Parental controls
-
I have installed pfsense with squid and squidguard to gain some level of parental controls on my home network.
I thought I was setting it up cleverly by:
- not using transparent proxy so I can have username logins
- using firewall rules to block HTTP and HTTPS so users can not bypass the proxy
- setting up user authentication in squid
- having a common acl in squidguard that is not restricted
- using a group acl to heavily restrict my son's username
- setting up a wpad.dat file for auto discovery of the proxy information
Once the internet connections or browsers on the network are setup for auto discovery of the proxy, this works well.
First problem: Android devices can be setup to use a proxy for the browser, but this setting has little to no effect on apps. Solution: Setup fixed IP leases for the android devices and configure firewall rules so they can bypass the proxy. Not great, opens up the option for another device to hijack that IP and gain unrestricted access, but oh well, better than nothing.
Second problem: I go to play some music on my squeezebox. I cannot access the squeeze server running on my computer, the squeezebox and squeeze server can not access logitech's squeeze network, I can't find any proxy settings, it just ain't gonna work. Solution: Setup fixed IP leases for my computer and squeezebox, firewall rules, bypass the proxy… You see the pattern.
We have apple iPods and iPads and a TIVO. I'm thinking I will discover issues with them also. As soon as my wife said she thought we needed some parental controls I knew I was in trouble, because of all of these devices that access the internet.
It seems like I am fighting the proxy doing it this way. Any opinions? What do other folks do?
-
Hi,
you are looking on the proxy only from one side. You let the proxy bypass SOURCE IP addresses. So someone can hijack this one and bypass the proxy.
Why don't you use the destination IP addresses for the squeezbox server and the server the adroid apps are connecting to ? So you bypass DESTINATION IP addresses and so noone can hijack the SOURCE IPs.
For the destination IPs just create an Alias and put there als destination IPs which are not working with a proxy.
In my company we are using "MindjetMind Manager" and this product can not be activated while using a proxy.
-
Thanks for taking the time to reply Nachfalke,
You are right. I was thinking about it from only one side. I assume you mean to discover the destination IP by examining the proxy logs to see what was denied. But how do sites like squeeze network, napster and pandora work (the apps that failed on my phone)? Do the apps always hit the same IP, or is there a bank of IPs that get assigned based on demand? I can see a frustrating period until all of the site's servers have been discovered. Or is there some tricky way to query DNS in some manner to get all IPs associated with *.napster.com?
-
Hi,
I am not sure, if the apps are always hitting the same IP or if they do a failover if one IP isn't available. But perhaps there is only the problem with one authentication server which is used for the first start of the app and after this the app is able to work with a proxy.
For example microsoft.com is using many subnets of IPs so I could allow the hole subnet.
To find out the IPs I checked the firewall after the apps tried to connect to the internet and then I tried to find out who is the owner of this IP/domain and which subnet belongs to this domain.
Not sure if there is an other way to find out all IPs.
Perhaps you can write a script which is doing a dns lookup for a domain some hours and which copies all the IPs to an excel sheet. Then you can delete all double entries and use the rest for the Alias/pfsense.If someone has got a better idea it would be great to hear it!