PfSense Ad Blocking
-
Hey Folks,
In the past I had been able to use dnsmasq (not within pfSense) to block ad servers, however the dnsmasq options offered by pfSense seemed limited to me. I like to run Homer Webserver on my Windows boxes and resolve ad servers to 127.0.0.1 (so ads become essentially invisible). While pfSense let me add individual hosts, it didn't seem to allow me to create wildcard entries (unless I am really misinterpreting the option to specify an authoritative dns server).
A good example is IntelliTXT… I can't stand to look at their ads, and they use a vast array of hostnames which are all in the format "somename.intellitxt.com". I did not see a way to use the standard pfSense configs to do this, so I fiddled around and came up with a solution that I explain in detail here on my silly little rant website. I also made it so that I only have to update a single instance of my "bad sites" list and all of my routers will update themselves automagically.
I am hoping that either (a) someone else will find this useful or (b) some folks may have some input on any easier or safer ways to do this. I am particularly interested in finding a more graceful way to restart dnsmasq from within my script, or finding out why there is no path when the script is called by cron.
Huzzah,
Snork.
-
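The dnsmasq wildcard approach described in the post above, as an added example rather than Snork's own script or any pfSense component: a single master "bad sites" list is turned into `address=/domain/127.0.0.1` lines, which dnsmasq applies to the domain and every name beneath it, so one entry covers all of `somename.intellitxt.com`. It also addresses the two open questions in the post: cron's missing PATH is set explicitly at the top, and dnsmasq is restarted only when the generated file actually changed. The list URL, the config path and the restart command are placeholders for whatever the local box uses; `fetch` is FreeBSD's fetch(1) (use curl on Linux).

```shell
#!/bin/sh
# Added example, not the original poster's script or a pfSense component.
# Rebuild a dnsmasq ad-block config from a single master "bad sites" list.
# dnsmasq treats  address=/intellitxt.com/127.0.0.1  as a wildcard: it
# answers 127.0.0.1 for intellitxt.com and for every name beneath it.

# cron runs jobs with a near-empty environment (often no PATH at all),
# so set PATH explicitly instead of relying on your login shell's value.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
export PATH

# Assumed values, replace with your own. The URL is a placeholder for the
# single master list the post mentions; the conf path and restart command
# are assumptions, not pfSense's own paths.
BLOCKLIST_URL="http://blocklist.example.invalid/badsites.txt"
DNSMASQ_CONF="/usr/local/etc/dnsmasq.d/adblock.conf"
RESTART_CMD="/usr/local/etc/rc.d/dnsmasq restart"

# Read domains on stdin, one per line. Drop comments and blank lines,
# strip a leading "*." and a trailing ".", lowercase, keep only
# syntactically valid hostnames (so a corrupt download cannot inject
# arbitrary config lines), de-duplicate, and emit dnsmasq address= entries.
make_dnsmasq_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | sort -u \
    | sed 's|.*|address=/&/127.0.0.1|'
}

# Fetch the master list, rebuild the config, and restart dnsmasq only when
# the file actually changed. Two safety points: an empty result (failed
# download) never replaces the working config, and SIGHUP is not enough
# here because dnsmasq re-reads /etc/hosts on SIGHUP but not address=
# lines, so new entries need a real restart.
update_adblock() {
    tmp=$(mktemp) || return 1
    fetch -q -o - "$BLOCKLIST_URL" | make_dnsmasq_blocklist > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "blocklist download produced no entries; keeping old config" >&2
        rm -f "$tmp"
        return 1
    fi
    if cmp -s "$tmp" "$DNSMASQ_CONF"; then
        rm -f "$tmp"          # nothing changed, so no restart needed
        return 0
    fi
    mv "$tmp" "$DNSMASQ_CONF" && $RESTART_CMD
}

# Run the update only when invoked as:  sh adblock.sh update
# (for example from a cron line such as:  0 4 * * * /root/adblock.sh update)
if [ "${1:-}" = "update" ]; then
    update_adblock
fi
```

Because every router pulls the same list on its own schedule, the list only has to be edited in one place, and a failed or empty download leaves the previous working config in place instead of silently unblocking everything.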
Why not use Squid and SquidGuard to achieve the same?
-
Hey dreamslacker,
Since I have no interest in caching it would seem that installing Squid/SquidGuard might be a bit excessive for me, however if I chose to set them up, do you by any chance know if they natively support any kind of configuration sharing between servers? I'd like to be able to blacklist a server in one place and have all of my Squid/Squidguard instances know about it (not necessarily instantly). I had a quick look at the Squid related pages and didn't see anything about it. Unfortunately the search feature at squid-cache.org doesn't seem to be working for me in either SM2 or IE8. :(
The other downfall of going the Squid/SquidGuard route for me might be that it would require the extra configuration of creating a "wpad" or "pac" and setting up proxy auto discovery on my networks. The little workaround I have shown works on all ports with zero client config.
HF,
Snork.
-
Would it not be better to do this in DNS?
I use www.opendns.com to set up what people are allowed to see and what they are not allowed to go to. They provide the ability to block categories and also to set it up for multiple networks.
It is a great service and much more reliable than your ISP's DNS and much simpler than using Squid / SquidGuard.
Hope this helps.
-
You can use Squid as a transparent proxy. i.e. No configuration needed on the client side.
Also, you do not need to set Squid to cache, simply use it to hijack HTTP type traffic where SquidGuard can allow you to set rules. In your instance, this would be to block the domain(s) where the ad servers reside.
See this link on how SquidGuard is configured (albeit on Linux) to use Adblock Plus' Easylist to update Ad servers domains.
http://notes.ozmonet.com/index.php?title=Network-Wide_Adblock
IIRC, there's a CRON package for pfSense where you can simply use it to make a scheduled CRON job to update the easylist into SquidGuard. Hence, there is no real need to replicate across all your pfSense boxes, just let them update on a schedule individually.
Edit: There is a tutorial on getting this done on pfsense. See: http://forum.pfsense.org/index.php?topic=19756.0
-
Hey guys,
@hamiltonrenata: Ultimately my little workaround is a DNS based solution just like OpenDNS (which I have tried but they do not support generating your own list of servers to block). Hmmm, now that I think of it, they may have supported such a list but only allowed a limited number of entries. The OpenDNS concept is exactly what I want to do but just not flexible enough for me. :( As you mentioned, either one is certainly simpler than a Squid/SquidGuard setup but unable to regex entire URLs.
@dreamslacker: The big advantage to the setup described in that tutorial is that it can be used to block based on a regex anywhere in the URL while mine can only block based on servername. I think for my purposes it would still be easier to continue blocking by servername and use my current adblock custom list. Though having looked at the tutorial I see that I can run separate commands in cron by separating them with a semicolon ['scuse my noobishness], that may simplify my setup significantly (will have to look into that)! :)
Thanks!
Snork.
-
I use ipblocklist to block ads and unwanted advertising. I can control which ad sites are blocked and which are not as well as being able to use public lists that block known ad sites.
The easy part is there is no client side configuration required since pfSense handles the traffic at the fw level.
Edit: Windows 7 doesn't suck :)