS being installed on WatchGuard Firebox units. Besides a few posts from a decade ago on Mikrotik's forums about a few guys who got it to work back in the day, there was nothing. Which is precisely why I am writing this article: so that the next person who's googling will find it and know that the answer is YES, you can do it, and YES, it's very easy.


The unit arrived with a bad power supply, which I had to order a replacement for, but once I had the replacement installed, I quickly got the unit up and began testing it. I wasn't able to log in to the web interface due to some custom configuration the previous owner had done, not even after performing a factory reset following the procedures on WatchGuard's website. The damn thing still had somebody's configuration loading, presumably from a configuration stored somewhere on the CF card.

So, I simply loaded up Mikrotik’s Netinstall software from within Windows and installed RouterOS directly to the stock 512mb CF Card that shipped with the Firebox x1250e.

I placed the CF card, which now had RouterOS on it, back into the Firebox x1250e and turned it on. I waited a bit; the unit seemed not to be doing anything and I began to get concerned, but then I observed that the hard disk LED on the front of the unit was pegged solid, flickering occasionally, which told me the magic was happening.

I decided to remain patient and leave it alone, and I'm glad that I did. After waiting about 10 minutes in total, and hearing a system beep at the end of each boot, I concluded that it took about 2-4 reboots for RouterOS to configure itself before it was finished installing and setting up. (It boots REALLY fast after completing the install, as a matter of fact.)

RouterOS x86 finally installed on my unmodified WatchGuard Firebox x1250e. I then proceeded to install the optional LCD software package, which can be downloaded from RouterOS.com, and after tinkering around a bit I discovered there is a selection of different LCD types within the LCD package menu; vitek-vc2025-2 was the option that worked for the x1250e unit I had. It just worked, like a charm. Good job Mikrotik!

Next, I purchased an x86 Level 4 RouterOS license from Roc-Noc and I am extremely happy with the outcome. Just a heads up to new customers: you will need to wait a while for Roc-Noc to email you your license, but don't worry, they will, and if you are impatient like me, just email them and a rep will send you your license relatively quickly.

Next, I proceeded to set up firewall rules and schedule the automatic updates of the DNS Ads and Malicious blacklists from Squidblacklist.org. I have also decided to order a replacement LCD to upgrade the ugly yellow display.

DNS filtering with Firebox x1250e & Mikrotik RouterOS:

DNS blacklisting is a snap with blacklists from Squidblacklist.org

As you can see in the image above, I have easily imported three DNS blacklists from Squidblacklist.org so that I can filter some unwanted content. I selected three categories: Ads, Malicious, and “CP”. Over 107,643 domain names are now blacklisted in our DNS server and will not resolve.

The impact of this many entries is that we have now consumed approx 600mb of system memory, with minimal disk or CPU usage. DNS response times are as fast as they can be, and system performance is rock solid. I have scheduled daily updates for these blacklists as well, using the system scheduler.

Booting the router takes considerably longer, due primarily to the poor IO bandwidth of the CF card while the OS loads the DNS server with thousands of static entries. Once it is up and running, however, it's done. After RouterOS boots completely, there is an additional 5 minute period of heavy CPU usage before the DNS server will begin responding to DNS queries. I recommend installing a mini PCI-e SSD, the same type found in laptops. This would most certainly alleviate the issue with the CF card read/write IO.


April 3 2017: Upgrades arrive.

Memory and CPU upgrades for the Firebox x1250e

OK, so the above mentioned parts are here. I was eager to update the blog post; however, I still have to wait until after midnight, after everybody goes to sleep, before I interrupt service to pull the unit out of the rack and get the Firebox x1250e upgraded. Otherwise I will never hear the end of the complaints about the outage.

x1250e Memory Upgrade – 2x 1GB DDR2 6400

Installing the memory should be a snap. I suspect the unit may support larger modules; I will test a single 2GB module I happen to have here in the lab during the procedure, and if it works I will order a second matching stick and get the unit maxed at 4GB. The documentation says the unit only supports a maximum of 1GB per slot, which I doubt is accurate. There's only one way to find out. (I'll edit this section of the article after I find out.)

Update: Maximum Memory Determined.
I have tested two 2GB sticks of DDR2 PC-6400 in the Firebox x1250e, and I have concluded that the maximum installable memory in the Firebox model x1250e is 2GB. This is a bit annoying, because the unit does POST with a single 2GB stick in either slot, but when I tried to place both sticks in at the same time, the unit simply wouldn't POST at all. So I decided to reinstall both 1GB sticks, and I'm actually satisfied with that; for my own use as a gateway, I'm not even consuming half of that yet.

Firebox x1250e CPU Upgrade – Pentium M 780 SL7VB

It seemed like it took forever to get the CPU from Shenzhen, China. But it's here: a Pentium M 780 2.26GHz/2M/533. No speed demon by today's standards, but it's certainly twice as much CPU power as the 1.3GHz Celeron that shipped with the unit, and it will effectively max the CPU out. There is no faster CPU made for this hardware architecture without getting into some insane overclocking voodoo.


Upgrading the Firebox x1250e CPU:
Firebox x1250e CPU Jumpers

There are some jumpers on the motherboard which must be switched. It is clearly indicated on the motherboard which DIP switches must be flipped for a Dothan or a Banias core CPU. The Celeron that shipped with the unit is a Banias core, and the Pentium M 780 is a Dothan core. So I set the switches appropriately, as indicated on the diagram, and booted up, eagerly anticipating 2.2GHz.

CPU isn't running at full speed.

Problems with the Pentium M 780
RouterOS reports that the Pentium M 780 CPU is running at 1700MHz, when it should be running at its rated speed of 2.26GHz. So I scratched my head, thought for a moment and got to work. I shut down the unit and began playing around with the DIP switches to see if I could get it to POST at the right speed with some sort of magical, undocumented combination of DIP switch settings, like we old timers used to do back in the Socket 7 era with Pentium and K6 chips.

After exhausting every possible combination of DIP switch settings over a dozen frustrating reboots, waiting each time, I determined that I could not. I finally just set it as directed on the motherboard diagram for a Dothan core, put it back in the rack and fired it up. This Firebox x1250e was apparently going to run at 1700MHz whether I liked it or not.

I can only assume one of two possibilities. This motherboard may not support the 533 FSB of the Pentium M 780, and the guy who discussed using a 533 FSB CPU upgrade in this unit on the pfSense forum was full of crap. Or it is entirely possible that the BIOS needs to be updated because it simply doesn't have the microcode for this CPU, and it just doesn't know what to do with it. The Pentium M 780 has a 17x multiplier, and that would explain why it's running at 1700MHz (Quad Rate DDR: 4x 100MHz x 17 multiplier = 1700MHz).

Upgrading the BIOS on this mainboard isn't going to be as simple as it would be if it were a desktop motherboard. So I am going to abandon the Pentium M 780 and instead order another CPU, one with a 400MHz FSB. The new CPU should be cheap and easy to find. The fastest 400MHz bus Pentium M made, according to this chart on Wikipedia, is the Pentium M 765 (SL7UZ or SL7V3) 2.1GHz/2MB/400. I also just purchased a Pentium M 760, which was a mistake because it too is a 533MHz part. I have ordered a third CPU, a Pentium M 755, which is indeed a 2.0GHz/2MB/400MHz part and should arrive next week some time. I'll update the blog as soon as I have it installed.

CF Card IO Performance
The IO bandwidth of the CF card that ships with the Firebox x1250e is rather limiting. That isn't much of an issue if you are just using it as a router, until you begin working with large blacklists or other large data files, so one might imagine that the Firebox x1250e could perform quite a bit more smoothly using an SSD rather than a CF card.

x1250e has a 4x PCI-e slot

Fortunately, there appears to be a normal looking 4x PCI-e slot near the CF card slot, in which we should be able to install an SSD. I have no doubt that the system would be snappier, more reliable and faster to boot, and in our specific deployment the x1250e would load blacklists considerably faster with an SSD installed.

In 2017 it should be relatively easy to locate, obtain and install a ribbon extension for the PCI-e slot and add a small SSD for next to nothing, with a little creative placement of the hardware. I look forward to performing this modification in the future and will update this blog post as soon as I have some related content.

Audio Anomaly:
This is a bit trivial, but noteworthy nonetheless: an amusing script that produces a ‘Star Wars Imperial March’ jingle from the system speaker doesn't sound like it does on an actual Mikrotik RouterBoard. It does play, but it doesn't sound quite right at all.

LCD has Arrived:

A New Firebox x1250e LCD Upgrade

Ok so the replacement ‘5V 20×2 Character LCD Module’ has arrived.

I just got done soldering in the replacement LCD. I wasn't sure what to expect, but after a few seconds, as you can see, it went well.


And a dark shot showing the glorious end product safely running in production under lock and key.

To be continued….

Want to filter unwanted websites with a WatchGuard Firebox or a RouterOS Device?


Subscribe and download all of our blacklists.

Flat rate subscription. For full access to all of our works, select a membership option & subscribe today.



Select Payment Option



  • You will be issued a username and password.
  • You will be granted access to our member area.
  • 5 Year Membership Option now available.
  • For lifetime membership options click here.
  • Contact us if you would like a pre order invoice.

Disclaimer: All sales are final, we do not issue refunds. Cancel your subscription anytime.


Updates and Changes to Mikrotik RouterOS Blacklists

There have been some changes in the latest version of Mikrotik RouterOS, which meant we really had no choice but to make some minor changes of our own; otherwise the old format would simply fail to work when you tried to load it into a current version of Mikrotik RouterOS (version v6.37 or newer).

It seems Mikrotik decided, for whatever reason, to change the way static dns entries are handled.

RouterOS DNS Static Entry Change – Side by Side Comparison

As you can see in the image above, the changes were significant enough to force us to make the changes. If you are having any issues loading our blacklists, then you should update to the latest version of RouterOS as soon as possible.

We also decided that it would be best to add a single line to the header included in each blacklist to remove old entries before loading the new ones. Of course any knowledgeable admin would know to do this, but we felt it was something that should already be included in the blacklists for your convenience.

NEW FORMAT:

# TiK-DNS-Ads: Blacklist compiled by SquidBlacklist.org 10-01-2016. -MADE IN USA-
:log info "tik dns ads blacklist script import started"
:local redirectIP "127.0.0.1"
/ip dns static remove [find comment="sbl ads"]
/ip dns static
add regexp="^(.*\\.)\?004\\.frnl\\.de\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?01s\\.net\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?01viral\\.com\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?0427d7\\.se\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?0702\\.de\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?0ca\\.net\$" address="$redirectIP" comment="sbl ads"
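As an added example (not part of the original post and not Squidblacklist.org's own tooling), the following POSIX shell script generates a blocklist in exactly the new format shown above from a plain list of domains, validating and de-duplicating the entries first so that a stray line cannot become a broken regexp on the router. The sample domain list, the comment tag "sbl ads", the sink address and the output file name are constructed for illustration.

```sh
#!/bin/sh
# Added example: generate a RouterOS (v6.37+) static DNS blocklist .rsc in the
# "new format" shown above from a plain domain list. Each domain becomes one
# regexp entry matching the domain and every subdomain of it. The tag, sink
# address, sample list and file names are illustrative assumptions.

# Emit one "add" line. The .rsc is parsed by RouterOS, which unescapes
# \\ -> \ , \? -> ? and \$ -> $, so the router stores ^(.*\.)?example\.com$
rsc_entry() {
    domain="$1"
    tag="$2"
    escaped=$(printf '%s' "$domain" | sed 's/\./\\\\./g')   # . -> \\.
    printf 'add regexp="^(.*\\\\.)\\?%s\\$" address="$redirectIP" comment="%s"\n' \
        "$escaped" "$tag"
}

# Accept only well-formed lowercase host names: labels of letters, digits and
# hyphens (no leading/trailing hyphen), at least two labels. Wildcards, URLs,
# host:port strings and stray text are rejected instead of becoming bad regexps.
is_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Write the complete script to stdout: header, log line, redirect target, the
# "remove old entries first" line described in the post, then the add lines.
# $1 = domain list file ('#' comments allowed), $2 = comment tag, $3 = sink IP
build_rsc() {
    tag="$2"
    sink="$3"
    printf '# constructed blocklist, tag "%s" (generated example, not a Squidblacklist.org file)\n' "$tag"
    printf ':log info "%s blacklist script import started"\n' "$tag"
    printf ':local redirectIP "%s"\n' "$sink"
    printf '/ip dns static remove [find comment="%s"]\n' "$tag"
    printf '/ip dns static\n'
    sed 's/#.*//; s/[[:space:]]//g' "$1" | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u |
    while IFS= read -r d; do
        if is_domain "$d"; then
            rsc_entry "$d" "$tag"
        else
            printf 'skipping invalid entry: %s\n' "$d" >&2
        fi
    done
}

# Demo on a constructed sample list (run with --demo); writes tik-dns-ads.rsc
# in the current directory, ready to upload and /import on the router.
demo() {
    list=$(mktemp) || return 1
    cat > "$list" <<'EOF'
# constructed sample, not a real blocklist
004.frnl.de
01s.net
Ads.Example.COM
ads.example.com      # duplicate once lowercased
not a domain
EOF
    build_rsc "$list" "sbl ads" 127.0.0.1 > tik-dns-ads.rsc
    rm -f "$list"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The generated file is what the scheduled import task on the router loads; because the header removes every entry carrying the same comment tag before adding the new ones, re-importing it daily leaves no stale domains behind.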

I hope this will help to clarify for those of you who are scratching your heads about the sudden changes.

Thank you for your support.

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org




Using Squidguard and Pfsense to Url Filter with Domain Blacklists from Squidblacklist.org


URL filtering is one strategy used to filter access to websites based on the domain name and/or URL. There are several commercial products available for URL or domain content filtering, but you can easily build a very reliable system on your own using SquidGuard and pfSense. SquidGuard is a useful add-on package for the Squid proxy server and can be used to filter or redirect web requests on the network.

SquidGuard has a long list of features that can be tailored to fit your needs. It's also rather fast and doesn't slow down the internet for your clients. If you need to block access to a list of unwanted websites, or only allow access to a whitelist of specific web sites, SquidGuard can certainly assist with this.

SquidGuard is also very flexible, and it is easy to adapt to different applications. Whether you intend to do basic URL filtering on your home network or need to create some complicated rules for a large private or public network, SquidGuard can do it.

Before you can put a web filtering proxy under pfSense into production, some configuration is required. If you are new to pfSense I might recommend reading through the instructions that ship with pfSense.

Install the SquidGuard Package

SquidGuard and the Squid proxy can both be installed using the pfSense package manager. To access the pfSense package manager, click Packages on the System menu. Select the Available Packages tab and scroll down, where you will find SquidGuard and Squid proxy listed individually; click the plus sign next to each item to begin the installation.

Once the installations are complete you will have a new Proxy Filter item under the Services menu.

Blacklists

To set up the domain blacklist, open the proxy filter's General settings page. Click the checkbox to enable the blacklist.

You can use one of several different domain blacklists publicly available on the web. You can also find a list of several blacklists at http://www.squidblacklist.org. We have our blacklists available in multiple formats, but most likely you'll want the standard directory-formatted archive located at the following URL: http://www.squidblacklist.org/downloads/squidblacklists/squidblacklist.tar.gz




Excluding sites from the blacklist

There may be some sites that you need to allow your users to access. To prevent these sites from being blocked, you can create a new target category and add a list of domains or URLs that should not be blocked.

To do this click the Target Categories tab, and then click the plus sign to add a new category. You must assign a unique name to the new category; the name you choose cannot contain spaces.

A target category can filter by domain name, URL, or expression. Adding a domain will grant access to the main site and all its sub-pages. Entering a URL allows access only to that exact page. Expressions allow you to grant access based on certain keywords.

When finished, click Save, then go back to the Common ACL tab or the Groups ACL tab (wherever you created the rule) and select the whitelist action for your new category.

You can also use this same method to add additional sites to your blacklist.

Filtering by Expression

In addition to domain and URL filtering, SquidGuard can create filters using regular expressions. These types of filters are great when you want to search for specific text strings in a URL and make a decision based on that match. If you are unfamiliar with regular expressions they can be a bit confusing at first, but there are many online resources on the subject, so I will not go into much detail about them in this article.

To create a filter that uses an expression, click the Target Categories tab and either create a new category or edit an existing one. Enter the expression you want to filter in the expression box and then click Save. Then go back to the Common or Group ACL tab and select the action (deny, permit, etc.) for your target category.

Here are some examples of filter expressions. These can be edited according to what you want to filter. For more useful information about filtering with regular expressions, review http://www.squidguard.org/Doc/Examples.

Block downloads based on file extension

(.*\/.*\.(zip|rar|exe|msi|mpeg|avi))

Block certain TLDs

(\.gov|\.xxx|\.mil|\.net)

Block search “bypass proxy” on Google and Yahoo

(.*(google|yahoo).*(search_query|keywords|search|query|q|p)=.*(\+|\%20)*(proxy|bypass).*(\-|\+|\%20).*(proxy|bypass).*)

Schedules & Time-based rules

SquidGuard also allows you to apply URL filtering based on schedules. Schedules are useful for applying rules at different times during the day, or only on certain days of the week.

For example, you could apply strict URL filtering rules during office hours and automatically disable the rules after 17:00. If you are filtering your home network, you may not want the children to visit certain sites during the school week; this is another example where a time-based rule would be used.

To create a time-based rule, click the Times tab and then click the plus sign to create a new schedule. You can create as many different schedules as you need.

Schedules can be applied using the Groups ACL tab. Create a new ACL or edit an existing group, then click the “time” drop-down box and select the schedule you created.

Do not forget to click Apply on the General tab for the settings to take effect.

Conclusion

Commercial web filtering devices can be very expensive and difficult to manage. pfSense and SquidGuard are completely free and very powerful. SquidGuard offers many other features that are not covered in this article. For more detailed information, visit SquidGuard.org and check out the documentation section. Also be sure to check out some of my other articles to learn about more ways to use pfSense on your network.

Updating Blacklists For RouterOS From Squidblacklist.org

Content filtering using domain name blacklists on Mikrotik RouterOS devices.

To automatically download or update your blacklists from Squidblacklist.org onto your RouterOS devices, there are several methods, but the most straightforward is likely to be using WinBox and the system scheduler.

To update your blacklists, we can use the following example to fetch tik-dns-ads.rsc:


/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/squidblacklists/tik/dns/tik-dns-ads.rsc user=some-username password=some-password

Scheduled Automatic Blacklist Download.

Now that we have scheduled a task to download the blacklists, we also need to add a task to actually import them. It's a good idea to schedule this to run a few minutes later.

Scheduled RouterOS Blacklist Import

:log warning "Disabling system Logging";
# turn off the default logging action (rule 0) so the thousands of "add" lines in the blacklist are not logged
/system logging disable 0
import tik-dns-ads.rsc
# re-enable logging once the import is finished
/system logging enable 0






Squid Proxy: Creating custom error pages for each ACL

I have been asked several times how to create custom error pages for each ACL in the Squid proxy, so I'm going to write a small blog entry on the subject in the hopes that somebody will find it useful. It isn't rocket science and it is not complicated.

This is the result a user might see using a custom Squid error page.

When using many different ACLs to control traffic, one may choose to have different error pages to indicate which specific ACL it was that blocked the traffic. This is crude, but it gets the job done without complicated CGI scripts. The reasons for doing this are simple: sometimes it's nice to know which blacklist is blocking your content, specifically in the case of a false entry or a domain that you would like to add an exception for.

In the following excerpt from a squid.conf you can see the entries required to allow for custom error pages for porn, malicious and ads. This is all that is required as far as the conf is concerned to get this done.

# each denied ACL is paired with a deny_info naming the error template to show
http_access deny porn
deny_info ERR_PORN_ACCESS_DENIED porn
http_access deny malicious
deny_info ERR_MALICIOUS_ACCESS_DENIED malicious
# categories not currently enforced on this box
#http_access deny dating
#http_access deny gaming
#http_access deny gambling
#http_access deny piracy
#http_access deny proxies
#http_access deny pharma-rx
#http_access deny blasphemy
http_access deny ads
deny_info ERR_ADS_ACCESS_DENIED ads

Locating Squid default error pages in a terminal.

Of course, you will need to create these files and put them in the default error page templates directory on your Squid proxy machine. The file (ERR_ADS_ACCESS_DENIED) in this case is not simply a copy of the default file that ships with the precompiled version of Squid we installed on a Debian box; rather, one of our custom error pages available from www.Squidblacklist.org (ERR_ACCESS_DENIED) was copied and the text “CATEGORY MALICIOUS” was added.

If you are unable to find these files, or are lost and cannot find the directories where they are stored on your Squid proxy server, simply run a locate command to see if you can find them, as shown in the following image.

Locate Squid default error pages from a terminal session.

If you are interested in some default error pages, we do have some available for download here.





Installing and configuring the squidGuard web filter


Intro

This page was originally hosted by the official SquidGuard maintainers; however, since they refuse to add our referral link as a reputable blacklist provider, we will do it for them. This howto has not been updated in many years, but I'll modify and update it here, as the information may still be useful. The definitive place to fetch the blacklists is http://www.squidblacklist.org; use the “DG/SG Compatible Standard Format”.

And now back to the “vintage” documentation….

With the passage of the Children’s Internet Protection Act, schools are required to filter access to the internet in order to be eligible for E-Rate funds. E-Rate can be a substantial amount of money. With tightening budgets, foregoing the E-Rate funds will not be an option in most cases.

Unfortunately, commercial web filtering software is very expensive.

This puts quite a burden on under-funded schools. They need the E-Rate funds to help pay for internet access, but in turn must spend a significant amount of money on filtering software.

The good news is that there exists free content filtering software. Until recently, MESD had been using expensive commercial content filtering software. We are very pleased with the performance of SquidGuard, and the schools we support report that they much prefer SquidGuard.

Official Site
The official squidGuard web site is located here:

http://www.squidguard.org

Installation
First and foremost, you need to start off with a properly configured system that supports the Squid proxy server. Squid is licensed under the GNU General Public License, which means that it is free, both in the sense of free beer and free speech. Squid runs on a number of operating systems. Currently Linux, *BSD, Tru64, IRIX, Solaris, SCO, AIX, HP-UX, and NextStep are officially supported. MESD recommends Linux or OpenBSD. MESD uses the Immunix version of Linux. Most versions of *BSD and Linux include Squid.

If you are running Red Hat 7.2 server, you can download a squidGuard RPM here:

ftp://k12linux.mesd.k12.or.us/pub/squidGuard/

After installing this package, you can activate squidGuard by adding the following line to the squid configuration file (/etc/squid/squid.conf):

redirect_program /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf

and restart squid:

/sbin/service squid restart
/sbin/chkconfig squid on

For full instructions on installing squidGuard, see the squidGuard website: http://www.squidguard.org/install/

Configuration
Configuring squidGuard is very straightforward. The default location for the block lists is /usr/local/squidGuard/db/. Each category is located in a different directory. Currently, the categories available are ads, aggressive, audio-video, drugs, gambling, hacking, porn, violence, and warez. The configuration file is /etc/squid/squidGuard.conf. Here is a sample configuration file:

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

dest gambling{
log gambling
domainlist gambling/dg-gambling.acl
}

dest porn{
log porn
domainlist porn/dg-porn.acl
}

acl {
default {
pass !gambling !porn all
redirect 302:http://www.google.com
}
}

dbhome defines where the block list databases are located
logdir defines where to log blocked requests
dest defines a category
acl defines the access control lists.

This example configuration defines two categories, gambling and porn. The acl line says that the default action is to block (! = don't pass) the gambling and porn categories and to permit everything else. The redirect line says to send requests for blocked sites to http://www.google.com; change this to fit your needs.

The default configuration file, /etc/squid/squidGuard.conf is much more extensive. See the squidGuard homepage, http://www.squidguard.org/config/ for all of the configuration options available.

Updates
The Red Hat 7.2 RPM is not configured to automatically download the Squidblacklist.org blacklists every night, but this can easily be done using cron and wget with a simple bash script. Squidblacklist.org publishes all of its blacklists combined into a single file or individually, compressed or decompressed, and they are available from the following URL: http://www.squidblacklist.org/downloads.html.

Making changes to the blacklists is very easy. The squidGuard RPM is preconfigured with two locally-modifiable databases, /var/squidguard/blacklists/local-ok/ and /var/squidguard/blacklists/local-block/. Each database has two files: domains and urls. Squidblacklist.org publishes domain based blacklists, NOT URLs. Regardless, if you want to block/unblock a whole web site, append the domain name to the domains file, or you could just create your own custom acl by creating a new entry in your conf.

To easily whitelist a site, for example, if you want to make sure that web pages at CNN’s web site are never blocked, you can append cnn.com to the end of /var/squidguard/blacklists/local-ok/domains. If you want to make sure that all of the pages at somebadsite.com are blocked, append that to /var/squidguard/blacklists/local-block/domains. If there is just a specific portion of a website you want blocked, say http://www.yahoo.com/adult-stuff/, you can add “yahoo.com/adult-stuff” to /var/squidguard/blacklists/local-block/urls.

Once you've made the modifications, you need to run a command or two for the changes to take effect. If you are using the pre-built RPM, you can run:

/usr/sbin/update_squidguard_blacklists

If you are not using the pre-built RPM, these commands should do the trick for you:

su squid -s /bin/sh -c "/usr/sbin/squidGuard -c /etc/squid/squidGuard.conf -C all"
/usr/bin/killall -HUP squid
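As an added example, not squidblacklist.org's or the squidGuard RPM's own code, here is a small POSIX shell helper that ties the local-ok / local-block editing above to the rebuild commands. It appends a domain to either local list only after checking that it is a bare domain name (the domains files take host names, not URLs, so a pasted "http://cnn.com/" would silently match nothing), refuses duplicates, reports domains that have ended up in both lists, and rebuilds the databases with the same two commands shown above. The function names (sb_add_domain, sb_list_conflicts, sb_rebuild) and the SQUIDGUARD_* override variables are this example's own; the default paths are the RPM's.

```shell
#!/bin/sh
# Added example, not squidblacklist.org's or the squidGuard RPM's own code.
# Maintains the local-ok / local-block domain lists and rebuilds the databases.
# Default paths follow the Red Hat RPM layout described above; the three
# SQUIDGUARD_* variables are this example's own overrides for other layouts.
SQUIDGUARD_BLACKLISTS="${SQUIDGUARD_BLACKLISTS:-/var/squidguard/blacklists}"
SQUIDGUARD_CONF="${SQUIDGUARD_CONF:-/etc/squid/squidGuard.conf}"
SQUIDGUARD_BIN="${SQUIDGUARD_BIN:-/usr/sbin/squidGuard}"

# sb_valid_domain DOMAIN -> 0 if DOMAIN is a bare host name (labels of
# letters, digits and hyphens, at least one dot).  A scheme, path, port or
# leading dot is rejected: such an entry in a domains file never matches.
sb_valid_domain() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# sb_add_domain ok|block DOMAIN
# Appends DOMAIN (lower-cased) to local-ok/domains or local-block/domains.
# Returns 0 if added, 1 on bad arguments, 2 if the domain is already listed.
sb_add_domain() {
  local list="$1" domain="$2" file
  case "$list" in
    ok|block) ;;
    *) echo "usage: sb_add_domain ok|block DOMAIN" >&2; return 1 ;;
  esac
  if ! sb_valid_domain "$domain"; then
    echo "rejected '$domain': not a bare domain name" >&2
    return 1
  fi
  domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
  file="$SQUIDGUARD_BLACKLISTS/local-$list/domains"
  mkdir -p "$(dirname "$file")"
  touch "$file"
  if grep -Fxq "$domain" "$file"; then
    return 2
  fi
  printf '%s\n' "$domain" >> "$file"
}

# sb_list_conflicts: print domains that appear in both local-ok and
# local-block, so the operator can decide which list should win.
sb_list_conflicts() {
  local ok="$SQUIDGUARD_BLACKLISTS/local-ok/domains"
  local block="$SQUIDGUARD_BLACKLISTS/local-block/domains"
  [ -f "$ok" ] && [ -f "$block" ] || return 0
  sort -u "$ok" | grep -Fxf "$block" || true
}

# sb_rebuild: recompile the databases as the squid user and make squid
# re-read its configuration (the same two commands shown above).
sb_rebuild() {
  su squid -s /bin/sh -c "$SQUIDGUARD_BIN -c $SQUIDGUARD_CONF -C all" \
    && killall -HUP squid
}

# Command-line front end; with no arguments only the functions are defined.
case "${1:-}" in
  add-ok)    sb_add_domain ok "$2" ;;
  add-block) sb_add_domain block "$2" ;;
  conflicts) sb_list_conflicts ;;
  rebuild)   sb_rebuild ;;
  "")        ;;
  *)         echo "usage: $0 add-ok|add-block DOMAIN | conflicts | rebuild" >&2; exit 1 ;;
esac
```

Typical use is `./sb-local.sh add-block somebadsite.com && ./sb-local.sh rebuild`. Run `conflicts` before rebuilding: a domain listed in both local-ok and local-block is resolved by whichever the acl's pass line names first, which is rarely what the person who added the second entry intended.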

Contact us at webmaster@squidblacklist.org for clarification on any other issues or questions regarding this topic. For more information on squidGuard and domain blacklists by Squidblacklist.org, see our blog for more tutorials and resources on the subject.


Subscribe Today – Paypal or Credit Card Accepted.

Flat rate subscription. Select a membership option & subscribe.



Select Payment Option



  • You will be issued a username and password.
  • You will be granted access to our member area.
  • 5 Year Membership Option now available.
  • For lifetime membership options click here.
  • Contact us if you would like a pre order invoice.

Disclaimer: All sales are final, we do not issue refunds. Cancel your subscription anytime.


How to setup and use Blacklists with Websense and Squidblacklist.org.

How do I set up a filtering blacklist with Websense & Squidblacklist.org?

Websense Web Filter

Applies To: Websense Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere Version 7.6

Step 1.
Download and decompress blacklists from Squidblacklist.org by signing up for an account here. Fees apply.

Step 2.
The easiest way to block (or “blacklist”) a list of URLs is to create a custom category and recategorize the URLs you want to block into that category.

Step 3.
On the Policy Management > Filter Components > Edit Categories > Add Category page add a category name, description and parent category (optional).

Step 4.
Enter the sites (URLs or IP addresses) that you want to add to this category. You can also edit this list after creating the category.

Step 5.
Select Block as the default filtering Action to apply to this category in all existing category filters.

Enable any desired Advanced Filtering actions (optional). Then click OK to cache your changes. Changes are not implemented until you click Save All.



Mikrotik RouterOS Malicious IP Blacklist – Firewall Import Script – Gratis

Happy New Year! @Mikrotik @RouterOS fans!

We have published a malicious IP blacklist for free: the combined DShield and Spamhaus malicious blacklists, formatted as a Mikrotik RouterOS .rsc import script for a firewall address list, regenerated daily by our servers for easy download and import into your Mikrotik Router.

It can be downloaded directly here, or follow the instructions below to set up the firewall rules and schedule automatic daily updates on any Mikrotik Router.


To automatically download, update, and apply the combined DShield and Spamhaus IP blacklists on your Mikrotik Router:

First: Log into Winbox.

Open a terminal and add the following three firewall rules, which drop traffic from the listed addresses in the input chain (that is, traffic addressed to the router itself) and log each drop:

/ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=yes log-prefix=drop.dshield
/ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=yes log-prefix=drop.spamhaus1
/ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=yes log-prefix=drop.spamhaus2


Now we need to schedule the automated download: go to System > Scheduler and create a new task (named, for example, "Update spamhaus dshield routeros blacklists") whose on-event script fetches the current list into the router's file storage:

/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/drop.malicious.rsc


Now we schedule the import task: create a second scheduler task, run after the download has completed, whose on-event script imports the fetched file (saved as drop.malicious.rsc) into the firewall address lists:

/import file-name=drop.malicious.rsc
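An added check, not squidblacklist.org's or MikroTik's code: a file handed to /import is executed as RouterOS script, and the fetch above runs over plain HTTP, so a truncated, stale or altered download would be executed as whatever it happens to contain rather than loaded as a list of addresses. The shell script below runs on an administration host that fetches the file first; it accepts the file only if every non-comment line is an address-list entry for one of the three lists named above with a syntactically valid IPv4 address or prefix, and rejects anything else, after which the file can be copied to the router and imported. The file shape it assumes (a bare "/ip firewall address-list" line followed by "add list=... address=..." entries, or one-line "/ip firewall address-list add ..." entries, with comment= and timeout= as the only extra parameters) is an assumption, as are the function names; change ALLOWED_LISTS if your list names differ.

```shell
#!/bin/sh
# Added example, not squidblacklist.org's or MikroTik's code.  Checks a
# downloaded drop.malicious.rsc before it is copied to the router and
# handed to /import, which executes the file as RouterOS script.
# Assumed file shape: '#' comment lines, an optional bare
# "/ip firewall address-list" line, and "add list=... address=..." entries
# (optionally prefixed with "/ip firewall address-list "), each with at most
# comment= and timeout= as extra parameters.  Everything else is rejected.
ALLOWED_LISTS="${ALLOWED_LISTS:-drop.dshield drop.spamhaus1 drop.spamhaus2}"

# is_ipv4_prefix ADDR -> 0 if ADDR is a dotted-quad IPv4 address (each
# octet 0-255) with an optional /0-32 prefix length.
is_ipv4_prefix() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# is_allowed_list NAME -> 0 if NAME is one of the lists the firewall rules reference
is_allowed_list() {
  local name
  for name in $ALLOWED_LISTS; do
    [ "$1" = "$name" ] && return 0
  done
  return 1
}

# validate_rsc FILE -> prints the number of accepted entries and returns 0,
# or reports the first offending line on stderr and returns 1.
validate_rsc() {
  local file="$1" full='/ip firewall address-list add ' short='add '
  local lineno=0 count=0 line rest tok key val have_list have_addr
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # strip a Windows line ending and surrounding whitespace
    line=$(printf '%s' "$line" | tr -d '\r' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
    case "$line" in
      ''|\#*)                      continue ;;
      '/ip firewall address-list') continue ;;
      "$full"*)                    rest=${line#"$full"} ;;
      "$short"*)                   rest=${line#"$short"} ;;
      *) printf 'line %d: unexpected command: %s\n' "$lineno" "$line" >&2; return 1 ;;
    esac
    # comment="..." may contain spaces; drop it before splitting into key=value tokens
    rest=$(printf '%s' "$rest" | sed -E 's/(^| )comment="[^"]*"//g; s/(^| )comment=[^ ]*//g')
    have_list=0; have_addr=0
    for tok in $rest; do
      key=${tok%%=*}; val=${tok#*=}
      case "$key" in
        list)
          is_allowed_list "$val" || { printf 'line %d: list not allowed: %s\n' "$lineno" "$val" >&2; return 1; }
          have_list=1 ;;
        address)
          is_ipv4_prefix "$val" || { printf 'line %d: bad address: %s\n' "$lineno" "$val" >&2; return 1; }
          have_addr=1 ;;
        timeout) ;;
        *) printf 'line %d: unexpected parameter: %s\n' "$lineno" "$tok" >&2; return 1 ;;
      esac
    done
    if [ "$have_list" -ne 1 ] || [ "$have_addr" -ne 1 ]; then
      printf 'line %d: entry lacks list= or address=\n' "$lineno" >&2
      return 1
    fi
    count=$((count + 1))
  done < "$file"
  printf '%s\n' "$count"
}

# With a file name as argument, validate it; with no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
  validate_rsc "$1" >/dev/null && echo "OK: $1 contains only expected address-list entries"
fi
```

The check is deliberately a whitelist of line shapes rather than a blacklist of dangerous commands: the list format is small and fixed, so anything outside it is a reason to stop and look rather than something to be guessed at. Fetching over HTTPS where the server offers it removes the transport part of the problem but not the case of a bad file on the server side, so the check is worth keeping either way.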



Domain Whitelist For Content Filtering Published

Our domain whitelist for content filtering purposes is now available for public access.

This whitelist does not contain any torrent or porn sites and should provide a good baseline whitelist for general audiences.

It can be downloaded here.


New DansGuardian Blacklist Update Script – by Brock M. Tice

Brock M. Tice has generously taken the time to completely rewrite the update script for use with our blacklists and DansGuardian. We have replaced the old script with this one, since the new one is far superior and there is essentially no use for the old one any more. Here it is.

It is also available for download compressed here.

#! /bin/bash
#
# DansGuardian Blacklist Updater Script v0.2 - Squidblacklist.org
# Thoughts or suggestions can be emailed to webmaster@squidblacklist.org
# 0.1->0.2 parameterization by Brock M. Tice
#
# Use this script to download and update Squidblacklist.org blacklists for DansGuardian.
# You may need to edit this for your specific environment.
# You may optionally wish to crontab this job so it will update at regular intervals.
#
# Place this script within the /etc/dansguardian/ directory.
# Next, chmod +x squid-update.sh . That will make the script executable.
#
# nano /etc/crontab and add the following line
# 01 0 * * * root /etc/dansguardian/squid-update.sh
#
# Available ACLs:
#
# all
# prime
# malicious
# usg
# piracy
# porn
# dating
# ads
# proxies
# gaming
# smedia
# gambling
# cp
# blasphemy
# file
# image
# video
# pharma-rx
# new-tlds
# chanology
# dyn
# freeweb
# racism

# This is the base url for the lists -- do not edit
BASEURL=http://www.squidblacklist.org/downloads/squidblacklists/dg/

# Place the names of the sub-lists you want here, syntax enabled=( list1 list2 list3 ... listN )
enabled=( prime malicious piracy porn dating ads proxies gaming gambling cp pharma-rx chanology racism )

# squidblacklist.org username and password
USERNAME=userhere
PASSWORD=passhere
LISTBASE=/etc/dansguardian/lists/blacklists/

# DansGuardian include file; it is regenerated from scratch on every run
DGINCLUDEFILE=/etc/dansguardian/squidblacklist-includes.list
: > "${DGINCLUDEFILE}"

echo "Beginning squidblacklist.org DansGuardian Blacklist Update procedure..."
cd /etc/dansguardian/ || { echo "ERROR: cannot change to /etc/dansguardian/" >&2; exit 1; }
echo "Downloading blacklists..."

# This loop uses the "enabled" list and the BASEURL to download, decompress, and move
# the list to the proper place for each specified list.
for listname in "${enabled[@]}"; do
  BASENAME="dg-${listname}"
  # Skip the list if the download fails, rather than unpacking a stale or partial archive
  if ! wget --http-user="${USERNAME}" --http-password="${PASSWORD}" --auth-no-challenge "${BASEURL}${BASENAME}.tar.gz"; then
    printf "WARNING: Skipping list %s, download of %s failed\n" "${listname}" "${BASEURL}${BASENAME}.tar.gz" >&2
    continue
  fi
  if ! tar -xf "${BASENAME}.tar.gz" || [ ! -f "${BASENAME}.acl" ]; then
    printf "WARNING: Skipping list %s, archive did not contain %s\n" "${listname}" "${BASENAME}.acl" >&2
    rm -f "${BASENAME}.tar.gz"
    continue
  fi
  if [ ! -d "${LISTBASE}${listname}" ] && [ ! -f "${LISTBASE}${listname}" ]; then
    mkdir -p "${LISTBASE}${listname}"
  elif [ -f "${LISTBASE}${listname}" ]; then
    printf "WARNING: Skipping list %s, %s already exists but is not a directory\n" "${listname}" "${LISTBASE}${listname}" >&2
    rm -f "${BASENAME}.tar.gz" "${BASENAME}.acl"
    continue
  fi
  mv "${BASENAME}.acl" "${LISTBASE}${listname}/domains"

  # update include file
  echo ".Include<${LISTBASE}${listname}/domains>" >> "${DGINCLUDEFILE}"

  rm -f "${BASENAME}.tar.gz"
done

echo "Reloading DansGuardian Service... "
service dansguardian restart
echo "Done."

echo "If you have not already, add .Include<${DGINCLUDEFILE}> to your /etc/dansguardian/lists/bannedsitelist"
