PfSense Web Filter – Filter HTTP(S) with SquidGuard
Published on January 23, 2018 (last updated 5 months ago)
As the system administrator of a school, you are constantly faced with the question of how far you should filter content from the Internet. This question must be answered wherever children and young people have access to the Internet, whether in schools, clubs, libraries, at home or any other public institution. Opinions on this subject are very diverse. There is no 100% protection. It is much more important to teach children and young people how to use the Internet responsibly. This is a very big challenge and takes time. Parents and educators are faced with this task and often do not know how best to approach it.
Especially in schools, where you can’t always keep an eye on the screens, a web filter is a great help. In some countries, a web filter for schools is even required by law. But sometimes it’s just about blocking certain websites, such as Facebook, Netflix & Co. Therefore, in this tutorial I would like to show you how to set up a pfSense web filter.
Preliminary Remarks
pfSense is a widely used open source firewall that … (If you need help to install it, …)
With the help of Squid (a proxy server) and SquidGuard (the actual web filter) we want to filter HTTP and HTTPS connections. For this tutorial we first need an active pfSense installation. The firewall …
How it works
Filtering HTTP connections is very easy and quick to set up. Since these connections are unencrypted, they can be examined in full and therefore blocked completely or partially. Nowadays, more and more websites (even those you would like to block) use HTTPS, i.e. an encrypted connection between the user’s browser and the web server. Thanks to Let’s Encrypt, anyone can now set up a free certificate for their website. This is a good thing in itself, because it increases security and makes many attacks impossible or more difficult. However, it also makes filtering for unwanted content more difficult. This “problem” can be solved in two ways:
1. Man-in-the-middle attack
One way is a deliberate man-in-the-middle attack. The proxy server decrypts the HTTPS connection and rebuilds it. This allows it to view the connection and filter it accordingly. This concept is used by most web filter solution providers. The problem here is that this profound interference with the HTTPS connection means that the actual security provided by HTTPS is no longer guaranteed. A user can hardly recognize the difference if the certificate of the proxy server is trusted.
But this security is deceptive. Even if this is the only way to speak of true content filtering, this solution is dangerous, very risky (implementation is not trivial) and, depending on the country, incompatible with the prevailing laws (keyword: data protection and privacy).
Therefore, this route is not recommended for safety and moral reasons.
2. URL filter via SNI
Another possibility is filtering via SNI. Before the certificate is exchanged between browser and web server and thus an encrypted connection is established, the browser sends the domain name (FQDN) that it wants to reach. This part is not yet encrypted and can therefore be read by a (transparent) proxy and used for filtering. The following figure illustrates the TLS handshake. You can easily see that the SNI is sent before the key exchange and the actual secure connection. We take advantage of this principle: in addition to the web filter for HTTP connections, we can also set up a URL filter for HTTPS connections without destroying HTTPS by a man-in-the-middle attack.
Safe-Search for search engines
Create firewall rules for DNS
Since we can’t look into an HTTPS connection, unwanted images and videos may appear in a Google search, for example.
Google and other search engines therefore offer a secure mode (Safe-Search), which we want to force. First we have to activate the DNS resolver in pfSense (under Services → DNS Resolver) and then save and apply the changes. In order for the computers in the network to use the DNS server of the firewall, we need a rule that redirects all other DNS requests to the firewall. To do this, we create a new rule under Firewall → NAT in the Port Forward tab with a click on one of the two add buttons. We enter the following:
- Interface: LAN
- Protocol: TCP/UDP
- Destination: Any
- Destination Port Range: DNS (53)
- Redirect Target IP: 127.0.0.1
- Redirect Target Port: DNS (53)
- Description: can be freely chosen
Now we have to make sure that our newly created firewall rule is in the right place.
It must be above the default “Default allow LAN to any rule”! To do this, we open the firewall rules under Firewall → Rules and move the rule up. Then save with Save and Apply to apply the changes.
Host Overrides for Bing and Youtube
Next, we’ll create some DNS entries to make sure that their safe search is used for both Google and Bing. To do this, we open the DNS Resolver again under Services → DNS Resolver and add the following entries in the Host Overrides section below.
Bing:
- Host: www
- Domain: bing.com
- IP Address: 204.79.197.220
- Description: Bing
Then save with Save. Then the entry for Youtube:
- Host: www
- Domain: youtube.com
- IP Address: 216.239.38.120
- Description: Youtube
Save again with Save. Now apply the changes again with Apply.
Host Overrides for Google
Google uses a lot of different domains and it would take quite a long time to enter them manually. That’s why we choose a different way for Google. First, we need to log in to pfSense via SSH (or connect a screen and keyboard if pfSense is installed on a computer with a graphics card). SSH must first be enabled in the web interface under System → Advanced in the Secure Shell section. Now we can log in via SSH with the following command (adjust the IP address!): …
Include: /var/unbound/google.conf
Our search engines are configured.
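As an added example (not the article's own commands), the following Python script generates the kind of unbound file that the Include: line above refers to: exact host overrides in the form pfSense writes for the Bing and YouTube entries, plus zone-wide redirects that also cover every subdomain, which is what keeps a long Google domain list manageable. The SafeSearch address used for the Google zones is a placeholder here (SAFESEARCH_IP); the Bing and YouTube addresses are the ones from the article, and the domain list is a constructed sample.

```python
import ipaddress
import re

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_fqdn(name):
    """Cheap syntactic check so a typo never lands in the resolver config."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def parse_domain_list(text):
    """One domain per line, '#' comments and blank lines ignored, duplicates dropped."""
    seen = []
    for line in text.splitlines():
        dom = line.split("#", 1)[0].strip().lower().rstrip(".")
        if dom and dom not in seen:
            if not valid_fqdn(dom):
                raise ValueError(f"bad domain in list: {dom!r}")
            seen.append(dom)
    return seen

def unbound_safesearch_conf(host_overrides, redirect_zones, zone_ip):
    """host_overrides: {fqdn: ip} exact records (like pfSense Host Overrides).
    redirect_zones: domains whose whole subtree is answered with zone_ip."""
    ipaddress.IPv4Address(zone_ip)                       # raises on a malformed address
    lines = ["# generated: DNS-forced SafeSearch"]
    for host, ip in sorted(host_overrides.items()):
        if not valid_fqdn(host):
            raise ValueError(f"bad host name: {host!r}")
        ipaddress.IPv4Address(ip)
        lines.append(f'local-data: "{host.lower()}. A {ip}"')
    for zone in redirect_zones:
        # unbound 'redirect' answers the zone and everything below it with this record
        lines.append(f'local-zone: "{zone}." redirect')
        lines.append(f'local-data: "{zone}. A {zone_ip}"')
    return "\n".join(lines) + "\n"

# Constructed sample input: the article's two host overrides and a short Google list.
SAMPLE_GOOGLE_LIST = "google.com\ngoogle.de  # comment\n\ngoogle.com\n"
SAFESEARCH_IP = "192.0.2.1"   # placeholder; use the address Google publishes for SafeSearch

if __name__ == "__main__":
    conf = unbound_safesearch_conf(
        {"www.bing.com": "204.79.197.220", "www.youtube.com": "216.239.38.120"},
        parse_domain_list(SAMPLE_GOOGLE_LIST), SAFESEARCH_IP)
    print(conf, end="")   # on pfSense this output would be written to /var/unbound/google.conf
```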
The next step is to set up the content filter for HTTP and the URL filter for HTTPS.
Squid Proxy and SquidGuard Installation
To enable pfSense to filter the URLs, we need a proxy server through which all requests from our network are routed. For this we use Squid. As the name suggests, SquidGuard is the actual filter. Under System → Package Manager in the Available Packages tab we install Squid and SquidGuard.
Setting Up Transparent Proxy for HTTP
Under Services → Squid Proxy Server we now set up the transparent proxy for HTTP. A transparent proxy has the advantage that we do not have to configure any settings on the individual computers in our network. In the General tab we activate the following items:
- Enable Squid Proxy ✔
- Proxy Interface(s): LAN
- Allow users on interface ✔
- Transparent HTTP Proxy ✔
- Transparent Proxy Interface(s): LAN
After saving with Save we determine in the Local Cache tab how much disk space should be used for the cache (here 500MB). The settings have to be saved again with Save. The transparent proxy for HTTP connections is now set up.
Configuring SquidGuard
SquidGuard is the component responsible for filtering the content. Each request is examined by SquidGuard, which then decides whether or not to block the request or the website. For this we use a blacklist, which we configure later.
Before that, we define some general settings under Services → SquidGuard Proxy Filter:
- Enable ✔ (not shown in the screenshot)
- Enable Log ✔
- Enable log rotation ✔
- Enable Blacklist ✔
- Blacklist URL: …
Then we save everything again with Save. With SquidGuard we have to keep in mind that changes in the configuration only become active after we have clicked Save and Apply (at the top of the General Settings tab)!
Setting up blacklists and whitelists
Now that we are done with the basic settings, the blacklists and whitelists are still missing.
The URL for the blacklist is already given. Now we have to download it in the “Blacklist” tab. To make sure that our filter works, we now define several target categories. To do so, open the “Target Categories” tab and click on Add. We create a whitelist of all domain names we explicitly allow. That would be, for example, all Google domains, because we will block all other search engines in order to prevent the user from bypassing the Safe-Search feature set up above. We enter the following:
- Name: Whitelist
- Domain List: … (the Google domains, e.g. google.de)
- Description: Whitelist
Save with Save. The last step for the time being is to establish some rules. We do this in the Common ACL tab. Then click on the “+” sign in “Target Rules List” to open a list of the different rule sets. There are now different categories, and our whitelist appears here.
We now make the following settings:
- Whitelist: access whitelist
- Default access [all]: access allow
The other categories can be set as required. Here are some examples:
- Block advertising: blk_BL_adv access deny
- Block pornography: blk_BL_porn access deny
- etc.
To prevent a user from bypassing our URL filter by entering the IP address of a page, we also enable Do not allow IP addresses in URL. If this setting causes problems, you should deactivate it again. Then we save with Save, switch to the General Settings tab and press Apply again to apply our changes.
Test Setup
Everything is set up for HTTP connections and we can test the setup. Nothing else needs to be set up on a computer in the LAN. The filter should already work. If we visit a page that appears in one of our blacklists, this page will appear:
Transparent proxy for HTTPS connections
Up to now, the transparent proxy is only active for HTTP, i.e. unencrypted requests. At the beginning of this article I already pointed out the difficulties in filtering encrypted, i.e. HTTPS, connections.
In our case, we will activate a transparent proxy for HTTPS, which allows us to enable a URL filter for all requests on port 443 (HTTPS), but with the disadvantage that we cannot (and do not want to!) analyze the content and we can’t show a nice error page. Instead, the browser will display a certificate error message. But more on this soon. First we activate the transparent proxy for HTTPS. To do this, open the proxy settings under Services → Squid Proxy Server and select the following settings in the SSL Man in the Middle Filtering section:
- HTTPS/SSL Interception ✔
- SSL/MITM Method: Splice All
- SSL Intercept Interfaces: LAN
- CA: select a Certificate Authority certificate. We may have to create one first (under System → Cert. Manager).
Save everything with Save. Now everything is set up and we can also test HTTPS connections. As already written, this time we don’t get an informative error message as for HTTP connections, but a warning from the browser. Even though this error message is not very meaningful, we have achieved our real goal of blocking unwanted pages.
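The SNI principle described earlier is what Splice All relies on: the proxy reads the host name from the still-unencrypted ClientHello, matches it against the blacklist, and either splices the connection through or cuts it, without ever decrypting anything. As an added example that is not part of the article, the following Python code builds a constructed ClientHello, extracts the SNI from it and applies a SquidGuard-style domain match (a listed domain also covers its subdomains); a ClientHello without SNI yields no host name at all, which is exactly the case this kind of filter cannot decide.

```python
import struct
def build_client_hello(hostname, with_sni=True):
    # Constructed minimal TLS 1.2 ClientHello (test input, not a real capture)
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"        # supported_versions, skipped by the parser
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                # server_name_list
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni         # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs       # record type 0x16 = handshake

def extract_sni(record):
    # Walk the ClientHello up to its extensions; return host_name, or None if absent/malformed
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if record[0] != 0x16 or hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # handshake header, client_version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        p, end = p + 2, len(hs)                          # extensions length, then the extensions
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if hs[q] == 0:
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def filter_decision(record, blocked_domains):
    # SquidGuard-style domain match: "facebook.com" also covers "www.facebook.com"
    host = (extract_sni(record) or "").lower().rstrip(".")
    if not host:
        return "no-sni"      # nothing to match on; splice mode can only pass it through
    if any(host == d or host.endswith("." + d) for d in blocked_domains):
        return "deny"
    return "allow"
```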
Conclusion
We have now set up a system that filters all network traffic in our LAN (or WLAN). This blocks pages that have been defined using the blacklists. Opinions on the pros and cons of such blocking differ.
In any case, it is a problem that cannot and should not be solved 100% technically, since it is rather a question of educating (young) people to be able to deal responsibly with the medium “Internet”. It is certainly not the right way to achieve this goal by means of such filtering alone.
The fact that children and young people are “accustomed” to censorship and filtering is also viewed critically by some. On the other hand, it is especially helpful for schools, libraries or at home if you can limit the amount of inappropriate content. Some countries also prescribe such a filter by law!

Adam, May 14, 2018 at 9:28 pm
Much like Seth, all https traffic appears to be blocked in this configuration for me as well. I have my sites whitelisted but to no avail in https.
It works fine with http though. Any ideas? With that being said, my state’s laws say schools MUST filter traffic in schools. Furthermore, the school owns all traffic in the network as it is guided by a legal AUP. I am not sure how other states do this but it is legal to do the conscious MIM attack for our purposes. I do see where conscious MIM attacks could be a security breach; keeping kids safe is also an important role as well. My school already has a commercial system that does this in fact.
While I am not trying to open a debate on this at all, I am merely trying to lock down my students’ internet during testing times to curb the possibility of cheating. We use Cisco Netacad for this, which is on Amazon AWS. There are many URLs and writing a simple router ACL would be a pain due to the complexity of our setup.
Any input/guides on the Conscious MIM setup?