Polskie Forum Użytkowników Debiana

Kod: Zaznacz cały

#    WELCOME TO SQUID 3.4.8

acl localnet src 10.0.0.0/8    # pierwsza sieć
acl localnet src 192.168.1.0/24    # pierwsza sieć

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 10.0.0.1:3128 intercept

cache_mem 2048 MB
maximum_object_size 4 MB
cache_dir ufs /var/spool/squid3 8192 16 256

cache_swap_low 85
cache_swap_high 95

coredump_dir /var/spool/squid3

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

dns_nameservers 194.204.159.1 194.204.152.34

Kod: Zaznacz cały

#!/bin/sh
######################################################################
#                                                                    #
#  This file was generated by 'firewall-config.pl' tool.             #
#  You can edit it by hands or use the script configuration.         #
#  Lines begining with '#' are regarded as comments.                 #
#                                                                    #
######################################################################

######################################################################
#                                                                    #
# firewall.config   1.0.6   by Jay                                   #
#                                                                    #
#  Copyright 2002 Jerome Nokin                                       #
#                                                                    #
#This program is free software; you can redistribute it and/or modify#
#it under the terms of the GNU General Public License as published by#
#the Free Software Foundation; either version 2 of the License, or   #
#(at your option) any later version.                                 #
#                                                                    #
#This program is distributed in the hope that it will be useful,     #
#but WITHOUT ANY WARRANTY; without even the implied warranty of      #
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the       #
#GNU General Public License for more details.                        #
#                                                                    #
#You should have received a copy of the GNU General Public License   #
#along with this program; if not, write to the Free Software         #
#Foundation, Inc., 59 Temple Place, Suite 330, Boston,               #
#MA  02111-1307  USA                                                 #
#                                                                    #
######################################################################






#####################################################################
#  INTERFACES                                                       #  
#####################################################################

### LAN Interfaces
# May be more than one (ex: (eth0 eth1))
# Please leave interfaces between () and no ""
# Interfaces must be up for ip dection
INT_IFACE=(eth1 eth2)

### External Interface
# May be more than one (ex: "eth2 eth3")
# Interfaces must be up for ip dection
EXT_IFACE="eth0"





#####################################################################
#           TRAFFIC                                                 #
#####################################################################

### Your Friends
# DHCP_SERVER is the DHCP of your IPS, leave blank if don't know it 
# or if you don't use DHCP.
# (you can find it in your "pump" log)
# DNS is the DNS of your ISP (separated with spaces)
DNS="194.204.159.1 194.204.152.34"
DHCP_SERVER="10.0.0.1"


### Allow connections from the World ..
# Give the list of TCP/UDP ports that you want to allow 
# on your box (and for which interface).
# Syntax: "<iface1>;port1,port2,port3 <iface2>;<port1>,<port2>"
# 
# Example: "ppp0;22,80 ppp1;25,110"
TCP_EXT_IN="eth0;443,22"
UDP_EXT_IN=""


### Allow connections from the LAN ..
# Leave TCP_INT_IN="*" for allow all TCP connections from 
# youur LAN (idem for UDP), if not :  
#
# Give the list of TCP/UDP ports that you want to allow on your 
# box (and for which interface). '*' mean all ports
#
# Syntax: "<iface1>;<port1>,<port2>,<port3> <iface2>;<port1>,<port2>"
#
# Example: "eth0;22,80,8080 eth1;*"
#
# Remeber that allowing ssh connections is always a good idea 
# when you're testing this feature ... ;)
TCP_INT_IN="*"
UDP_INT_IN="*"


### TCP & UDP Forward
# ( separated with spaces, 
#   ex: "eth0>20100:21100>192.168.0.4 eth1>21>192.168.0.6" )
# syntax:
#   iface[,iface]>dport[:dport]>dest-ip[:dport]   
#   
#
# example:
#  - redirect port 21 from eth0 and eth1 to 192.168.0.3
#     "eth0,eth1>21>192.168.0.3"
#
#  - redirect port 2121 from ppp0 to 192.168.0.3 on port 21
#     "ppp0>2121>192.168.0.3:21"
TCP_FORWARD=""
UDP_FORWARD=""





#####################################################################
#  POST / PRE Scripts                                               # 
#####################################################################

### POST START script (run after the 'start')
# Add a list of scripts separated by a ;
# ps: 'restart' = 'stop' + 'start'
POST_START=""

### PRE START script (run before the 'start')
PRE_START=""

### POST STOP script (run after the 'stop')
POST_STOP=""

### PRE STOP script (run before the 'stop')
PRE_STOP=""





#####################################################################
# OPTIONS                                                           #
#####################################################################

### Do you have ADSL/Cable/IDSN/... ?
# Enable this option if you have a dynamic ip.
# Your established connections will not be lost
# during a reconnection .
DYN_IP="0"

