Egress Filtering: Redirecting to Censornet on the same subnet not working



  • Hi

I thought I had this figured out yesterday, but I was wrong. I followed a tut from Havok regarding egress filtering and forcing users to use a specific IP for Internet access (8080, 80, 443). This works for my pfSense boxes behind my main gateway (pfSense) that are on different subnets, but not on the actual main pfSense box, which is on the same subnet as my Censornet.

    I have 4 pfsense boxes in our setup and am wondering how to deploy in such a way that I can force all my users to use my Censornet proxy for URL filtering etc.
I have 4 different subnets but have no problem seeing my proxy and enforcing it via GPO, DNS and DHCP. The only problem now is that users who use Chrome and Firefox can bypass my settings. Thus a solution involving egress is urgently needed.

If anyone can suggest the right route, please respond. If more information is required to help solve this problem, please just ask.



  • You're saying that on the main pfSense box you've blocked outbound access to ports 80, 8080 and 443 from all IP addresses other than the Censornet box and that isn't working? Can you post screenshots of your firewall and NAT rules for that interface please.



Before I do the screenshots: I have only set up LAN rules and no NAT rules, as I am only monitoring LAN to WAN. Is this wrong then?
    I followed http://forum.pfsense.org/index.php/topic,31831.0.html as reference.
    I have no NAT rules set up for access to 8080, 80 or 443.



  • You've cut out all the context - please provide a simple network diagram showing how everything is connected and tell us which interfaces those rules apply to.

    (What you've done is like telling a mechanic that your car is making a grinding noise, but not telling them where it's coming from)



  • Herewith the diagram.
    Please let me know if you require any additional information.

The rules apply to the LAN interfaces. I have only worked with the interfaces as per your advice in the previous post; all I did other than that was create the aliases.
    I had to change back to allow all on LAN for now, but would still want to use egress filtering by default.




Is your pass rule above your block rule? If so the block rule will never apply. Why not make the pass rule specific to the CensorNet host?

    Note that if all you're doing is blocking those few ports it's trivial to bypass. It would be much better to block all outbound ports by default and only allow those you require - ideally not allowing any desktop to go directly out to the Internet.



  • Hi,

I am not sure, but perhaps this could be a solution for you:

    http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid



  • @Cry:

Is your pass rule above your block rule? If so the block rule will never apply. Why not make the pass rule specific to the CensorNet host?

    Note that if all you're doing is blocking those few ports it's trivial to bypass. It would be much better to block all outbound ports by default and only allow those you require - ideally not allowing any desktop to go directly out to the Internet.

That is what I am working towards: to block all ports and only allow what we use on site.
    I have most of the application ports and thus more, but as internet is a big part of the solution, getting it to function correctly without being able to bypass the URL filtering system is the priority.

    If I delete the allow all rule does that block all outbound from LAN by default?
    Or should I create a default block all rule, and add my allow rules beneath the block rule from LAN?

Thanks so much for the advice; sorry if I did not give all the info you requested the first time.



  • I'd suggest you make your allow rules specific - only allow the traffic from the host or hosts you want to allow traffic from. Then if there is no allow rule listed the default deny rule will apply.



  • @Cry:

    I'd suggest you make your allow rules specific - only allow the traffic from the host or hosts you want to allow traffic from. Then if there is no allow rule listed the default deny rule will apply.

I just want to be sure I get this right:

    Source: LAN net
    Port: *
    Block

    Destination: 192.168.1.2
    Port: 80,443,8080
    Pass

And whatever other rules I have underneath to pass, or is it not necessary to create a block rule at all?

Should my rule for the Censornet not state "if not Censornet, block"? Or will it work if those ports to destination 192.168.1.2 are the only internet ports?

I created the rules as above and tested them now, but it seems not to work when I employ it this way. Are my source and destination rules correct?

I have for the interim just checked the firewall log file:

    block Feb 23 23:19:24 LAN 192.168.1.4:60977 192.168.1.1:80 TCP:S

I am testing from 192.168.1.4 and my pfSense main box is 192.168.1.1, so I take it I am still creating the rules wrong.
    Is it possible for you to give me an example of how the rules should look please?

    Ok got it working:

    Delete default Allow All Rule on LAN
    Create Allow Rule Source Censornet Source Port any Destination any Destination Port 80,443,8080

    Working! Please let me know if this is incorrect.
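The three rule orderings discussed in this thread (the pass-all rule above the block rule, the block-first layout posted above, and the final working set with no allow-all rule) can be compared with a small first-match simulator. This is an added example, not code from the thread or from pfSense; it assumes the thread's addressing (LAN net 192.168.1.0/24, Censornet at 192.168.1.2, pfSense at 192.168.1.1) and a constructed external address, and it models only the first-match behaviour of pfSense interface rules plus the implicit default deny.

```python
# Added example (not from the thread or from pfSense): a first-match simulator
# of how pfSense evaluates the rules on a LAN interface, used to compare the
# rule orderings discussed above. Addresses and rule sets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LAN_NET = ip_network("192.168.1.0/24")  # the "LAN net" alias; matches the thread's addressing
CENSORNET = "192.168.1.2"               # Censornet proxy address as given in the thread
PFSENSE_LAN = "192.168.1.1"             # main pfSense box as given in the thread
WEB_PORTS = frozenset({80, 443, 8080})  # the proxy/web ports the thread filters
INTERNET_HOST = "203.0.113.10"          # constructed external address (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # "any", "LAN net", or an IP/CIDR
    dst: str                     # same forms as src
    dports: Optional[frozenset]  # destination ports; None means any port
    label: str                   # name reported with the verdict


def _addr_matches(spec: str, addr: str) -> bool:
    """Does an address fall inside a rule's source/destination spec?"""
    if spec == "any":
        return True
    if spec == "LAN net":
        return ip_address(addr) in LAN_NET
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the rule list top-down; the first matching rule decides.

    pfSense interface rules are first-match, and a packet that matches no
    rule hits the implicit default deny at the end of the list.
    """
    for rule in rules:
        if (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)
                and (rule.dports is None or dport in rule.dports)):
            return rule.action, rule.label
    return "block", "default deny"


# 1. Pass-all rule left above the block rule: the block can never fire,
#    so a desktop still reaches the Internet directly on port 80.
BROKEN_ORDER = [
    Rule("pass", "LAN net", "any", None, "default allow all"),
    Rule("block", "LAN net", "any", WEB_PORTS, "block web ports"),
]

# 2. The ordering posted above (block LAN net first, then pass to the proxy):
#    the block shadows the pass, so even traffic to the proxy is dropped.
AS_POSTED = [
    Rule("block", "LAN net", "any", None, "block LAN net"),
    Rule("pass", "any", CENSORNET, WEB_PORTS, "pass to Censornet"),
]

# 3. The rule set reported working: no allow-all, one specific pass rule
#    for the proxy host, everything else falls through to the default deny.
WORKING = [
    Rule("pass", CENSORNET, "any", WEB_PORTS, "pass Censornet to web ports"),
]

if __name__ == "__main__":
    cases = [
        ("broken order: desktop -> internet:80", BROKEN_ORDER, "192.168.1.4", INTERNET_HOST, 80),
        ("as posted:    desktop -> proxy:8080", AS_POSTED, "192.168.1.4", CENSORNET, 8080),
        ("working:      proxy -> internet:443", WORKING, CENSORNET, INTERNET_HOST, 443),
        ("working:      desktop -> internet:80", WORKING, "192.168.1.4", INTERNET_HOST, 80),
        ("working:      desktop -> pfSense:80", WORKING, "192.168.1.4", PFSENSE_LAN, 80),
    ]
    for name, rules, src, dst, port in cases:
        print(f"{name:40s} {evaluate(rules, src, dst, port)}")
```

Two things the simulation makes visible that the rule screenshots would not. First, the working set has no pass rule from the desktops to the proxy, and it does not need one: 192.168.1.4 and 192.168.1.2 are on the same subnet, so that traffic is switched directly and never crosses pfSense, which is exactly why the same-subnet case differs from the other subnets (those boxes do need a pass rule from their LAN to the proxy). Second, the working set also drops the desktop's connection to 192.168.1.1:80, which is what the logged block line shows; if the pfSense web GUI must stay reachable from the LAN, add a specific pass rule to the firewall's own LAN address above the default deny rather than restoring the allow-all rule.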

