A Definitive Web Filtering Solution - $400
-
Sorry for the delay.
Try this https://forum.pfsense.org/index.php?topic=112335.0
This guide references partial solutions using the DNS resolver, and then using both transparent and explicit proxies to handle the filtering. While it could work, it's a multi-package solution (Unbound + Squid + SquidGuard) and isn't simple by any means.
I'm gonna increase my initial contribution to the bounty.
Also @Chismallia
…and also it would be great if one day captive portal usernames, not IP addresses, could be shown in web usage reports (example: user 1 went to http://xxxx), as right now this can only be done using Windows AD with Squid
Thanks for the reply, we need as many people as possible in here! Also, with regards to your desired feature: it may not be an official release but I'm working on something along those lines right now so keep your eyes peeled haha
-
Nice, be sure to keep us updated :)
-
Relevant Update
Through looking at that old thread I posted about NXfilter, and then talking to some developers, we've gotten two possible solutions. One, exactly what we were talking about. The second… not so much.
The good news
After digging around, it became clear that NXfilter was going to be the clear winner for getting this to work. There are some different installation guides lying around in both English and Portuguese. With a working FreeBSD version, I was able to get the software running on our 2.3 test unit. I had to install Java manually, among other steps, but it's running without a hitch. Using the NXfilter system, we can:
- Use Shallalist (or two paid list services) to categorize websites
- Define filtering rules based on time of day
- Filter different subnets while having only one WAN address
- User-defined rules: either actively or passively define user-based rules with two different policies (think on/off hours or high/low security hours)
- Add websites to the blacklist or whitelist them as needed
- Use the full logging feature of NXfilter to see multiple logs and generate reports based on those logs
- and probably more? hahahaha
So, this is huge news. I expected there to be some compatibility issues or larger errors when running it on the pfSense unit. However, this is a completely working product. Also, there might be a possibility to pair this with the transparent HTTP content filtering available with Squid+SquidGuard; doubling down by giving you the depth of security with HTTP content filtering in addition to dns filtering for both http and https.
If there's enough of a desire, I could possibly write up some documentation on how to get this working. But, it would be even better if pfSense developers thought about integrating this free, open-source system as a package. This would make pfSense better than Untangle, ipcop, or any free(mium) UTM solution available.
PS. For those asking about the second mentioned method, I thought there might still be some possible solution with SquidGuard (content filtering through a transparent proxy). The only means by which you could enable HTTPS filtering WITHOUT configuration was an exploit of HSTS by setting up two captive portals: one with a signed certificate and the other with the pfSense CA and cert. Basically, it would install the CA as a trusted CA and avoid the user manually installing it. While it works, it falls too close into an ethical grey area, and it would only take one update of the HSTS system and security protocols to render it useless again. If you want simple content filtering, go DNS.
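As an added illustration (not code from the thread, NXfilter or pfSense) of how the DNS-level rules listed in this post fit together, the Python sketch below makes one allow/block decision per query from category lists, per-subnet time-of-day policies, a blacklist and a whitelist; the subnets, domains and time windows are constructed sample data.

```python
import ipaddress
from datetime import time

# Constructed sample data: category -> domains (Shallalist-style domain lists)
CATEGORIES = {
    "socialnet": {"facebook.com", "twitter.com"},
    "malware": {"evil-updates.example"},
}
BLACKLIST = {"blocked.example"}      # always blocked
WHITELIST = {"corp-tools.example"}   # always allowed; wins over every other rule

# Per-subnet policies (hypothetical): rules are (start, end, categories blocked in window)
POLICIES = {
    ipaddress.ip_network("192.168.10.0/24"): [                 # staff LAN
        (time(9, 0), time(17, 0), {"socialnet", "malware"}),     # work hours
        (time(0, 0), time(23, 59, 59), {"malware"}),             # all day
    ],
    ipaddress.ip_network("192.168.20.0/24"): [                 # guest/captive-portal LAN
        (time(0, 0), time(23, 59, 59), {"socialnet", "malware"}),
    ],
}

def domain_labels(qname):
    """Yield qname and each parent: www.facebook.com -> facebook.com -> com."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])

def lookup_categories(qname):
    """Categories that list qname or any of its parent domains."""
    labels = set(domain_labels(qname))
    return {cat for cat, doms in CATEGORIES.items() if labels & doms}

def decide(client_ip, qname, now):
    """Return (action, reason) for one DNS query; action is 'allow' or 'block'.
    Deciding at name resolution covers HTTPS as well as HTTP, with no proxy or client cert."""
    labels = set(domain_labels(qname))
    if labels & WHITELIST:
        return "allow", "whitelist"
    if labels & BLACKLIST:
        return "block", "blacklist"
    addr = ipaddress.ip_address(client_ip)
    cats = lookup_categories(qname)
    for net, rules in POLICIES.items():
        if addr in net:
            for start, end, blocked in rules:
                if start <= now <= end and cats & blocked:
                    return "block", "category:" + ",".join(sorted(cats & blocked))
            return "allow", "no matching rule"
    return "allow", "no policy for subnet"
```

A blocked query would be answered with a sinkhole address (or NXDOMAIN) by the resolver, and the (client, name, reason) tuple is what a per-user report like the one requested earlier in the thread would be built from.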
-
-
Hi, great, it would be great if the pfSense team integrated this somehow. So, to understand this: for NXfilter you have to add your own blacklist like in SquidGuard? Oh, and if you have a guide please share, I am interested to try this out. Thanks for sharing, regards
-
+1 for interest in a pfSense package.
-
I wouldn't call pre-installed subordinate wildcard certs a "gray area"; that is definitely a black hat type thing to do, and don't try to tell yourself that it is OK because you work for a Fortune 500 company or something like that.
If they are using company equipment then you can simply install a certificate or have a client-side based monitor solution, which is entirely legal and ethical; otherwise I see no real need for this besides spying on your users.
DNS/IP based filtering is more than good enough for any public AP legitimate use case; by doing this you are selling/using illegal private use surveillance equipment, which violates the Wiretap Act and the Stored Communications Act. You can be prosecuted and sued. It doesn't matter if you had your users agree to a massive click-through EULA that they didn't read; any decent lawyer will tell you those are unenforceable.
-
What?? Illegal? Once people agree to use my network, and in the agreement I write that the network is monitored, I have the right to know what's going on. If they do not like it they do not accept and leave; if they accept, they accepted that I have the right to monitor them. Example: in Win 10 you can't do anything about MS spying on you. Why? 'Cos you agreed. So UTMs that can monitor should be shut down by law, right? Then why are they still around and improving every day?
-
Don't forget it's completely legit for private/home use as well.
-
Sure it is. I have an Untangle UTM at home monitoring my guests; they accept they will be monitored. They don't like it? They do not use my network, simple as that. I have all the right to know what's going on in my network. If they do something bad on my network I have the right to know who.
-
I wouldn't call pre-installed subordinate wildcard certs a "gray area"; that is definitely a black hat type thing to do, and don't try to tell yourself that it is OK because you work for a Fortune 500 company or something like that.
If they are using company equipment then you can simply install a certificate or have a client-side based monitor solution, which is entirely legal and ethical; otherwise I see no real need for this besides spying on your users.
DNS/IP based filtering is more than good enough for any public AP legitimate use case; by doing this you are selling/using illegal private use surveillance equipment, which violates the Wiretap Act and the Stored Communications Act. You can be prosecuted and sued. It doesn't matter if you had your users agree to a massive click-through EULA that they didn't read; any decent lawyer will tell you those are unenforceable.
Look at Trustwave. They happened to see a bit more flak, but there weren't any huge ramifications or press. Regardless, how you monitor your network in a private/enterprise environment is your own prerogative. This is why, at the end of the day, private is private.
BUT
This isn't a thread to discuss ethics, it's to show support for a pfSense bounty to get a better filtering solution.
-
…to show support for a pfSense bounty to get a better filtering solution.
I'm in for $50 if this results in a complete and workable solution that satisfies my needs.
-
This isn't about ethics, this is about not going to jail or being sued.
What?? Illegal? Once people agree to use my network, and in the agreement I write that the network is monitored, I have the right to know what's going on. If they do not like it they do not accept and leave; if they accept, they accepted that I have the right to monitor them. Example: in Win 10 you can't do anything about MS spying on you. Why? 'Cos you agreed. So UTMs that can monitor should be shut down by law, right? Then why are they still around and improving every day?
Monitoring a public AP type network you own is entirely legal and ethical; this isn't what I am referencing. I am simply letting everyone know that breaking someone else's crypto is illegal.
The way you see things isn't how contract law works in any sane country; if you want to do this you should be talking to a decent lawyer.
-
This is not a thread to break someone's crypto. This is support for pfSense to have a good web filtering capability and to have guest captive portal reports where, instead of by IP, we can view the reports by the username the guest has. So if you do not have anything useful to say, please go play Judge Judy some place else.
-
+1 for a definitive web filtering solution
+1 for NXfilter
-
+1 for NXfilter
-teddy