### Share Internet over your LAN ?
NAT="1"

### This option is necessary if you want to use IRC on your LAN 
IRC="0"

### Your Linux box is a DHCP server for the LAN ?
USE_DHCP_SERVER="1"

### Transparents Proxy
# Write the proxies ports of your LAN
PROXY_HTTP="8080"
PROXY_FTP=""

### Can we be pinged by the world ?
# remember that the LAN can Always ping the server
PING_FOR_ALL="0"

### Hosts allowed to ping the linux box (only if PING_FOR_ALL = "0")
ALLOWED_PING=""

### Enable TCP control
TCP_CONTROL="1"

### Enable ICMP Control
ICMP_CONTROL="0"


### Give wich ICMP you want to drop (separate with spaces)
# Please enter the real name of the icmp type
# ex: network-unreachable, host-unreachable, ... 
# (see 'iptables -p icmp --help' for the list)
ICMP_TO_DENY=""

### Enable Spoofing control (bad ips)
SPOOFING_CONTROL="1"

### Set firewall in verbose mode ?
alias ECHO="#echo"

### Logging Options
LOGLEVEL="info"
LOG_DROPPED="1"
LOG_MARTIANS="0"
LOG_SYNFLOOD="1"
LOG_PINGFLOOD="1"
LOG_SPOOFED="1"
LOG_ECHO_REPLY_TO_OUTSIDE="1"
LOG_INVALID="1"

### ULOG
# If you don't want to write all dropped packets to your syslog files,
# you can use ULOGD. Give only the 'nlgroup' value of your ulogd.conf.
# Leave blank if you don't want to use ULOGD.
LOG_ULOG_NLGROUP=""





#####################################################################
#       Hosts Blocking List                                         #
#####################################################################
# IP and MAC control                                                #
# Reject spyware, doubleclick and co.                               #
# Give the target of a (or more) ip file                            #
#                                                                   #
# (SEE README & SPYWARES!)                                          #
#####################################################################


####### Directory where input and output files are located
# default /var/lib/firewall-jay/
DENY_DIR="/var/lib/firewall-jay"

####### ULOG
# If you don't want to write all dropped packets to your syslog files,
# you can use ULOGD. Give only the 'nlgroup' value of your ulogd.conf. 
# Leave blank if you don't want to use ULOGD.
DENY_ULOG_NLGROUP=""



####### Incoming traffic 'from' IPs
# Enable (1) / Disable (0)
DENY_IP_IN="1"

# Filename of ip files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_IP_IN_FILES="block-ip-in.user"

# Log activity
DENY_IP_IN_LOG="1"



####### Outgoing traffic 'to' IPs
DENY_IP_OUT="1"

# Filename of ip files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_IP_OUT_FILES="block-ip-out.user"

# Log activity
DENY_IP_OUT_LOG="1"



####### Incoming traffic 'from' MACs
# Enable (1) / Disable (0)
DENY_MAC_IN="0"

# Filename of mac files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_MAC_IN_FILES=""

# Log activity
DENY_MAC_IN_LOG="0"





#####################################################################
#    Type Of Service (TOS)                                          #
# Set better performance to your bandwidth                          #
#####################################################################

# Enable (1) / Disable (0)
TOS="0"

# Give services which require minimum delay like 
# interactives services (ssh , telnet, ...)
TCP_MIN_DELAY=""
UDP_MIN_DELAY=""

# Give services which require maximum throughput (ftp-data, ...)
TCP_MAX_THROUGHPUT=""
UDP_MAX_THROUGHPUT=""





#####################################################################
#  VPN  - VTUND                                                     #
#####################################################################

### Give the devices used for tunneling
# (separated with spaces, ex: "tun0 tun1")
TUN_IFACE=""

### Give the subnet allowed in your LAN
# (separated with spaces, ex:"192.168.2.0/24 192.168.4.0/24")
TUN_SUBNET=""

### Give the ports allowed for TUN_SUBNET
# (separated with spaces)
# "*" give access to all ports
TUN_TCP=""
TUN_UDP=""






#####################################################################
#  VPN  - PPTP                                                      #
#                                                                   #
#  --- Only PPTP server on localhost work for this time ----        #
#                                                                   #
# Your are able to set up a pptp server on this                     #
# localhost, or on a LAN behind this firewall                       #
#####################################################################

# PPTP server on LOCALHOST
##########################
# Enable (1) / Disable (0)
PPTP_LOCALHOST="0"

### Port of Pptp server (default 1723)
PPTP_LOCALHOST_PORT="1723"

### Incoming connections from clients are on which interface(s) ?
PPTP_LOCALHOST_IFACES=""

### Give the subnet of your VPN (ex: 192.168.10.0/24)
PPTP_LOCALHOST_SUBNET_VPN=""

### Which subnets except your new Virtual Network can use 
# the VPN connection (ex: the local subnet of your client)
PPTP_LOCALHOST_SUBNET_ALLOWED=""

