URL Filtering and Blocking Crap with Vyatta

This week, I had a client who was having issues with his router. With years of use, he began to experience a degradation in its performance. Although the office is small, with 6 computers, his only requirements were a router that could block roughly 30 domains and still perform well.

I arrived at his office, and found he had purchased a shiny new Cisco Linksys WRT320N router for $100 from Futureshop. It looks sleek and sexy. I disconnected his D-Link DIR-615, and proceeded to set up the new one. After getting through the setup, enabling the wireless, and specifying which systems would obtain which IP address, I found that the router can only block 4 domains.

It’s situations like these where you realize there is a good solution for all of this, and it happens to start with Vyatta. I brought over a computer with a second network card installed, and ran through the main setup of the router. Now, for domain or URL filtering, my understanding is that there is no limit with Vyatta.

Run the commands below in configuration mode, using the address of the internal interface that connects the switch to the router as the listen address.

set service webproxy listen-address 10.10.0.1
set service webproxy url-filtering squidguard local-block twitter.com
set service webproxy url-filtering squidguard local-block facebook.com
set service webproxy url-filtering squidguard local-block youtube.com
commit
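
For a list of roughly 30 domains like the one described above, the commands can be generated from a text file instead of typed by hand. The script below is an added example, not part of the original post or of Vyatta; the function names `normalize_domain` and `gen_local_block` and the input format (one domain or URL per line, `#` for comments) are assumptions. Its output is meant to be reviewed and then pasted in configuration mode.

```shell
#!/bin/sh
# Added example: build Vyatta local-block commands from a plain-text domain list.
# Assumed input format: one domain or URL per line, '#' starts a comment.

# Print the bare lowercase hostname for one list entry.
# Status 1: not a valid hostname. Status 2: blank line or comment.
# The body runs in a subshell, so 'exit' only ends this function.
normalize_domain() (
    d=$(printf '%s' "$1" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
    [ -n "$d" ] || exit 2
    d=${d#*://}; d=${d%%/*}; d=${d%%:*}   # strip scheme, path and port
    # Strict allow-list: anything but letters, digits, '-' and '.' is refused,
    # so stray text never reaches the router configuration.
    printf '%s\n' "$d" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' || exit 1
    printf '%s\n' "$d"
)

# Read entries on stdin, print de-duplicated 'set' commands followed by 'commit'.
# Refused entries are reported on stderr instead of being dropped silently.
gen_local_block() (
    seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        if d=$(normalize_domain "$line"); then
            case "$seen" in *" $d "*) continue ;; esac
            seen="$seen$d "
            printf 'set service webproxy url-filtering squidguard local-block %s\n' "$d"
        elif [ $? -eq 1 ]; then
            printf 'refused: %s\n' "$line" >&2
        fi
    done
    printf 'commit\n'
)

# Constructed sample list (not from the original post).
sample_list() {
    cat <<'EOF'
# social media
Twitter.com
https://www.facebook.com/login
youtube.com
twitter.com            # duplicate once normalized
youtube.com extra words
not_a_domain
EOF
}

sample_list | gen_local_block
```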

There are also some extra cool features if you are looking for an added level of security. SquidGuard allows you to use blacklists with Squid, and the great thing about it is that it’s totally free. One of those cool features is the ability to block adware and spyware without having to figure out what to block. You can use the commands below to block by category using those blacklists.

set service webproxy listen-address 10.10.0.1
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category gambling
set service webproxy url-filtering squidguard block-category malware
set service webproxy url-filtering squidguard block-category phishing
set service webproxy url-filtering squidguard block-category porn
set service webproxy url-filtering squidguard block-category spyware
set service webproxy url-filtering squidguard block-category warez
commit

And with a few lines of commands, you can protect your network better.

14 Comments

  1. lorenze

    Hi, I’m just new to Vyatta and I was trying to configure the blocking by category using Squid. My problem is that when I try to commit after setting the following:
    set service webproxy listen-address x.x.x.x
    set service webproxy url-filtering squidguard block-category ads

    I got this error: warning no blocklist installed
    unknown block-category [ads] for policy default [default]

    How can I install the blocklist, and what should I do to clear this error?

    Thank you so much for any response; it would surely help a lot.

    Thanks,

    Regards,

    Lorenze

  2. Jason

    Hello lorenze,
    You have to first install the blocklist before you can go ahead and set up the content filtering. The command is: update webproxy blacklists
    You have to first run that command so that Vyatta can install and update the blocklist beforehand. Let me know how it goes.

  3. Josue

    Late reply to this post, but I found it wandering around and I feel the need to be polite…

    You should run “update webproxy blacklists” so it can download the blacklists that you need. You do this at the first level of the CLI before entering config mode (the one that displays the “$” at the end, for example user@router:~$).

    You probably already figured this out but this is for other people that see this some other time :)

  4. GVL

    @ lorenze

    You need to update your squidGuard blocklists:

    update webproxy blacklists

  5. alchikha

    Please, I use Vyatta web filtering.
    It seems to be good, but
    I need to let some people have full access and others limited access.
    I have Vyatta VC 5. edition.
    I found on the net that there is a command like sous-group that helps in my case, but it doesn’t work; it seems that I need Vyatta Plus edition.
    Is that right?
    And is there no way to install that option on my Vyatta VC system?

  6. wlodek_789

    And how to block https? – https://facebook.com

  7. Sam

    I know this thread is a little dated, but I have a custom IP list to block (that I have on a web server). Is there a way I can incorporate that into what you have above also?

    Thank you for the tip on squid!
    Sam

  8. Benjamin E. Nichols

    Squidblacklist.org is the world’s leading publisher of native ACL blacklists tailored specifically for Squid proxy, and alternative formats for all major third-party plugins as well as many other filtering platforms, including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more. Our adult blacklist contains over 1.2 million domains; we have unique blacklists that you will not find any other place.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

  9. Marlon

    Hello

    Thank you so much for this great tut. I am wondering whether there is a blacklist to block everything. I would like to block all internet access and let the users use only my domain and subdomains.

    Thank you so much.

  10. CCR

    When I try to update webproxy blacklist, after completion of the download it shows a Bad file descriptor message. What do I do to update the file list now?

  11. Roy

    Hi, it seems that I can’t get “set service webproxy url-filtering squidguard local-block facebook.com” and “set service webproxy url-filtering squidguard local-block twitter.com” to work. The sites can still be accessed by the computers in my network. Does this have to do with the HTTPS access on the said sites?

    Hope somebody can help me on this.

    Thanks.

  12. Roy

    Btw, I tried the default-action block, and all websites were blocked except for facebook.com and twitter.com. I’m not sure how this is happening.

    I don’t want to reformat and reinstall Vyatta, but if worst comes to worst I might do just that and reconfigure.

  13. Benjamin E. Nichols

    Squidblacklist.org is the world’s leading publisher of native ACL blacklists tailored specifically for Squid proxy, and alternative formats for all major third-party plugins as well as many other filtering platforms, including Squid Guard, DansGuardian, and ufDBGuard, as well as pfSense and more. Our adult blacklist contains over 1.1 million domains; we have unique blacklists that you will not find any other place.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

  14. Anuja

    Hi Guys,

    I have configured the web proxy in VirtualBox. I’m getting an error like: webproxy may not work properly without a name server.

    Can anyone please tell me what this is?
