Web filtering (allow only few websites to a group)

V4705 · Apr 25, 2012, 7:57 PM

Hi,
We need to block all the websites (except for only few) to one division in this office (few people with static ip).

What's my options with pfSense?

Many thanks!

dreamslacker · Apr 27, 2012, 12:22 PM

Squid with Squidguard is probably your best bet. Alternatively, where the running of Squid has undesired effects, you can use URL aliases and firewall rules to block all port 80/ 443 traffic sourced from the group and bound for the URL alias.

jimp · May 1, 2012, 5:02 PM

That's not how URL aliases work.

Squid+SquidGuard (And maybe Dansguardian?) are the only ways to block/allow sites selectively. It can't be done with firewalls in any meaningful way.

stephenw10 · May 1, 2012, 5:34 PM

If you only want to allow access to, say, the companies web servers then you probably know what IPs they are on and can allow access only to those.
Depends what you mean by 'only a few'.

Steve

dreamslacker · May 2, 2012, 5:48 AM

@jimp:

That's not how URL aliases work.

I was under the impression that URL aliases are used to periodically resolve the IP addresses for firewall rules. If that is not the case, could you enlighten me on the purpose of the URL aliases?

Thank you.

V4705 · May 9, 2012, 4:12 PM

@jimp:

That's not how URL aliases work.

Squid+SquidGuard (And maybe Dansguardian?) are the only ways to block/allow sites selectively. It can't be done with firewalls in any meaningful way.

Thanks for the answer,
I tried to setup squid and squidguard but for some reason when I set the proxy configuration in my computer, I can't access any website (don't know if the proxy blocked that or it doesnt even communicate with the proxy…).

What I did until now:
installed squid and squidguard addons
set on squid ("proxy server"):
interface: lan
[v] allow users on interface
log dir: /pfsenselogs/proxy (dunno, just wrote some path…).
port: 8484 (again, dunno what to choose, just picked one because it didnt offer any default).

set on squidguard ("proxy filter"):
target categories -> "category1" -> domain list with 5-6 domains, separate by space.
common acl -> category1 whitelist, default access deny.
[v] not to allow ip addresses in url
redirect mode: int error page
redirect info: blocked
general ->
[v] enable
apply

Any help\tip\suggestion to start working with it, will be HIGHLY appreciated.

Thanks.

dhatz · May 9, 2012, 6:24 PM

@V4705:

We need to block all the websites (except for only few) to one division in this office (few people with static ip).
What's my options with pfSense?

It depends on which "few websites" you want to allow.

Most webpages load objects from many different domains, sometimes CDNs, in which case white-listing specific domains can be problematic.

V4705 · May 18, 2012, 6:22 AM

Our own websites and few web-based apps we're paying for (3rd companies).

stephenw10 · May 18, 2012, 12:33 PM

If those web sites are being served from a small number of fixed IPs then simply add those to an alias and use that in a firewall rule.

Steve

V4705 · May 18, 2012, 2:19 PM

Thanks for the quick reply,
I tried that, unfortunately its not working for those websites.
Any tips\guides on how to use Squid\SquidGuard on pfSense?

Thanks!