### Do you want to allow the access to your LAN from the VPN ?
PPTP_LOCALHOST_ACCESS_LAN="0"

### Do you want to allow the access to your Internet connection from the VPN ?
PPTP_LOCALHOST_ACCESS_INET="0"



# PPTP server on LAN 
# NOT IMPLEMENTED YET
#####################
# Enable (1) / Disable (0)
PPTP_LAN="0"

### Ip of Ipsec server (ex: 192.168.2.2)
PPTP_LAN_IP=""

### Port of Pptp server (default 1723)
PPTP_LAN_PORT="1723"





#####################################################################
#  VPN  - IPSEC                                                     #
#                                                                   #
# Your are able to set up a ipsec server on this localhost,         #
# or on a LAN behind this firewall                                  # 
#####################################################################

# IPSEC server on LOCALHOST
# NOT IMPLEMENTED YET
###########################
# Enable (1) / Disable (0)
IPSEC_LOCALHOST="0"
IPSEC_LOCALHOST_IFACES=""

### Port of Ipsec server (default 500)
IPSEC_LOCALHOST_PORT="500"
IPSEC_LOCALHOST_SUBNET_VPN=""




# IPSEC server on LAN
# NOT IMPLEMENTED YET
######################
# Enable (1) / Disable (0)
IPSEC_LAN="0"

### Ip of Ipsec server (ex: 192.168.2.2)
IPSEC_LAN_IP=""

### Port of Ipsec server (default 500)
IPSEC_LAN_PORT="500"









#####################################################################
# NETFILTER & IPROUTE                                               #
#####################################################################
# If you want to mark packets for playing                           #
# with iproute2, give port/ip to be marked                          #
#                                                                   #
#       MARK_TCP="port1>mark1 port2>mark2 ..."                      #
#  ex.  MARK_TCP="110>1 30000:30100>2"                              #
#                                                                   #
# MARK_IP  -> mark packets comming "from" IP                        #
# MARK_TCP -> mark packets destined "to" tcp port                   #
# MARK_UDP -> mark packets destined "to" udp port                   #
##################################################################### 

# Enable (1) / Disable (0)
MARK="0"
MARK_IP=""
MARK_TCP=""
MARK_UDP=""





#####################################################################
# CUSTOM RULES FILE                                                 #
#####################################################################
# Give the path to the custom rules file                            #
# The file will be started like a script in                         #
# the beginning of the firewall                                     #
#                                                                   #
# Default : /var/lib/firewall-jay/firewall-custom.rules             #
#####################################################################

# 1 (enable) / 0 (disable) 
CUSTOM_RULES="0"

# Path to custom file
CUSTOM_RULES_FILE="/var/lib/firewall-jay/firewall-custom.rules"

Kod: Zaznacz cały

ERROR: No forward-proxy port configured

Kod: Zaznacz cały

http_port 10.0.0.1:3128 intercept

Kod: Zaznacz cały

### Transparents Proxy 
# Write the proxies ports of your
 LAN PROXY_HTTP="8080"
 

Kod: Zaznacz cały

# Network Settings
# 
# the IP that DansGuardian listens on.  If left blank DansGuardian will
# listen on all IPs.  That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip =

# the port that DansGuardian listens to.
filterport = 3128

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 8080

Kod: Zaznacz cały

squid -v

Kod: Zaznacz cały

Sep 29 10:25:28 bib-fw e2guardian[2705]: Proxy not responding - still waiting after 14401 seconds
Sep 29 10:35:28 bib-fw e2guardian[2705]: Proxy not responding - still waiting after 15001 seconds
Sep 29 10:45:28 bib-fw e2guardian[2705]: Proxy not responding - still waiting after 15601 seconds
Sep 29 10:55:28 bib-fw e2guardian[2705]: Proxy not responding - still waiting after 16201 seconds
Sep 29 11:05:28 bib-fw e2guardian[2705]: Proxy not responding - still waiting after 16801 seconds

Kod: Zaznacz cały

2015.9.29 11:20:47 - 10.0.0.2 [URL]http://www.onet.pl[/URL]  GET 0 0  1 403 text/html     - - 
2015.9.29 11:20:47 - 10.0.0.2 [URL]http://www.onet.pl/favicon.ico[/URL]  GET 0 0  1 403 text/html     - - 
2015.9.29 11:20:47 - 10.0.0.2 [URL]http://www.onet.pl/favicon.ico[/URL]  GET 0 0  1 403 text/html     - - 
2015.9.29 11:20:50 - 10.0.0.2 [URL]http://www.onet.pl[/URL]  GET 0 0  1 403 text/html     - - 
2015.9.29 11:20:51 - 10.0.0.2 [URL]http://www.onet.pl[/URL]  GET 0 0  1 403 text/html     - - 

