Friday, September 30, 2016

Update on using squidGuard Webproxy for Ubiquiti

For those who read my previous blog post about getting my feet wet with the webproxy package installed on our EdgeOS-based routers, I have some updated notes on a few things I didn't find well documented or readily available on the internet.

1) How to un-disable the webproxy url-filtering.
   If you need to disable the webproxy for one reason or another, it's not difficult. The command to do so is in the auto-completed command set:
   configure
   set service webproxy url-filtering squidguard disable
   commit

What wasn't documented well, as far as my searching went, was how to UN-disable it after you've made your changes and are ready to bring the webproxy back online. It took some thinking on my own, as I often do when stuck on a problem, but the logic was sound and I had nothing to lose: "disable" is just a configuration node, so deleting it should bring filtering back.
   configure
   delete service webproxy url-filtering squidguard disable
   commit

Success! The service was back online and I didn't have to rebuild my configuration.

2) How to save your /var/log mount point after turning on DPI.
After enabling DPI, as outlined in my other post, a lot of logging is turned on. Logging is good if you want to check on your traffic, but it gets excessive on a busy router. Your /var/log/messages log will overrun the mount point quickly if some housekeeping isn't done to curb it. In the GUI, go to your rulesets and uncheck logging for all of your accept rules. If you're lucky enough to have a server accepting all of your logs, you need not worry.

3) Making a separate proxy profile for separate subnets
Guest Wi-Fi subnets rarely need the same allowances as an internal network, so if a guest complains about not being able to get to break.com it's not a big deal. However, maybe someone internal needs it. What do you do?

You could make exceptions for the entire router for individual sites, but over time the list would grow and you'd be opening those sites up for everyone. Luckily, source-groups can handle the task: leave the default allows and blocks in place for everyone, and make exceptions per source-group.

set service webproxy url-filtering squidguard source-group guests address 192.168.2.2-192.168.2.254
set service webproxy url-filtering squidguard rule 10 source-group guests
set service webproxy url-filtering squidguard rule 10 allow-category adult

Once this has been committed and saved, you have allowed the adult category (the category break.com belongs to) for those IPs on the internal network. The same method can be used for other exceptions and restrictions.

If you have questions or comments please leave them below.

Ubiquiti EdgeOS Deep Packet Inspection engine (DPI)

Recently I wrote a blog post about how to use the built-in squidGuard package to block content passing through EdgeOS routers. There is a more efficient way to block some categories, though: DPI.

DPI is hardware offloaded and doesn't drag your CPU down as much on a busy router. The set of categories you can block is limited, though:

Business
Bypass-Proxies-and-Tunnels
File-Transfer
Games
Instant-messaging
Mail-and-Collaboration
P2P
Remote-Access-Terminals
Security-Update
Social-Network
Stock-Market
Streaming-Media
TopSites-Adult
TopSites-Arts
TopSites-Business
TopSites-Computers
TopSites-Games
TopSites-Health
TopSites-Home
TopSites-KidsnTeens
TopSites-News
TopSites-Recreation
TopSites-Reference
TopSites-Regional
TopSites-Science
TopSites-Shopping
TopSites-Society
TopSites-Sports
Voice-over-IP
Web
Web-IM

The categories I find most useful are Bypass-Proxies-and-Tunnels and P2P. By making a separate firewall ruleset for these two, you can keep casual users from hopping on your Wi-Fi and illegally downloading data you would be left holding the bag for. By turning on the DPI feature you can also see which protocols and categories are most used on your network, and by which top talkers.

With the lines of configuration below, I can say it has successfully caught and stopped users from downloading torrents on a particular network I manage.

set system traffic-analysis dpi enable
set system traffic-analysis export enable
set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES description "Drop Junk"
set firewall name DROP_SITES enable-default-log
set firewall name DROP_SITES rule 10 action drop
set firewall name DROP_SITES rule 10 application category P2P
set firewall name DROP_SITES rule 10 log enable
set firewall name DROP_SITES rule 10 description "P2P"
set firewall name DROP_SITES rule 15 action drop
set firewall name DROP_SITES rule 15 application category Bypass-Proxies-and-Tunnels
set firewall name DROP_SITES rule 15 log enable
set firewall name DROP_SITES rule 15 description Bypass-Proxies-and-Tunnels
set interfaces ethernet eth0 firewall in name DROP_SITES

After setting it all up you'll be able to see the rule stats counting up as traffic passes. Logged drops go into the default /var/log/messages log. Since they land in the general log, I strongly suggest you turn compression on for logrotate; otherwise /var/log will fill up quickly unless you send all of your logs to a remote server.
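As an added example, not from the original post: a small Python script that summarizes the DROP_SITES hits in /var/log/messages, counting drops per rule and per source address (your top P2P talkers) alongside the logged accepts that fill the mount point. The "[RULESET-RULE-ACTION]" log-prefix format and the sample lines are my assumptions, constructed here rather than taken from a real router.

```python
import re
from collections import Counter

# EdgeOS tags each logged firewall hit with "[RULESET-RULE-ACTION]" (action A/D/R)
# ahead of the netfilter key=value fields; this format is assumed from the
# Vyatta-style log prefix, so check it against your own /var/log/messages.
PREFIX_RE = re.compile(r"\[(?P<ruleset>\w+)-(?P<rule>\d+|default)-(?P<action>[ADR])\]")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (not real traffic); the last one is unrelated noise.
SAMPLE_LOG = """\
Sep 30 10:01:02 ubnt kernel: [DROP_SITES-10-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55 SRC=192.168.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=6881
Sep 30 10:01:03 ubnt kernel: [DROP_SITES-10-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55 SRC=192.168.2.10 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=51234 DPT=6881
Sep 30 10:01:04 ubnt kernel: [DROP_SITES-15-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:66 SRC=192.168.2.22 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=1194
Sep 30 10:01:05 ubnt kernel: [DROP_SITES-default-A]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:77 SRC=192.168.2.30 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=40002 DPT=443
Sep 30 10:01:06 ubnt sshd[1234]: Accepted publickey for admin from 192.168.1.5 port 55000
"""

def parse_firewall_line(line):
    """Return ruleset/rule/action and the key=value fields, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["fields"] = dict(FIELD_RE.findall(line[m.end():]))
    return hit

def summarize(log_text, ruleset="DROP_SITES"):
    """Count hits per (rule, action) and drops per source address for one ruleset."""
    per_rule, drops_by_src = Counter(), Counter()
    logged_accepts = 0  # logged accept rules are what fill /var/log fastest
    for line in log_text.splitlines():
        hit = parse_firewall_line(line)
        if hit is None or hit["ruleset"] != ruleset:
            continue
        per_rule[(hit["rule"], hit["action"])] += 1
        if hit["action"] == "D":
            drops_by_src[hit["fields"].get("SRC", "?")] += 1
        elif hit["action"] == "A":
            logged_accepts += 1
    return {"per_rule": per_rule, "top_talkers": drops_by_src.most_common(3),
            "logged_accepts": logged_accepts}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (rule, action), n in sorted(s["per_rule"].items()):
        print(f"rule {rule:>7} {action}: {n}")
    print("top dropped sources:", s["top_talkers"])
    print("logged accepts (turn these off):", s["logged_accepts"])
```

To use it on a real router, copy /var/log/messages off the box and pass its contents to summarize() instead of SAMPLE_LOG.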