Proxy: content filtering, IP/DNS filtering, TLS 1.3



  • I started off with a journey to allow content filtering to prevent the kids going on porn sites but soon discovered that it's tricky business. Running pfSense 2.4.5 on a small SoC machine with 4GB RAM. I have the unbound resolver activated with all DNS traffic routed to the resolver so that it also goes through the VPN and doesn't leak my IP.

    I initially looked at Squid+SquidGuard but soon found out that getting it to egress properly on my VPN outbound connection was turning into a nightmare and I eventually gave up. I also discovered tonight that Squid doesn't support TLS 1.3 while most modern browsers do. I've read that many have similar problems with getting Squid to egress correctly on the VPN (those at least that are trying to route their traffic from their home network over a VPN provider). I'm not after the caching functionality so I wasn't attracted to Squid for this purpose.

    My second option was to install pfBlockerNG. I activated both IP and DNS filtering with TLD activated too so I can, for example, blacklist xxx domains. It turns out that when you type "porn" or "warez" on my network, you are still exposed to lots of content that is not being blocked. I know that filtering porn these days is a nightmare. But surely there must be a somewhat effective way of filtering this content on a pfSense machine (i.e. I'm not interested in having two machines, one for the proxy and one for the firewall as I've read that this is how many get over the egress issues I mentioned above).

    Has anyone managed to successfully filter content to an acceptable level and route traffic through a VPN provider in such a way that IPs are not leaked?

    I've read that people use OpenDNS and get their resolver to query OpenDNS but I guess this opens questions around privacy and the fact that you let others decide what can and cannot be accessed.

    I look forward to an interesting discussion on content filtering with pfSense. I know there is a lot in the Netgate forums but I find much is quite outdated.
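To make concrete what the DNS/TLD filtering described above actually decides (and why a search page on an unlisted domain still gets through), here is an added example of a resolver-side blocklist matcher. It is not pfBlockerNG's or pfSense's code; the feed, domain names and sinkhole address are constructed for the demo, and the only real syntax it emits is unbound's `local-zone` / `local-data` form.

```python
"""Toy DNSBL-style matcher: exact domain, any subdomain of a listed domain,
and whole TLDs (e.g. .xxx), plus rendering of unbound local-zone lines.
Added illustration; not pfBlockerNG's implementation."""

# Constructed sample feed in the hosts-file style many DNSBL feeds use.
SAMPLE_FEED = """\
# sample feed (constructed for this example)
0.0.0.0 adult-site.example
0.0.0.0 tracker.example   # trailing comment
127.0.0.1 localhost
warez-mirror.example
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
BLOCKED_TLDS = {"xxx"}          # TLD blocking, as the post enables it


def normalize(name):
    """Lower-case, strip surrounding whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_feed(text):
    """Return the set of domains in a hosts-style or plain-domain feed."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        # "0.0.0.0 name" -> take name; bare "name" -> take it as-is
        name = fields[1] if len(fields) >= 2 and fields[0] in SINK_ADDRESSES else fields[0]
        name = normalize(name)
        if name in LOCAL_NAMES:
            continue
        domains.add(name)
    return domains


def is_blocked(qname, blocked_domains, blocked_tlds=BLOCKED_TLDS):
    """Return a reason string if qname is blocked, else None.

    The walk over suffixes is what makes 'www.adult-site.example' match a
    feed entry 'adult-site.example'; a name not on any list (e.g. a search
    engine results page) is never blocked, which is the coverage gap the
    post ran into."""
    parts = normalize(qname).split(".")
    if parts[-1] in blocked_tlds:
        return f"tld:{parts[-1]}"
    for i in range(len(parts)):
        suffix = ".".join(parts[i:])
        if suffix in blocked_domains:
            return f"domain:{suffix}"
    return None


def unbound_local_zones(blocked_domains, blocked_tlds=BLOCKED_TLDS, sink="0.0.0.0"):
    """Render unbound config lines that answer a blocked name (and all of its
    subdomains, which is what 'redirect' does) with a sinkhole address."""
    lines = []
    for name in sorted(blocked_tlds | blocked_domains):
        lines.append(f'local-zone: "{name}." redirect')
        lines.append(f'local-data: "{name}. A {sink}"')
    return lines


if __name__ == "__main__":
    blocked = parse_feed(SAMPLE_FEED)
    # Constructed query log; 'search.example' stands in for an unlisted site.
    for q in ["www.adult-site.example", "video.xxx", "search.example", "cdn.tracker.example"]:
        print(f"{q:28} -> {is_blocked(q, blocked)}")
    print("\n".join(unbound_local_zones(blocked)))
```

The output makes the post's observation visible: only names that are enumerated (or sit under a blocked TLD) are answered with the sinkhole, so any page served from an unlisted domain, including search results and image proxies, passes through the resolver untouched.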



  • @trilobite said in Proxy: content filtering, IP/DNS filtering, TLS 1.3:

    I know there is a lot in the Netgate forums but I find much is quite outdated.

    Because, as you already discovered: the MITM concept is entering its final, ending phase. It's getting really hard.
    It's not only you who tries to enforce privacy. The entire browser - network - server setup goes that way. It's actually you who wants this happening. For all of us. And good rules do not permit exceptions ;)

    Also: OpenDNS might have some good (never perfect) results as you off-load the tedious and ongoing filtering work to others. And yeah, they will say 'no' if your DNS filtered network was asking for 'p0rn.xxx' domain name. And now they know. Up to you to trust them.
    If you do not want others to see what you do, then it will be you and your network, which means you'll have to invest in hardware - like a dedicated proxy machine for best results - and lots of your time, which will be an ongoing battle, as the net and its tricks and rules change all the time.
    It might be easier to take control of the device your kids are using.

    PS: Actually happy that mine are over 25.