Kod: Zaznacz cały

2015/09/29 11:20:51 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: [url=http://www.onet.pl]www.onet.pl[/URL]
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: identity,gzip,deflate
DNT: 1
Cookie: onet_cinfo=1; onet_uoi=v1%3Dradrad%2540poczta.onet.pl%26l%3Dradrad%2540poczta.onet.pl%26n%3D1198973%26s%3D1%26k%3D659548%26p%3D0%26z%3D0; onet_cinf=1; ea_uuid=201509100803152697300747
Via: 1.0 bib-fw (squid/3.4.8)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=0
Connection: keep-alive

Kod: Zaznacz cały

1443518447.020      7 127.0.0.1 TCP_MISS/403 349 GET [URL]http://www.onet.pl/[/URL] - HIER_NONE/- text/html
1443518447.020     35 127.0.0.1 TCP_MISS/403 441 GET [URL]http://www.onet.pl/[/URL] - ORIGINAL_DST/127.0.0.1 text/html
1443518447.197      0 127.0.0.1 TCP_MISS/403 349 GET [URL]http://www.onet.pl/favicon.ico[/URL] - HIER_NONE/- text/html
1443518447.197      0 127.0.0.1 TCP_MISS/403 441 GET [URL]http://www.onet.pl/favicon.ico[/URL] - ORIGINAL_DST/127.0.0.1 text/html
1443518447.233      0 127.0.0.1 TCP_MISS/403 349 GET [URL]http://www.onet.pl/favicon.ico[/URL] - HIER_NONE/- text/html
1443518447.233      0 127.0.0.1 TCP_MISS/403 441 GET [URL]http://www.onet.pl/favicon.ico[/URL] - ORIGINAL_DST/127.0.0.1 text/html
1443518450.403      0 127.0.0.1 TCP_MISS/403 349 GET [URL]http://www.onet.pl/[/URL] - HIER_NONE/- text/html
1443518450.403      1 127.0.0.1 TCP_MISS/403 441 GET [URL]http://www.onet.pl/[/URL] - ORIGINAL_DST/127.0.0.1 text/html
1443518451.577      0 127.0.0.1 TCP_MISS/403 349 GET [URL]http://www.onet.pl/[/URL] - HIER_NONE/- text/html
1443518451.577      0 127.0.0.1 TCP_MISS/403 441 GET [URL]http://www.onet.pl/[/URL] - ORIGINAL_DST/127.0.0.1 text/html

Kod: Zaznacz cały

# e2guardian config file for version 3.2.0

# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3. When used, e2guardian will display the HTML file instead of
# using the perl cgi script.  This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
#
languagedir = '/etc/e2guardian/languages'

# language to use from languagedir.
language = 'polish'

# Logging Settings
#
# 0 = none  1 = just denied  2 = all text based  3 = all requests
loglevel = 2

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through.  Can be useful for diagnosing
# why a site gets through the filter.
# 0 = never log exceptions
# 1 = log exceptions, but do not explicitly mark them as such
# 2 = always log & mark exceptions (default)
logexceptionhits = 2

# Log File Format
# 1 = Dansguardian format (space delimited)
# 2 = CSV-style format
# 3 = Squid Log File Format
# 4 = Tab delimited
# Protex format type 1 – Tab delimited, squid style format with extra fields
# for filter block/result codes, reasons, filter group, and system name –
# used in arrays so that combined logs show originating server.
# Protex format type 2 – Same format as above but system name field is blank
# – used in stand-alone systems.
# 5 = Protex format
# 6 = Protex format with server field blanked

logfileformat = 1

# truncate large items in log lines
# allowable values 10 to 32000
# default 2000
# unlimited not longer allowed - 0 will now set default of 2000 
#maxlogitemlength = 2000

# anonymize logs (blank out usernames & IPs)
#anonymizelogs = off

# Syslog logging
#
# Use syslog for access logging instead of logging to the file
# at the defined or built-in "loglocation"
#logsyslog = off

# Log file location
# 
# Defines the log directory and filename.
#loglocation = '/var/log/e2guardian/access.log'

# Dymamic statistics log file location
#
# Defines the dstats file directory and filename.
# Once every 'dstatinterval' seconds, stats on number of children, in use and free, number of 
# connections and connections per second are written to this
# file. Format is similar to sar.
# Default is not to write stats.
#dstatlocation = '/var/log/e2guardian/dstats.log'

