Netgate Discussion Forum

Help in Blocking Websites

pfSense Packages
15 Posts 3 Posters 3.4k Views
lilinneno

Hi Marcelloc,

In advance I appreciate your patience. I'm very, very, very new to everything to do with network administration: volunteering for a non-profit in an international and rural setting, and they lost the admin. I'm the next best thing. I'm trying to figure out:

How do you block certain sites during the work day and allow them to be open after hours? Specifically, all users (except admins) should not be able to access web sites A, B, C during business hours.

I know the original admin has already done this because you can't access YouTube, some of Facebook, and CNET (very odd, but anyway). When you try to hit YouTube, you get a page saying something like 'sorry, come back later'. I've spent the past 6 hours reading through blogs, forums, anything, trying to figure out where to add additional sites or network IDs to the list (e.g. I saw this nifty list http://imageshack.us/f/193/cidr.png) but I can't seem to find it. The current task pertains to Facebook. Some people are accessing it with https:// when I've been told only http:// is currently blocked. I've read through several different posts and replies (including the ones on blocking Facebook) but I fear I need a lot more hand-holding than that. This seemed like a pretty safe topic name to ask the slower-paced question.

I know I have pfSense. I don't think we have Squid (which I've read about). I can find out other information if you need to know, but I don't know what other info you need to help answer the question.

I should also note that my replies may be at odd hours/delayed since I'm in GMT+2. Thanks in advance for your patience.
marcelloc

Check in the pfSense menu if you have Proxy Server and Proxy Filter. These are Squid and SquidGuard.

Treinamentos de Elite: http://sys-squad.com

Help a community developer! ;D
lilinneno

I went to System > Package Manager. I found that we have:

Light Squid, Squid, Squid Guard, Free Radius, Zabbix Agent, NTop, MailReport

Thanks again for your help!
marcelloc

@lilinneno:

> I went to System > Package Manager. I found that we have:
>
> Light Squid, Squid, Squid Guard, Free Radius, Zabbix Agent, NTop, MailReport

Squid and SquidGuard will do it.

Services -> Proxy Server is Squid.
Services -> Proxy Filter is SquidGuard.

Check what config you have on both.
lilinneno

Huge help just decoding that! I've gone into the proxy filter and server and can see the settings.

For Proxy Filter, I can see the logic that was created, and I have Target categories of BlockedAlways and BlockedBusiness. When I go into BlockedBusiness, I see a list of Domains which has a lot of addresses (including facebook.com). URLs and Expressions are blank. I tried adding https://www.facebook.com and http://facebook.com to URLs, except it won't allow me to. I did add 'facebook' into the Expressions field. Was that correct?

For Proxy Server, every box in Access Control is blank. Should I add facebook to the blacklist? Or will this remove it from use at all hours?

How can I validate that Facebook will not be able to be accessed by anyone except admins?
marcelloc

@lilinneno:

> How can I validate that Facebook will not be able to be accessed by anyone except admins?

If you have transparent proxy enabled in the Squid config, you will need to block port 443 in the LAN firewall rules.

Then, create an alias in Firewall -> Aliases with the HTTPS sites you allow traffic to.
Apply a rule before your rule that blocks 443 traffic, allowing 443 traffic to the hosts included in your alias.

An easier way would be the transparent SSL filtering feature in the squid3 package.
lilinneno

Transparent proxy is enabled in Squid. So here is what I have started to do, and I've attached pictures so that you can track with me.

1. Create new Firewall Aliases to permit certain HTTPS sites to pass through.
1a. Shows how I created the alias. I couldn't figure out how to use IP addresses so I selected URL Table. Is that right? It seems there could be a lot of HTTPS sites and I am wondering if there is a more efficient way.
2. Didn't apply changes as I'm not sure if this is the right approach.
3. Create a Firewall Rule to permit the "AllowedHTTPS" alias to pass.
3a,b: Show the options that are available… I imagine I'm supposed to somehow tie this rule to the alias that I created. How do I do that / what am I supposed to put in here?
4. Shows that the icon that generally should allow me to move rules is greyed out and won't let me move the new Rule to be above the "Anti-Lockout Rule". Is there a different way to prioritize/deprioritize rules?
5. Didn't apply changes as I'm not sure if this is the right approach, especially as I can't put the new "AllowedHTTPS" rule above "Anti-lockout".
6. It occurs to me that nearly 100% of the users access the internet through Wi-Fi. Will updating the LAN rules ultimately apply to the WAN too?

![1-2 Firewall Alias and Edit.jpg](/public/imported_attachments/1/1-2 Firewall Alias and Edit.jpg)
lilinneno

… the other attachment

![3-6 Firewall Rules and Edit.jpg](/public/imported_attachments/1/3-6 Firewall Rules and Edit.jpg)
marcelloc

First change: you need a host alias. URL table aliases are used only to download a list of hosts/IPs from an external server.
lilinneno

I can't figure out what a host alias is. I tried to do some digging online to figure out what they are / how to find them out, but have had no success :(

I must be so frustrating for you. Thanks so much for your patience!
marcelloc

While creating/editing a firewall alias, you can choose its type.

Change your alias type from url_table to hosts.

You need to put complete hostnames in it, for example www.facebook.com.
lilinneno

Got it! Fairly certain I got that (see attached).

Now I need to go back to the Firewall rules section to create the rule that allows the HTTPS alias that I just created and prioritize that over port 443. And then I block 443.

But what are the terms that I have to put into the Firewall rule?

![alias details.PNG](/public/imported_attachments/1/alias details.PNG)
marcelloc

Allow rule:

• proto: tcp
• source: any_or_lan_subnet
• port: any
• destination: https_alias_you_created
• port: 443

Deny rule:

• proto: tcp
• source: any_or_lan_subnet
• port: any
• destination: any
• port: 443
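The allow-before-deny pair above, together with the rule-ordering question raised earlier in the thread, can be checked with a small first-match simulation. This is an added example written for this page, not code from the thread or from pfSense itself: the hostnames, addresses and DNS answers are constructed test data, and the hosts alias is expanded to IP addresses by a fixed table standing in for the firewall's own resolver.

```python
"""Simulate pfSense-style first-match firewall rule evaluation.

Constructed example: the rule set mirrors the allow/deny pair from the
thread (pass TCP/443 to an alias of permitted HTTPS hosts, then block all
other TCP/443) and shows why the pass rule must sit above the block rule.
All hostnames and addresses below are made-up test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed DNS answers. On a real box pfSense resolves a "hosts"-type
# alias to IPs itself; here a fixed table keeps the example offline.
FAKE_DNS = {
    "www.example-bank.test": ["198.51.100.10"],
    "mail.example.test": ["203.0.113.5", "203.0.113.6"],
}

LAN_SUBNET = ip_network("192.168.1.0/24")  # constructed LAN


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp" or "any"
    src: str                 # "lan_subnet" or "any"
    dst: str                 # "any" or the name of a hosts alias
    dst_port: Optional[int]  # None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def resolve_alias(alias_name, aliases):
    """Expand a hosts alias into the set of IPs it currently resolves to."""
    ips = set()
    for host in aliases[alias_name]:
        for ip in FAKE_DNS.get(host, []):
            ips.add(ip_address(ip))
    return ips


def matches(rule, pkt, aliases):
    """True if every field of the rule matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src == "lan_subnet" and ip_address(pkt.src_ip) not in LAN_SUBNET:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.dst != "any" and ip_address(pkt.dst_ip) not in resolve_alias(rule.dst, aliases):
        return False
    return True


def evaluate(rules, pkt, aliases, default="block"):
    """Top-down, first matching rule wins, as on a pfSense interface tab;
    traffic that matches nothing hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt, aliases):
            return rule.action
    return default


# The alias the thread calls "AllowedHTTPS", filled with constructed hosts.
ALIASES = {"AllowedHTTPS": ["www.example-bank.test", "mail.example.test"]}

ALLOW_RULE = Rule("pass", "tcp", "lan_subnet", "AllowedHTTPS", 443)
DENY_RULE = Rule("block", "tcp", "lan_subnet", "any", 443)
# Stand-in for the default "LAN to any" pass rule that remains below.
DEFAULT_LAN_PASS = Rule("pass", "any", "lan_subnet", "any", None)

CORRECT_ORDER = [ALLOW_RULE, DENY_RULE, DEFAULT_LAN_PASS]
WRONG_ORDER = [DENY_RULE, ALLOW_RULE, DEFAULT_LAN_PASS]


def decide(order, dst_ip, dst_port=443):
    """Decision for a LAN client (constructed 192.168.1.50) to dst_ip:dst_port."""
    return evaluate(order, Packet("tcp", "192.168.1.50", dst_ip, dst_port), ALIASES)


if __name__ == "__main__":
    for label, order in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "listed HTTPS host:", decide(order, "198.51.100.10"))
        print(label, "unlisted HTTPS host:", decide(order, "192.0.2.77"))
        print(label, "plain HTTP (left to the transparent proxy):", decide(order, "192.0.2.77", 80))
```

Two caveats worth keeping in mind when applying this on a real firewall: pfSense resolves a hosts-type alias to IP addresses itself and refreshes them periodically, so a site served from many changing addresses or a CDN may not be fully covered by the alias; and the anti-lockout rule only covers access to the firewall's own management ports, so the pass/block pair can sit below it on the LAN tab as long as the pass rule is above the block rule.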