@propel:

I'm new to the Snort configurations, 1st time installing and using it.

In snort, ' A Default Pass List ' was not automatically created.

Do I actually need to create one then?

Usually, in a home network setup, you do not need to create or set any specific Pass List.  The "defaults" that Snort will use if you do not create or set a list are generally sufficient.  It will not block your LAN IP block, or DNS servers, your default gateway nor your WAN IP address.  If you have multiple directly-connected networks (for example, DMZ, multiple LANs, VPNs, etc.), then they will be included as well.  You only need to create a Pass List when you have specific external hosts or networks you don't ever want blocked, or you have some internal hosts that are not on directly-attached networks that you don't want blocked.

Bill

Nevermind, i'm dumb heh. got it working.

It's been a while since I've had to address this issue.  I can resurrect old threads :)

Now the pfSense is on version 2.1.4 and I'm still getting the same outbound blocking when I have HAVP enabled.

Ideas?

@networkinggeek please submit a support ticket and we'll get you straightened out.

@Hollander we are working out some kinks but we intend to be in the main package repo.

@rjcrowder & @Hollander We use a cloud based categorization service that has over 500 million urls categorized. We've made it so you can install the package and be filtering https traffic within 5 mins.

Thanks :)

@golmaal:

Maybe I haven't understood your problem correctly, but this may help:

SquidGuard (and the firewall rules too) works on the basis of first-match. The filtering rules do not cascade.

Let us say you have Group ACL X and Group ACL Y (in that order) and then Common ACL. When someone accesses the Internet, SquidGuard tries to first match it with Group ACL X. If the match is positive (i.e. if the IP or the user belongs to Group ACL X), the Group ACL X will apply to it irrespective of your Common ACL and other Group ACL. Once the match is positive, it won't filter it using any other Group ACL or Common ACL. If the first match fails, it will try to  match it to Group ACL Y; if it matches, Group ACL Y will apply to it. If there are no matches, Common ACL will apply.

So you need something like this:

Group ACL X: Block Porn, Block P2P, Allow All
Group ACL Y: Allow All
Common ACL: Block All

I will try this as soon as I get time to use mess around with it again..

Thanks for the reply.  I will post what I find.

DrClaw

Ok. So, I realized that 40 MB is just a teensey bit small for this kind of thing. I purchased 2 CF-style microdrives with PCMCIA adapters. I'll find a use for the other on someday, but for now, I am using one of the Microdrives (each drive is 2 GB) for the cache.

Nobody?  :-\

I don't believe this had a separate topic in the old forum, here is a summary of the steps.

The cachemgr.cgi page is a symbolic link to the file in the PBI folder.
And external cache manager as your local box in the squid config.

You create a symbolic of "cachemgr.cgi" in the /usr/local/www folder.
Link that to "/usr/pbi/squid-amd64/libexec/squid/cachemgr.cgi" (or i386 when you installed 32-bit pfsense)

Then add your pfsense box ip as a external cache manager in the Proxy server -> local cache ->"External Cache-Managers"
(it works for me)

Then you should be able to browse to http://pfsense-ip/cachemgr.cgi (login info is the same as the pfsense gui)

(or you could need to edit "/usr/pbi/squid-amd64/etc/squid/cachemgr.conf" and change localhost to your pfsense-ip)

With https you may need to add the portnumber https://pfsense-ip:666/cachemgr.cgi (whatever port your pfsense https responds to)

Makes sense, thanks!

No idea.  Everyone goes for squid3-dev because that's the one that supports transparent HTTPS intercept.

I had enabled modem gui access from the firewall and had created an additional interface on WAN as per instructions given on https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewal …l hence there were two interfaces WAN & Modem Access which were having the same mac id, until ver 2.1 OPNVPN never created multiple instances but post 2.1.1-2.1.4 OPNVPN created multiple instances, then I removed the modem access and ( deleted modem access interface) and every thing worked fine.

Well, ok I see what you mean.

Thank you very much !

thank you for your help  ;D

@ZGruk:

You have to configure the proxy settings to point directly to dansguardian (port 8080) instead of port forwarding from 80 to 8080.

Sorry for the thread resurrection. I'm not clear how to do this. Is the setting changed in squid? Or is it a firewall/NAT rule that I have to write. Any chance you (or anyone) can post more detailed steps.

Thanks!

Write 2.1.4 on a new CF card and boot pfsense.
Install the OpenVPN Export package and reboot, works fine with default config.

Restore my backup and reboot, works fine.

Maybe the CF card was bad or something in the update process goes really wrong.

If I understand it correctly, you host your organization's email on Office 365?
If so, do you have autodiscover.<your_domain>.com properly aliased (CANME) to autodiscover.outlook.com?

Reason I am asking is that autodiscover.outlook.com does not respond on port 443 (and should not).

In case it is configured correctly, you also have to be mindful of when to enter which credentials - some will ask you for your proxy credentials and some will ask for application (exchange) credentials.

And another way to test this is to allow your test machine to connect directly - does it work or still prompts?</your_domain>

@Legion:

If you just want to block a short, fixed list of things, can't you use aliases and firewall rules?

Absolutely. The hard part of doing it that way though is that some of the bigger sites can have multiple IP addresses and those addresses can change on a fairly regular basic. You really need something that keeps the list of addresses up to date if you are trying to block one of the large sites…

Sorry for the long come back. Been busy with some works though.

@dig1234:

transparent proxy?

Nope it is not transparent. Both HTTP/HTTPS are filtered & using WPAD for auto proxy.

@Cino:

iphone/ipad, you can use wpad but you have to enable it in the wifi setting for automatic… android, you have to manually set the proxy server in the dhcp/wifi setting... but i dont think https will work right...

This is a pain. May be I should use some sort of captive portal on a different subnet. But then again it break the whole point of having a proxy in place. :(