# Interval between stats output
# Default 300 = 5 mins
# Minimum 60 
# Maximum 3600 = 1 hour
#dstatinterval = 300  # = 5 minutes

# Statistics log file location
#
# Defines the stat file directory and filename.
# Only used in conjunction with maxips > 0
# Once every 3 minutes, the current number of IPs in the cache, and the most
# that have been in the cache since the daemon was started, are written to this
# file. IPs persist in the cache for 7 days.
#statlocation = '/var/log/e2guardian/stats'


# Network Settings
# 
# the IP that e2guardian listens on.  If left blank e2guardian will
# listen on all IPs.  That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
# If mapportstoips is 'on' you can have the same IP twice so long as 
# it has a different port.
filterip = 10.0.0.1

# the ports that e2guardian listens to.  Specify one line per filterip
# line.  If both mapportstoips and mapauthtoports are set to 'on'
# you can specify different authentication mechanisms per port but
# only if the mechanisms can co-exist (e.g. basic/proxy auth can't)
filterports = 8080


# Map ports to IPs
# If enabled map filterports to filterip - number of filterports must then be same as
# number of filterip
# If disabled will listen on all filterports on all filterips.
# on (default) | off
#mapportstoips= off

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port e2guardian connects to proxy on
proxyport = 3129

# Proxy timeout 
# Set tcp timeout between the Proxy and e2guardian 
# Min 5 - Max 100
proxytimeout = 20

#Proxy failure log interval
# The interval between log status entries when proxy is not responding
# minimum is proxytimeout - maximum 3600 (= 1 hour)
# default = 600  (= 10 mins)
#proxyfailureloginterval = 600

# Proxy header exchange
# Set timeout between the Proxy and e2guardian 
# Min 20 - Max 300
proxyexchange = 20

# Pconn timeout
# how long a persistent connection will wait for other requests
# squid apparently defaults to 1 minute (persistent_request_timeout),
# so wait slightly less than this to avoid duff pconns.
# Min 5 - Max 300
pcontimeout = 55

# Life depends on Proxy 
# if proxytimeout is expired, E2 is killed 
# usefull for load balancer or proxy pac failover
# off (default) | on
# alivewithproxy = on

# Whether to retrieve the original destination IP in transparent proxy
# setups and check it against the domain pulled from the HTTP headers.
#
# Be aware that when visiting sites which use a certain type of round-robin
# DNS for load balancing, DG may mark requests as invalid unless DG gets
# exactly the same answers to its DNS requests as clients.  The chances of
# this happening can be increased if all clients and servers on the same LAN
# make use of a local, caching DNS server instead of using upstream DNS
# directly.
#
# See [URL]http://www.kb.cert.org/vuls/id/435052[/URL]
# on (default) | off
#!! Not compiled !! originalip = on

# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image.  This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# on (default) | off
usecustombannedimage = on
custombannedimagefile = '/usr/share/e2guardian/transparent1x1.gif'


#Banned flash replacement
usecustombannedflash = on
custombannedflashfile = '/usr/share/e2guardian/blockedflash.swf'



# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users.  The value must be 1 or more.
# e2guardian will automatically look for e2guardianfN.conf where N is the filter
# group.  To assign users to groups use the filtergroupslist option.  All users default
# to filter group 1.  You must have some sort of authentication to be able to map users
# to a group.  The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
filtergroups = 1
filtergroupslist = '/etc/e2guardian/lists/filtergroupslist'



# Authentication files location
bannediplist = '/etc/e2guardian/lists/bannediplist'
exceptioniplist = '/etc/e2guardian/lists/exceptioniplist'

# Per-Room definition directory
# A directory containing text files containing the room's name followed by IPs or ranges
# and optionaly site and url lists
# Think of it as bannediplist and/or exceptions on crack
# perroomdirectory = '/etc/e2guardian/lists/rooms/'

# Show weighted phrases found
# If enabled then the phrases found that made up the total which excedes
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on

# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
# 
# IMPORTANT: Note that setting this to "0" turns off all features which
# extract phrases from page content, including banned & exception
# phrases (not just weighted), search term filtering, and scanning for
# links to banned URLs.
#
weightedphrasemode = 2



# Positive (clean) result caching for URLs
# Caches good pages so they don't need to be scanned again.
# It also works with AV plugins.
# 0 = off (recommended for ISPs with users with disimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
# If you're using an AV plugin then use at least 5000.
urlcachenumber = 1000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage = 900



# Cache for content (AV) scan results as 'clean'
# By default, to save CPU, files scanned and found to be
# clean are inserted into the clean cache and NOT scanned
# again for a while.  If you don't like this then choose
# to disable it.
# on = cache results; do not re-scan
# off = do not cache; always re-scan
# (on|off) default = on.
scancleancache = on



