Locally Blocking HTTPS Sites
-
I am installing a pfSense box into my local network (home) so I can, among other things, enforce restrictions on web sites and other activity, since my kids cannot abide by the honor code.
For the purposes of this post I am looking for guidance on how to make sure certain web sites, ports and protocols are inaccessible to my kids through their devices. My original thought on how to accomplish this would be to block sites by web address using a locally hosted DNS server, since HTTPS addresses are encrypted before being sent along the wire and are only visible within the DNS so that the URL can be resolved to an IP address.
Another thought, which is more preferable, is to create rules based on MAC ID so that only their devices get filtered and my devices are left unaffected.
I am new to pfSense but not to FW rules and DNS function and am looking for the best way to accomplish this task.
Again to sum up:
- Using pfSense, is it possible to restrict certain devices, either by MAC ID or IP address, from accessing certain web sites whose URLs are using the HTTPS protocol?
- I would also like to restrict certain applications/apps from exiting the network; these would be apps like TikTok, YouTube, and any other app that might be the current "in thing" but not necessarily appropriate for young kids.
- Ideally I would like the flexibility to apply a schedule (days/times) to the rules/actions. If the above is doable, can this be done by a schedule, or will it remain in effect 24/7 until paused or removed?
Thank you very much in advance for your guidance.
-
-
- URL filtering can be done by squid+squidguard, or pfBlocker.
- By IP address, yes. pfSense doesn't do access control directly via MAC. Set static DHCP reservations for your kids' devices and then put the IPs in an alias. Use the alias when making firewall rules.
- This can be difficult. pfSense doesn't have any native app control and what you can get from addon packages is limited. A lot of apps talk on tcp/443 so you might end up having to log the URLs that the apps connect to and then blacklist them in your URL filter.
- pfSense supports schedules for firewall rules but the interface is very clunky IMO. Squidguard supports schedules for URL filtering.
-
-
@kom Thank you for the feedback. I can see this isn't going to be straightforward. I was hoping I wasn't going to have to spend most of my free time on this, but it seems like I might have to. Thanks again.
-
I have the base install up and running and need to monitor traffic to see where I need to start tightening permissions. I have looked but can't find a log/report that lists the sites being accessed by URL (not IP address); I can't do much with an IP until I know what it is tied to. I thought I saw this available in a tutorial video but am not sure if it was part of PFS or SNORT.
Thinking about it, would it be easier to use a proxy server or a local (LAN) DNS server to restrict access by URL?
Appreciate the feedback.
-
@rjp1267 Squid has a realtime monitor. I don't know if pfBlocker has something similar. I have no experience with Snort or Suricata.
-
@rjp1267 said in Locally Blocking HTTPS Sites:
easier to use a proxy server or local (lan) DNS server to restrict access by URL?
The easier solution would prob be to just block via DNS. pfBlocker comes to mind. Or you could just manually create DNS entries that would answer bad for unwanted FQDNs. Or you could use something like Pi-hole on your network to block stuff.
This sort of solution is prob easier than a proxy, but a proxy, if correctly configured, would allow for more granular control, where you could allow say www.domain.tld/something but block www.domain.tld/otherthing.
But a proxy is more difficult to set up and maintain than simple DNS blocking. And with pretty much the whole net being HTTPS now, it has become more difficult.
Clients' use of DoH has made even blocking DNS more difficult as well.
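As an added example that is not part of the thread, this is the "answer bad for unwanted FQDNs" approach written as pfSense DNS Resolver (unbound) custom options, using unbound views so only the kids' devices get the block. The client addresses and the two domains are constructed; it assumes those devices have DHCP reservations and use pfSense as their only resolver.

```conf
# Constructed example for Services > DNS Resolver > Custom options (pfSense).
# Assumes the kids' devices hold DHCP reservations 192.168.1.50 and .51 and
# resolve only through pfSense. A client that sends plain DNS to an outside
# server, or uses DoH over tcp/443, is not answered by this resolver and so
# is not affected by these entries.

server:
  # Route queries from the kids' addresses through the "kids" view below;
  # every other LAN client keeps the normal resolver behaviour.
  access-control-view: 192.168.1.50/32 kids
  access-control-view: 192.168.1.51/32 kids

view:
  name: "kids"
  # Fall back to the global config for names not listed in this view.
  view-first: yes
  # Answer NXDOMAIN for the zone and everything beneath it. The browser or
  # app never gets an address, so no TLS connection is attempted; the
  # encrypted HTTPS traffic itself is never inspected.
  local-zone: "tiktok.com." always_nxdomain
  local-zone: "youtube.com." always_nxdomain
```

From one of the listed devices, `nslookup youtube.com` should return NXDOMAIN while an unlisted device still resolves it; as the earlier reply notes, the extra hostnames an app actually contacts have to be found from logs and added the same way.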
-
Appreciate the feedback. I have a couple of questions before diving in. It might come as a shock, but I have never used this and am actually excited to give it a whirl; it is also one of the few products that has well designed documentation.
I have my base config backed up as an XML file and am torn between which one to try (Squid, pfBlocker), so Q1: can both coexist, or does one have to be disabled? Q2: should I decide to uninstall a package, is it a neat and clean process (no residuals, back to preinstall state)? Q3: any advice for a home network setup?
I have found some pretty good videos for pfSense; I will see if I can find any for these as well.
Thanks for the support.
-
@rjp1267 Both packages can coexist. Uninstall usually cleans up well but I have seen cruft from time to time. Q3 is hard to answer because it's pretty vague. It depends on what gear you have and what you want to achieve.
-
@kom Appreciate the input. My goal is to know where my kids are spending their time and assess if it's appropriate. Since it's a mixed environment, and some devices like school Chromebooks I can't control, and permissions per device get messy, time consuming and the end goal is not achieved, it makes sense to do it centrally, provided I don't introduce unintended consequences for myself and my wife. Eager to give it a shot and put my CCNA hat back on; it's been a long while. To answer your question about hardware, I am running a PoE managed switch and an old PC with an Intel 2 core 2 GHz CPU, 4 GB mem and a GB Intel quad port NIC; it's as barebones as you can get, I suspect.
-
@rjp1267 If you want to know where they're going then you don't have much choice other than a proxy. Only squid+squidguard allows you to block URLs as well as get full reports via Lightsquid about which websites they're spending their time on. Your network is pretty basic so there isn't much to say. Learning the quirks of squid will keep you busy for a while.
-
@kom I just installed pfBlocker-devel, and although it was a painless install and seems to work fine out of the box, I do not see reports/info I can use to block. I see the firewall logs and can add to the "block list", but they have text that says "Hosts blocked from Firewall Log view" and this confuses me: is the IP blocked from being listed in the log, or is it blocked at the WAN port? Haven't found documentation on that yet. Also PFB doesn't by default show the URLs associated with the IPs; I can try to use the resolve option, but that doesn't always deliver a result, and it doesn't seem to have an option to auto resolve. I may also install Squid alongside PFB and see what works best, but I realized I only have 2 GB of mem on this box and am already running at 20% mem usage, so I will probably bump up to 4 GB (max on this MB) and enable more bells and whistles. Waiting for the fun to begin :)
-
@rjp1267 pfBlocker is a DNS blackhole. Its entire purpose is to block unwanted sites via DNS. It does its job on LAN, not WAN.
Install squid+squidguard+lightsquid. Do NOT use it for caching, just as a URL filter. It won't take up much memory at all that way. Do NOT use transparent proxy. Use explicit mode (not transparent). You will have lots of questions once you get started. Ask them in the Cache/Proxy forum.
-
@kom You're awesome. I appreciate you taking the time to respond, and so quickly. LAN not WAN, good to know. I need to set up some sort of test to see how/if the rules I set up work, maybe something that affects my kids' access; if it works I will know by the screams and panic that will accompany the 404 or other destination unavailable messages. What music it will be. More to come.