Netgate Discussion Forum

    Monitor what is leaving my WAN interface

    • johnpoz LAYER 8 Global Moderator

      If you want to monitor websites clients visit you would use a proxy. pfSense can log connections, but it's only going to give you an IP address of source and destination.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • security_paranoid

        > pfSense can log connections, but it's only going to give you an IP address of source and destination

        Thanks for your reply. From where in the web interface can I view this info?

        • NogBadTheBad

          @security_paranoid:

          > > pfSense can log connections, but it's only going to give you an IP address of source and destination
          >
          > Thanks for your reply. From where in the web interface can I view this info?

          As John mentioned you'll only see IP addresses.

          Create an outbound firewall rule allowing port 80 & 443 outbound, set it to log and place it right at the top of the rule list.

          They appear here :-

          Status -> System Logs -> Firewall

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • security_paranoid

            > As John mentioned you'll only see IP addresses.
            >
            > Create an outbound firewall rule allowing port 80 & 443 outbound, set it to log and place it right at the top of the rule list.
            >
            > They appear here :-
            >
            > Status -> System Logs -> Firewall

            Please be patient. How do I create an outbound rule? Never done that before.

            • NogBadTheBad

              Firewall -> Rules -> LAN

              Add

              Create two rules, one using port 80 as a destination, one using port 443 and tick Log packets that are handled by this rule.

              Drag the two rules to the top and hit save.

              Untitled.png
              ![Untitled 2.png](/public/imported_attachments/1/Untitled 2.png)

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
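
What the entries logged by the two rules above look like once parsed, as an added example that is not part of the original thread. It assumes the comma-separated raw filterlog layout for IPv4 entries (field positions are noted in the code); the sample lines, hostname, interface names and addresses are constructed. As the posts say, the result carries only source and destination IP addresses, not site names.

```python
import csv
import re
from collections import Counter

# Constructed sample lines in the raw filterlog CSV layout (IPv4 only).
# Hostname, interface names, tracker IDs and addresses are made up.
SAMPLE_LOG = """\
Mar  4 10:15:01 pfSense filterlog: 5,,,1700000001,igb1,match,pass,in,4,0x0,,64,1201,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,51514,443,0,S,1111,,64240,,mss
Mar  4 10:15:02 pfSense filterlog: 4,,,1700000002,igb1,match,pass,in,4,0x0,,64,1202,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,51520,80,0,S,2222,,64240,,mss
Mar  4 10:15:03 pfSense filterlog[4321]: 5,,,1700000001,igb1,match,pass,in,4,0x0,,64,1203,0,DF,6,tcp,60,192.168.1.31,203.0.113.10,40022,443,0,S,3333,,64240,,mss
Mar  4 10:15:04 pfSense filterlog: 9,,,1000000103,igb0,match,block,in,4,0x0,,52,1204,0,none,17,udp,328,198.51.100.1,198.51.100.2,67,68,308
"""

# The process tag may or may not carry a PID, depending on the syslog format.
ENTRY = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")


def parse_filterlog(line):
    """Return the fields of interest for an IPv4 TCP/UDP entry, else None."""
    m = ENTRY.search(line)
    if not m:
        return None
    f = next(csv.reader([m.group(1)]))
    # Assumed field order: 4=interface, 6=action, 8=IP version,
    # 16=protocol, 18=source IP, 19=destination IP, 21=destination port.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}


def web_destinations(log_text, ports=(80, 443)):
    """Count passed connections per (client IP, destination IP, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["action"] == "pass" and e["dport"] in ports:
            hits[(e["src"], e["dst"], e["dport"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, port), n in web_destinations(SAMPLE_LOG).most_common():
        print(f"{src:15} -> {dst:15} port {port:<4} x{n}")
```
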

              • security_paranoid

                No matter how much I try, I can't move the 2 rules above the anti-lockout rule.
                Please see attachment.

                ![lan rules.png](/public/imported_attachments/1/lan rules.png)

                • NogBadTheBad

                  Don't worry about the top rule as it's only HTTP to the firewall on that interface.

                  HTTP and HTTPS will match your new rules rather than your pfBlocker rules; you might want to move them a bit lower.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • security_paranoid

                    @NogBadTheBad:

                    > Don't worry about the top rule as it's only HTTP to the firewall on that interface.

                    Also I can use Google's IMAP which is on port 993. Shouldn't that be blocked now? I mean only 80 and 443 are allowed.

                    • NogBadTheBad

                      The rules just allow and log; you've not blocked anything.

                      They read from the top down.

                      https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • security_paranoid

                        @NogBadTheBad:

                        > The rules just allow and log; you've not blocked anything.
                        >
                        > https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                        Got it. Thanks a lot.

                        • johnpoz LAYER 8 Global Moderator

                          Never mind, you did put the rule on the LAN side.

                          Unless you're using something like QUIC or SPDY you're never going to see UDP on 80/443 for websites.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          • kapara

                            If you want a great granular view, use pftop or pfflowd. You can find many free NetFlow collectors. This captures everything. I suggest at least trying it and you will understand.

                            Skype ID:  Marinhd

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.