# Smart, Raw and Meta/Title phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# Meta/Title is where only meta and title tags are phrase filtered (v. quick)
# CPU usage can be effectively halved by using setting 0 or 1 compared to 2
# 0 = raw only
# 1 = smart only
# 2 = both of the above (default)
# 3 = meta/title
phrasefiltermode = 2

# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases.  However this can break Big5 and
# other 16-bit texts.  If needed preserve the case.  As of version 2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
# 2 = scan first in lower case, then in original case
preservecase = 0

# Note:
# If phrasefiltermode and preserve case are both 2, this equates to 4 phrase
# filtering passes. If you have a large enough userbase for this to be a
# worry, and need to filter pages in exotic character encodings, it may be
# better to run two instances on separate servers: one with preservecase 1
# (and possibly forcequicksearch 1) and non ASCII/UTF-8 phrase lists, and one
# with preservecase 0 and ASCII/UTF-8 lists.



# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable.  However this can break Big5 and other 16-bit texts.
# off = disabled (default)
# on = enabled
hexdecodecontent = off



# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# off (default) | on (Big5 compatible)
forcequicksearch = off



# Reverse lookups for banned site and URLs.
# If set to on, e2guardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists.  This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off



# Reverse lookups for banned and exception IP lists.
# If set to on, e2guardian will look up the forward DNS for the IP
# of the connecting computer.  This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# If a client computer is matched against an IP given in the lists, then the
# IP will be recorded in any log entries; if forward DNS is successful and a
# match occurs against a hostname, the hostname will be logged instead.
# It will reduce searching speed somewhat so unless you have a local DNS server, 
# leave it off.
reverseclientiplookups = off


# Perform reverse lookups on client IPs for successful requests.
# If set to on, e2guardian will look up the forward DNS for the IP
# of the connecting computer, and log host names (where available) rather than
# IPs against requests.
# This is not dependent on reverseclientiplookups being enabled; however, if it
# is, enabling this option does not incur any additional forward DNS requests.
logclienthostnames = on


# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a .processed file exists for an item (e.g. domain/URL) list, then that
# will be used instead, if it is up to date (i.e. newer than the unprocessed
# list file).
# This can increase process start speed on slow computers.
# Fast computers do not need this option.
# on | off, default = on
createlistcachefiles = on


# Prefer cached list files
# If enabled, e2guardian will always prefer to load ".processed" versions of
# list files, regardless of their time stamps relative to the original
# unprocessed lists.  This is not generally useful unless you have a specific
# list update process which results in - for example - up-to-date, pre-sorted
# ".processed" list files with dummy unprocessed files.
# on | off, default = off
prefercachedlists = off


# Max content filter size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The value must not be higher than maxcontentramcachescansize
# The size is in Kibibytes - eg 2048 = 2Mb
# use 0 to set it to maxcontentramcachescansize
maxcontentfiltersize = 256



# Max content ram cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size of file that DG will download and cache
# in RAM.  After this limit is reached it will cache to disk
# This value must be less than or equal to maxcontentfilecachescansize.
# The size is in Kibibytes - eg 10240 = 10Mb
# use 0 to set it to maxcontentfilecachescansize
# This option may be ignored by the configured download manager.
maxcontentramcachescansize = 2000



# Max content file cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size file that DG will download
# so that it can be scanned or virus checked.
# This value must be greater or equal to maxcontentramcachescansize.
# The size is in Kibibytes - eg 10240 = 10Mb
maxcontentfilecachescansize = 20000


# File cache dir
# Where DG will download files to be scanned if too large for the
# RAM cache.
filecachedir = '/tmp'


# Delete file cache after user completes download
# When a file gets save to temp it stays there until it is deleted.
# You can choose to have the file deleted when the user makes a sucessful
# download.  This will mean if they click on the link to download from
# the temp store a second time it will give a 404 error.
# You should configure something to delete old files in temp to stop it filling up.
# on|off (defaults to on)
deletedownloadedtempfiles = on



# Initial Trickle delay
# This is the number of seconds a browser connection is left waiting
# before first being sent *something* to keep it alive.  The
# *something* depends on the download manager chosen.
# Do not choose a value too low or normal web pages will be affected.
# A value between 20 and 110 would be sensible
# This may be ignored by the configured download manager.
initialtrickledelay = 20



# Trickle delay
# This is the number of seconds a browser connection is left waiting
# before being sent more *something* to keep it alive.  The
# *something* depends on the download manager chosen.
# This may be ignored by the configured download manager.
trickledelay = 10



