Help in Blocking Websites
-
Check in the pfSense menu whether you have Proxy Server and Proxy Filter. These are squid and squidGuard.
-
I went to System > Package Manager. I found that we have:
Light Squid, Squid, Squid Guard, Free Radius, Zabbix Agent, NTop, MailReport
Thanks again for your help!
-
I went to System > Package Manager. I found that we have:
Light Squid, Squid, Squid Guard, Free Radius, Zabbix Agent, NTop, MailReport
squid and squidGuard will do it.
Services -> Proxy Server is squid.
Services -> Proxy Filter is squidGuard. Check what config you have on both.
-
Huge help just decoding that! I've gone into the proxy filter and server and can see the settings.
For Proxy Filter, I can see the logic that was created and I have Target categories of BlockedAlways and BlockedBusiness. When I go into BlockedBusiness, I see a list of Domains which has a lot of addresses (including facebook.com). URLs and Expressions are blank. I tried adding to URLs https://www.facebook.com and http://facebook.com except it won't allow me to. I did add 'facebook' into the Expressions field. Was that correct?
For Proxy Server, every box in Access Control is blank. Should I add facebook to the blacklist? Or will this remove it from use at all hours?
How can I validate that Facebook will not be able to be accessed by anyone except admins?
-
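As an added illustration (not from this thread and not the config pfSense generates), this is what the Target Categories and ACL behind those GUI fields look like in squidGuard's own configuration syntax. The paths, the admin address range, the block-page URL and the list contents are assumed. A domains list entry matches that domain and every subdomain; a urls list entry is host/path with no scheme; an expressions entry is a regular expression tested against the whole URL, so a bare `facebook` also matches any unrelated URL containing that string. When squid runs as a transparent proxy, squidGuard only sees the intercepted port-80 traffic, so none of this applies to HTTPS on its own.

```conf
# squidGuard.conf (added example; paths and addresses are assumptions)
dbhome /var/db/squidGuard
logdir /var/squidGuard/log

# Time space during which the "business" category is enforced (assumed hours).
time workhours {
    weekly mtwhf 08:00 - 18:00
}

# Source group that bypasses the filter entirely (assumed admin workstations).
src admins {
    ip 192.168.1.10-192.168.1.20
}

# The two target categories visible in the pfSense GUI.
# BlockedAlways/domains would contain one domain per line, e.g.  example-bad.net
dest BlockedAlways {
    domainlist BlockedAlways/domains
    urllist    BlockedAlways/urls
}

# BlockedBusiness/domains:      facebook.com          (covers www.facebook.com, m.facebook.com, ...)
# BlockedBusiness/urls:         www.facebook.com/gaming   (host/path, no http:// or https://)
# BlockedBusiness/expressions:  facebook              (regex against the full URL)
dest BlockedBusiness {
    domainlist     BlockedBusiness/domains
    urllist        BlockedBusiness/urls
    expressionlist BlockedBusiness/expressions
}

acl {
    # Admins: no filtering at all.
    admins {
        pass all
    }

    # Everyone else: BlockedAlways is always denied; BlockedBusiness only during work hours.
    # "pass !X all" means deny X, allow the rest; the redirect is the block page (assumed URL).
    default within workhours {
        pass !BlockedAlways !BlockedBusiness all
        redirect http://blockpage.example.internal/blocked.html
    } else {
        pass !BlockedAlways all
        redirect http://blockpage.example.internal/blocked.html
    }
}
```

After editing the lists, squidGuard's databases have to be rebuilt (`squidGuard -C all` against this config) and squid reloaded for changes to take effect; the pfSense GUI does both when you apply.
-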
How can I validate that Facebook will not be able to be accessed by anyone except admins?
If you have transparent proxy enabled in the squid config, you will need to block port 443 in the LAN firewall rules.
Then, create an alias under Firewall -> Aliases with the HTTPS sites you allow traffic to.
Apply a rule before the rule that blocks 443 traffic, allowing 443 traffic to the hosts included in your alias. An easier way would be the transparent SSL filtering feature in the squid3 package.
-
Transparent proxy is enabled in squid. So here is what I have started to do and I've attached pictures so that you can track with me.
1. Create new Firewall Aliases to permit certain HTTPS sites to pass through
1a. Shows how I created the alias. I couldn't figure out how to use IP addresses so I selected URL Table. Is that right? It seems there could be a lot of https sites and am wondering if there is a more efficient way.
2. Didn't apply changes as I'm not sure if this is the right approach
3. Create Firewall Rule to permit the "AllowedHTTPS" aliases to pass.
3a,b: Show the options that are available… I imagine I'm supposed to somehow tie this rule to the Aliases that I created. How do I do that/ what am I supposed to put in here?
4. Shows that the icon that generally should allow me to move rules is greyed out and won't let me move the new Rule to be above the "Anti-Lockout Rule". Is there a different way to prioritize/ deprioritize rules?
5. Didn't apply changes as I'm not sure if this is the right approach/ especially as I can't put the new "AllowedHTTPS" rule to go above "Anti-lockout"
6. It occurs to me that nearly 100% of the users access internet through Wifi. Will updating the LAN rules ultimately apply to the WAN too?
-
… the other attachment
-
First change: you need a host alias. URL tables are used only to download a list of hosts/IPs from an external server.
-
I can't figure out what a host alias is. I tried to do some digging online to figure out what they are/ how to find them out, but have had no success :(
I must be so frustrating for you. Thanks so much for your patience!
-
While creating/editing a firewall alias, you can choose its type.
Change your alias type from url_table to hosts.
You need to put complete hostnames in it, for example www.facebook.com.
-
Got it! Fairly certain I got that (see attached).
Now I need to go back to the Firewall rules section to create the rule that allows the HTTPS alias that I just created and prioritize that over port 443. And then I block 443.
But what are the terms that I have to put into the Firewall rule?
-
allow rule
- proto tcp
- source any_or_lan_subnet
- port any
- destination https_alias_you_created
- port 443

deny rule
- proto tcp
- source any_or_lan_subnet
- port any
- destination any
- port 443
-
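The allow/deny pair above, modelled in Python as an added example (this is not pfSense code; the LAN range, the admin range, the alias entries and every address are made up, and the "resolver" is a constructed table standing in for the DNS lookups pfSense does for a hosts alias). It shows the three things a practitioner checks here: interface rules are first match wins, so both allow rules must sit above the block; a hosts alias is nothing more than the set of addresses the names resolved to; and `proto tcp` on the block leaves UDP 443 (QUIC) untouched. An admin exception is included as a separate pass rule, which is how "everyone except admins" is expressed at the firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed resolver table: the addresses a hosts-type alias would resolve to.
# Documentation ranges only; not real records for any of these names.
RESOLVED = {
    "www.example-bank.com": ["203.0.113.10"],
    "mail.example.org": ["198.51.100.20", "198.51.100.21"],
}
FACEBOOK_IP = "192.0.2.50"                 # stand-in, not Facebook's address
LAN_NET = ip_network("192.168.1.0/24")     # assumed LAN
FIREWALL = ip_network("192.168.1.1/32")    # assumed LAN address of pfSense
ADMIN_NET = ip_network("192.168.1.8/29")   # assumed admin workstations
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "tcp", "udp" or ANY
    src: object    # ip_network or ANY
    dst: object    # ip_network, frozenset of addresses (an alias) or ANY
    dport: object  # int, frozenset of ints or ANY
    label: str


def hosts_alias(names, resolved=RESOLVED):
    """Expand a hosts alias into the address set pf would load into its table."""
    return frozenset(ip_address(a) for n in names for a in resolved[n])


def matches(rule, proto, src, dst, dport):
    port_ok = (rule.dport == ANY
               or (dport in rule.dport if isinstance(rule.dport, frozenset) else dport == rule.dport))
    return ((rule.proto == ANY or rule.proto == proto)
            and (rule.src == ANY or src in rule.src)
            and (rule.dst == ANY or dst in rule.dst)
            and port_ok)


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins, as for pfSense interface rules (pf 'quick')."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.label
    return "block", "default deny"


ANTI_LOCKOUT = Rule("pass", ANY, LAN_NET, FIREWALL, frozenset({80, 443}), "anti-lockout")
ALLOW_ADMINS = Rule("pass", "tcp", ADMIN_NET, ANY, 443, "admins: any HTTPS")
ALLOW_ALIAS = Rule("pass", "tcp", LAN_NET,
                   hosts_alias(["www.example-bank.com", "mail.example.org"]), 443,
                   "AllowedHTTPS alias")
BLOCK_443 = Rule("block", "tcp", LAN_NET, ANY, 443, "block HTTPS")
LAN_DEFAULT = Rule("pass", ANY, LAN_NET, ANY, ANY, "default allow LAN to any")

CORRECT_ORDER = [ANTI_LOCKOUT, ALLOW_ADMINS, ALLOW_ALIAS, BLOCK_443, LAN_DEFAULT]
WRONG_ORDER = [ANTI_LOCKOUT, BLOCK_443, ALLOW_ADMINS, ALLOW_ALIAS, LAN_DEFAULT]


def check(rules):
    """Outcome of the connections that matter for this thread, for one rule order."""
    user, admin, bank = "192.168.1.100", "192.168.1.9", "203.0.113.10"
    return {
        "user->bank:443": evaluate(rules, "tcp", user, bank, 443)[0],
        "user->facebook:443": evaluate(rules, "tcp", user, FACEBOOK_IP, 443)[0],
        "admin->facebook:443": evaluate(rules, "tcp", admin, FACEBOOK_IP, 443)[0],
        # Port 80 passes at the firewall; the transparent proxy is what feeds it to squidGuard.
        "user->facebook:80": evaluate(rules, "tcp", user, FACEBOOK_IP, 80)[0],
        # Gap: the block is "proto tcp", so UDP 443 (QUIC) falls through to the default allow.
        "user->facebook:443/udp": evaluate(rules, "udp", user, FACEBOOK_IP, 443)[0],
    }


if __name__ == "__main__":
    for name, order in (("correct order", CORRECT_ORDER), ("block above allow", WRONG_ORDER)):
        print(name)
        for conn, verdict in check(order).items():
            print(f"  {conn:26} {verdict}")
```

With the block above the allow rules, the bank and admin connections are blocked as well, which is what the unmovable Anti-Lockout rule in the thread does not affect: pfSense places that rule first automatically, and the allow rules only need to sit above the block rule, not above Anti-Lockout. The UDP row is the caveat to keep in mind when validating: a browser that reaches a site over QUIC never touches the TCP block, so either add a matching UDP 443 block or test from a client with QUIC disabled.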