content filter
-
Hi, could you suggest how I can realize content filtering on pfSense?
I'm looking for open source free sw.
I had a look at kutter but it's not freeware.
Should I use squid for content filter?
And snort for app patrol?
I'm a little confused, thanks.
-
@reynold said in content filter:
I'm a little confused
Don't be.
You need to know what pfSense - the firewall / router - sees.
It shuffles around 'packets', some 1500-byte-sized entities;
The format is very well documented: the internet was actually invented to talk about: the Internet. It's a 50-year-old technology, so easy to understand.
While documenting, you will find the easy solution right away:
Abandon every usage of TLS (SSL), so no more port 443 = https, - use port 80 = http.
Same thing for your mails: no more port 443, 993, etc, use ports 587 and 110 and 143.
This might seem easy, but some services are not available any more without TLS ('SSL').
This also means that you can't use any banking services any more. Actually, many online services are not available any more.
So, OK, decide to keep https (TLS) traffic ... and now you have to know what TLS really is.
Because, if you want 'pfSense' to see the 'content' of the packets, you have to decrypt them. You have to do what's called MITM = Man In The Middle.
This means : your browser thinks it's connected to your bank, but is actually connected to your pfSense, as pfSense is doing 'proxy'.
pfSense scans your packets, and makes the request on your behalf to the bank. Decrypts it, scans it, encrypts it again, and sends the traffic to you (your browser).
In theory, it can be done.
I tend to say: you need to know how things (TLS, certificates, encryption, browser, web servers, etc) work before you even try to do something that enables you to see the actual data flow.
It was rocket science before, when the traffic was all 'clear', now you need to join Harvard for at least a year or so, just to understand what needs to be done.
-
@gertjan
OK, I understand your point of view, maybe I need a DPI SSL service to inspect packets (https feature).
But I'm looking for something simpler.
I want to block pornography, drugs, sex and similar.
How can I do that?
Can Squid help me?
After that I would like to block applications, so I was thinking of using Snort.
-
@reynold said in content filter:
But i'm looking for something simpler.
Go for pfBlockerNG 3.1.0.
@reynold said in content filter:
using snort.
It would have to use TLS decoding, which brings us back to "what is in the TLS stream".
That is, only IP source and destination, and source and destination ports are otherwise known to indicate what packets might contain (and some packet header flags).
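
What the last reply describes, shown as an added example that is not part of any post in this thread: a parser that reads the header fields named there from one IPv4/TCP packet and leaves the encrypted payload untouched. The packet, its addresses and its ports are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def build_sample_packet():
    """Constructed sample: IPv4 + TCP headers, then bytes standing in for TLS ciphertext."""
    payload = b"\x17\x03\x03\x00\x10" + bytes(range(16))  # fake TLS record, 21 bytes
    tcp = struct.pack("!HHIIHHHH", 51514, 443, 1000, 2000,
                      (5 << 12) | 0x18, 65535, 0, 0)  # PSH+ACK, checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0,  # TTL 64, proto 6 = TCP, checksum left 0
                     socket.inet_aton("192.168.1.10"),   # constructed LAN client
                     socket.inet_aton("203.0.113.5"))    # constructed server (TEST-NET-3)
    return ip + tcp + payload

def visible_metadata(packet):
    """Return the header fields a packet filter can read without decrypting anything."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4               # IP header length; options make it > 20
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4         # TCP header length
    payload = packet[ihl + data_off:total_len]
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "payload_len": len(payload),         # size is visible, content is ciphertext
    }

if __name__ == "__main__":
    print(visible_metadata(build_sample_packet()))
```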