# Download Managers
# These handle downloads of files to be filtered and scanned.
# They differ in the method they deal with large downloads.
# Files usually need to be downloaded 100% before they can be
# filtered and scanned before being sent on to the browser.
# Normally the browser can just wait, but with content scanning,
# for example to AV, the browser may timeout or the user may get
# confused so the download manager has to do some sort of
# 'keep alive'.
#
# There are various methods possible but not all are included.
# The author does not have the time to write them all so I have
# included a plugin systam.  Also, not all methods work with all
# browsers and clients.  Specifically some fancy methods don't
# work with software that downloads updates.  To solve this,
# each plugin can support a regular expression for matching
# the client's user-agent string, and lists of the mime types
# and extensions it should manage.
#
# Note that these are the matching methods provided by the base plugin
# code, and individual plugins may override or add to them.
# See the individual plugin conf files for supported options.
#
# The plugins are matched in the order you specify and the last
# one is forced to match as the default, regardless of user agent
# and other matching mechanisms.
#
downloadmanager = '/etc/e2guardian/downloadmanagers/fancy.conf'
#downloadmanager = '/etc/e2guardian/downloadmanagers/trickle.conf'
downloadmanager = '/etc/e2guardian/downloadmanagers/default.conf'



# Content Scanners (Also known as AV scanners)
# These are plugins that scan the content of all files your browser fetches
# for example to AV scan.  The options are limitless.  Eventually all of
# e2guardian will be plugin based.  You can have more than one content
# scanner. The plugins are run in the order you specify.
# This is one of the few places you can have multiple options of the same name.
#
# Some of the scanner(s) require 3rd party software and libraries eg clamav.
# See the individual plugin conf file for more options (if any).
#
#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'
#!! Not compiled !! contentscanner = '/etc/e2guardian/contentscanners/avastdscan.conf'
#!! Not compiled !! contentscanner = '/etc/e2guardian/contentscanners/kavdscan.conf'
#contentscanner = '/etc/e2guardian/contentscanners/icapscan.conf'
#contentscanner = '/etc/e2guardian/contentscanners/commandlinescan.conf'



# Content scanner timeout
# Some of the content scanners support using a timeout value to stop
# processing (eg AV scanning) the file if it takes too long.
# If supported this will be used.
# The default of 60 seconds is probably reasonable.
contentscannertimeout = 60



# Content scan exceptions
# If 'on' exception sites, urls, users etc will be scanned
# This is probably not desirable behavour as exceptions are
# supposed to be trusted and will increase load.
# Correct use of grey lists are a better idea.
# (on|off) default = off
contentscanexceptions = off



# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be used per port in the order
# filterports are listed.
#
# If you do not use multiple filter groups, you need not specify this option.
#
#authplugin = '/etc/e2guardian/authplugins/proxy-basic.conf'
#authplugin = '/etc/e2guardian/authplugins/proxy-digest.conf'
#authplugin = '/etc/e2guardian/authplugins/proxy-ntlm.conf'
#authplugin = '/etc/e2guardian/authplugins/ident.conf'
#authplugin = '/etc/e2guardian/authplugins/ip.conf'

# Map auth to ports
# If enabled map auth plugins to ips/ports - number of authplugins must then be same as
# number of ports
# If disabled scan authplugins on all ports - number of authplugins can then be different
#  to number of ports
# on (default) | off
#mapauthtoports = off


# Re-check replaced URLs
# As a matter of course, URLs undergo regular expression search/replace (urlregexplist)
# *after* checking the exception site/URL/regexpURL lists, but *before* checking against
# the banned site/URL lists, allowing certain requests that would be matched against the
# latter in their original state to effectively be converted into grey requests.
# With this option enabled, the exception site/URL/regexpURL lists are also re-checked
# after replacement, making it possible for URL replacement to trigger exceptions based
# on them.
# Defaults to off.
recheckreplacedurls = off



# Misc settings

# if on it adds an X-Forwarded-For: <clientip> to the HTTP request
# header.  This may help solve some problem sites that need to know the
# source ip. on | off
forwardedfor = off


# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and e2guardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off

# as mentioned above, the headers can be easily spoofed in order to fake the
# request origin by setting the X-Forwarded-For header. If you have the
# "usexforwardedfor" option enabled, you may want to specify the IPs from which
# this kind of header is allowed, such as another upstream proxy server for
# instance If you want authorize multiple IPs, specify each one on an individual
# xforwardedforfilterip line.
# xforwardedforfilterip = 


# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored.  These are logged by syslog.  It is safe to leave
# it on or off
logconnectionhandlingerrors = on



# Fork pool options

# If on, this causes DG to write to the log file whenever child processes are
# created or destroyed (other than by crashes). This information can help in
# understanding and tuning the following parameters, but is not generally
# useful in production.
logchildprocesshandling = off

# sets the maximum number of processes to spawn to handle the incoming
# connections.  Max value usually 250 depending on OS.
# On large sites you might want to try 380.
maxchildren = 180


