Guide to filtering web content (http and https) with pfsense 2.3

asterix

Can't get HTTPS scanning to work. See https sites passing through squid but clamd won't scan the files. Works fine on HTTP and it catches the virus files. Using proxy setting in browser since wpad isn't giving the results I am expecting.

aGeekhere

no, not working. As soon as I enable the firewall rule there is no access to the internet. With the firewall rule disabled I have access but the eicar test files do not get blocked like they did when in transparent mode indicating the proxy is not being used.

Is that the port 80 and 443 block rule? If so than that is correct, now set your device to auto configure proxy. In windows go to global internet settings and there is an option for that, and for each program you have set its proxy settings. For programs with no proxy settings create a pass rule.

Can't get HTTPS scanning to work. See https sites passing through squid but clamd won't scan the files. Works fine on HTTP and it catches the virus files. Using proxy setting in browser since wpad isn't giving the results I am expecting.

Hi, first try above post, second I have not tried clamd scanning because I have found it to have issues, best to ask this question in the proxy forum.

Using proxy setting in browser since wpad isn't giving the results I am expecting

You have to tell your browser to use system settings and in global internet settings set proxy to auto configure.

AR15USR

@Asterix:

Can't get HTTPS scanning to work. See https sites passing through squid but clamd won't scan the files. Works fine on HTTP and it catches the virus files. Using proxy setting in browser since wpad isn't giving the results I am expecting.

Same issue here now.

I enabled the 80-443 block rule, unchecked the 'Transparent" option in Squid and I can only get access if I manually enter the wpad.dat location into my local computer(s) settings. Auto discovery does not work. I'm on all Apple computers/devices here btw. Same issue with ClamAV, it scans http but not https as poster above.

asterix

Auto config works for me. What I meant in the original post was that the WPAD direction info I was writing was not proper hence was using straight proxy settings for the time being. Will be experimenting with the WPAD file at a later time.

I seriously doubt HTTPS scanning (not filtering) with clamd is working. I have followed the configuration directions to the T and yet the only thing which does not work is https clamd scans for viruses. I believe its a Squid issue.

aGeekhere

Post a link to the https fake virus test file that you are testing and I will see if it works for me.

AR15USR

http://www.eicar.org/85-0-Download.html

There is one group for http, and one group for https.

asterix

There are 4 https links

https://secure.eicar.org/eicar.com
https://secure.eicar.org/eicar.com.txt
https://secure.eicar.org/eicar_com.zip
https://secure.eicar.org/eicarcom2.zip

asterix

Would you know how to get the below google safesearch info in pfSense BIND DNS?

server: include: /var/unbound/forecegoogle.conf

aGeekhere

Ok done some research squidclamav only supports http not https because it is encrypted.

would you know how to get the below google safesearch info in pfSense BIND DNS?

Not sure you will need to ask that in the proxy forum.

AR15USR

@aGeekHere:

Ok done some research squidclamav only supports http not https because it is encrypted.

I just did a test. Squidclamav will scan https traffic when using Squids MITM option..

asterix

@AR15USR:

@aGeekHere:

Ok done some research squidclamav only supports http not https because it is encrypted.

I just did a test. Squidclamav will scan https traffic when using Squids MITM option..

And that would need certificates have to be installed on the clients..

AR15USR

@Asterix:

@AR15USR:

@aGeekHere:

Ok done some research squidclamav only supports http not https because it is encrypted.

I just did a test. Squidclamav will scan https traffic when using Squids MITM option..

And that would need certificates have to be installed on the clients..

Correct.

aGeekhere

To help stop virus or spywhere we can enable squidguard block list blk_BL_spyware,

johnpoz

What is the point of all the safesearch nonsense and redirecting users to only use your dns..  You do understand when a proxy is being used, the proxy does the query not the client..

phunni

While setting up wpad we'r supposed ot enter the following into /usr/local/www/wpad.da:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
        return "DIRECT";

return "PROXY 192.168.1.1:3128";
}

I've actually changed my pfsense server ip to 192.168.0.1 - do I need to edit both ip addresses listed above?

AR15USR

@johnpoz:

What is the point of all the safesearch nonsense and redirecting users to only use your dns..  You do understand when a proxy is being used, the proxy does the query not the client..

I think the point of the safe search is to stop, say your young kids, from Googling porn images. I'm not sure about the dns redirecting.

aGeekhere

@AR15USR:

@johnpoz:

What is the point of all the safesearch nonsense and redirecting users to only use your dns..  You do understand when a proxy is being used, the proxy does the query not the client..

I think the point of the safe search is to stop, say your young kids, from Googling porn images. I'm not sure about the dns redirecting.

1. What is the point of forcing search engines from using safe search?
Answer: To aid in the filtering of adult content, this is most importantly for google images as squidguard does not block them, if you do not want to filter web content then this guide is not designed for you.

2. What is the point of redirecting users to use THEIR pfsense router as the DNS server.
Answer: There are many advantages not all relating to web filtering however tries and stops the user from bypassing the dns redirect rule.

@phunni:

While setting up wpad we'r supposed ot enter the following into /usr/local/www/wpad.da:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
        return "DIRECT";

return "PROXY 192.168.1.1:3128";
}

I've actually changed my pfsense server ip to 192.168.0.1 - do I need to edit both ip addresses listed above?

Yes, set it to 192.168.0.0

AR15USR

I'm constantly getting these entries in the Squid Real Time log:

01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:59488	-	-
01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:55735	-	-
01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:49806	-	-
01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:46365	-	-
01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:38156	-	-
01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:25012	-	-
01.07.2016 06:06:34	192.168.1.5	TCP_DENIED/403	127.0.0.1:24866	-	-
01.07.2016 06:06:33	192.168.1.5	TCP_DENIED/403	127.0.0.1:14826	-	-
01.07.2016 06:06:33	192.168.1.5	TCP_DENIED/403	127.0.0.1:10196	-	-
01.07.2016 06:06:33	192.168.1.5	TCP_DENIED/403	127.0.0.1:6263	-	-

192.168.1.5 is my local machine. Is this normal?

Update: Resolved this in another thread..

phunni

To stop users from bypassing your proxy setup a new firewall lan rule and block port 80 and 443

Just to clarify - this is to prevent users from bypassing the proxy altogether, rather than just  bypassing the autoproxy/wpad stuff?

phunni

The Squid Guard settings aren't working for me.  I download the blacklist and then go to Common ACL (I've already completed the target categories step on a previous run through), but the "Target Rules" only contains "^whitelist all" and there are only [whitelist] and Default access [all] options there.

On another point, I don't want to have to set up auto proxy for every device connecting to my network - would it work if I use transparent proxy and then explicitly set the https_proxy on the couple of machines I really need locked down?