# sets the minimum number of processes to spawn to handle the incoming connections.
# On large sites you might want to try 64.
minchildren = 20


# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 16.
minsparechildren = 16


# sets the minimum number of processes to spawn when it runs out
# On large sites you might want to try 20.
preforkchildren = 10


# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 32


# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 500


# sets the number of child process to kill/fork at each 5 sec interval.
# during at gentle restart
# defaults to preforkchildren
# gentlechunk=10


# Sets the maximum number client IP addresses allowed to connect at once.
# Use this to set a hard limit on the number of users allowed to concurrently
# browse the web. Set to 0 for no limit, and to disable the IP cache process.
maxips = 0


# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of e2guardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
# 
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = '/tmp/.e2guardianipc'

# URL list IPC filename
# 
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = '/tmp/.e2guardianurlipc'

# IP list IPC filename
#
# Defines IP list IPC server directory and filename, for communicating with the client
# IP cache process.
ipipcfilename = '/tmp/.e2guardianipipc'

# PID filename
# 
# Defines process id directory and filename.
#pidfilename = '/var/run/e2guardian.pid'

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off (defaults to off)
nodaemon = off

# Disable logging process
# on|off (defaults to off)
nologger = off

# Enable logging of "ADs" category blocks
# on|off (defaults to off)
logadblocks = off

# Enable logging of client User-Agent
# Some browsers will cause a *lot* of extra information on each line!
# on|off (defaults to off)
loguseragent = off

# Daemon runas user and group
# This is the user that e2guardian runs as.  Normally the user/group nobody.
# Uncomment to use.  Defaults to the user set at compile time.
# Temp files created during virus scanning are given owner and group read
# permissions; to use content scanners based on external processes, such as
# clamdscan, the two processes must run with either the same group or user ID.
#daemonuser = 'e2guardian'
#daemongroup = 'e2guardian'

# Soft restart
# When on this disables the forced killing off all processes in the process group.
# This is not to be confused with the -g run time option - they are not related.
# on|off (defaults to off)
softrestart = off

# Mail program
# Path (sendmail-compatible) email program, with options.
# Not used if usesmtp is disabled (filtergroup specific).
mailer = '/usr/sbin/sendmail -t'

#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
# if left blank openssl default ca certificate bundle will be used
#Leave as default unless you want to load non-default cert bundle
#sslcertificatepath = ''

#SSL man in the middle
#CA certificate path
#Path to the CA certificate to use as a signing certificate for 
#generated certificates.
# default is blank - required if ssl_mitm is enabled.
#cacertificatepath = '/home/stephen/dginstall/ca.pem'

#CA private key path
#path to the private key that matches the public key in the CA certificate.
# default is blank - required if ssl_mitm is enabled.
#caprivatekeypath = '/home/stephen/dginstall/ca.key'

#Cert private key path
#The public / private key pair used by all generated certificates
# default is blank - required if ssl_mitm is enabled.
#certprivatekeypath = '/home/stephen/dginstall/cert.key'

#Generated cert path
#The location where generated certificates will be saved for future use.
#(must be writable by the dg user)
# default is blank - required if ssl_mitm is enabled.
#generatedcertpath = '/home/stephen/dginstall/generatedcerts/'

#Warning: if you change the cert start/end time from default on a running 
#         system you will need to clear the generated certificate 
#         store and also may get problems on running client browsers

#Generated cert start time (in unix time) - optional
# defaults to 1417872951 = 6th Dec 2014
# generatedcertstart = 1417872951 

#Generated cert end time (in unix time) - optional
# defaults to generatedcertstart + 10 years
#genratedcertend =
# generatedcertstart =

# monitor helper path 
# If defined this script/binary will be called with start or stop appended as follows:-
# 
# At start after e2guardian has started monitorstart children with ' start' appended
# When e2guardian is stopping with ' stop' appended
# If cache stops responding with ' stop' appended
# When cache resumes with ' start' appended
# monitorhelper = '/usr/local/bin/mymonitor'

# monitor flag prefix path 
# If defined path will be used to generate flag files as follows:-
# 
# At start after e2guardian has started monitorstart children with 'running' appended
# When e2guardian is stopping with 'paused' appended
# If cache stops responding with 'paused' appended
# When cache resumes with 'running' appended

# monitorstart - defaults to minchildren
# valid values between 1 and minchildren
# monitorstart = 0

Kod: Zaznacz cały

tcp6   0   0   [::]3129   LISTEN   root   (squid-1)
tcp6   0   0   [::]icpv2   LISTEN   root   (squid-1)
udp    0   0   *:39557               proxy   (squid-1)
udp6    0   0   *:39105               proxy   (squid-1)