Content filtering on systems without use of squid or dansguardian
I'm a big fan of controlling things like content filtering directly on my own box, but for some people who for whatever reason want to be able to filter content but have a small processor and little RAM, so can't afford to run packages:
There is a way to have content filtered by a dns server before it hits your pfsense.
This is the process roughly.
Feel free to clean it up and post a friendlier version if you like.
On this topic, to get further blocking from the router, you can also set up a free dyndns account and then:
Set up a dynamic dns account with them. Load the dynamic dns info for your account into pfsense's dynamic dns service.
After that, on the dyndns website, set up your "defense plan".
In the defense plan, check off the blocks for the sorts of things you don't want kids to be able to access, like porn or whatever.
Then go into General > Setup.
Put the DNS settings for DynDNS into the DNS servers list. For DynDNS it's 184.108.40.206 and 220.127.116.11.
Also un-check the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box to allow your settings to take effect on all computers on your LANs.
DynDNS uses Barracuda filtering for DNS, so it should make a good complement to a system running Squid and DansGuardian, or for people who have systems with not enough processor for those things.
There. Now you have content filtering by Barracuda on your pfSense and everything attached to it (presuming they don't modify their computer's DNS settings by hand to circumvent). Can be used in tandem with Squid and DansGuardian to give more fail-safe protection.
You can then go to this site to see if this is working for all your computers:
(I decided it's best to list only 18.104.22.168 and 22.214.171.124 in the general config for this to work well, because even if the Google servers are listed below the DynDNS servers, if Google resolves even ever so slightly faster on occasion, it will bypass your filtering. So, make sure that 126.96.36.199 and 188.8.131.52 are the only servers you list if you intend to go with DynDNS.)
or use OpenDNS, which has a ton of controls to set filtering however you like, and can even do temporary bypasses and such.
That's also a great idea. Either will also catch "HTTPS"… like webmail, HTTPS Facebook and chats.
If you have a good guide, please post or I'll be forced to ACTUALLY do work to make this neat. (Not my strongest suit).
There's a big section on it in the book, not sure if we have another one up that's easy to find.
There are lots of Free Services. I kicked around the idea of using two DNS services. Setting one up to filter everything under the sun that might offend even the most "well I never" person on earth, and a second one that filters nothing much except malware sites (for us heathens).
Then having all the "kiddy computers" resolve using the first one and all us bad people can use the second one.
I know it's easy to make aliases, but I don't see an easy way to have one alias use one set of DNS servers and have a second use another set.
I know it's easy enough at the individual computers to do this, but I'd like to be able to do this on pfSense instead.
So, I went ahead and posted what is above which I know works.
I did a bit of a brain dump in this post: http://forum.pfsense.org/index.php/topic,63780.0.html - I think I'll have a play with that, as it could be useful to have computers in different categories of content-filtering.
Thanks for making me aware that DynDNS has a name-server based filtering system available. At $20/year for a 10-site account that seems very good value. I have about 10 sites with about 200 computers total behind them. The combination of DynDNS names for each site, Dynamic DNS update from pfSense, pointing DNS to the DynDNS servers, and blocking other DNS requests coming from LAN creates a way to cheaply and pretty-much effectively stop users from finding (accidentally or otherwise) sites that are inappropriate to work activities.
OpenDNS wants a business license that depends on the total number of computers behind all the public IPs. It has to be a bit of an honesty system, since because of NAT they don't actually know how many different private IPs/computers are on the private LAN at each site. But they can have a rough guess based on the volume of DNS queries (although that will be cached by the pfSense DNS forwarder…) A 200 computer agreement with OpenDNS is orders of magnitude more expensive.
Is there some fine print in the DynDNS offer that I have missed? That limits the amount of DNS traffic coming from each site or???
Would also be interested in a DNS filtering service which - unlike OpenDNS:
- does not hijack Google
- does provide proper NXDOMAIN for nonexistent domains
does not hijack Google?
Waits for explanation…
I think dyndns likes more users exactly as you described.
Their business model includes sending you suggestions for sites if you typo, and if you choose one of their suggestions, they get paid. More users typo-ing = more pay, so I doubt they care if you load the world on there.
does not hijack Google?
Waits for explanation…
Set your DNS to OpenDNS and try nslookup/dig on google.com… :P They've been doing this for ages - they even had the balls to call out OEM vendors (HP, Dell and others) who had a contract with Google to set up their customized search page (via a preinstalled utility that could normally be uninstalled via Add/Remove programs - as also explained on that landing page), talking a lot of BS about how evil that is and how much better the OpenDNS guys are… ::) Yet they've been hijacking Google all the time, silently, without any optout.
Frankly, the OpenDNS thing is evil. Also see https://en.wikipedia.org/wiki/OpenDNS#Issues.2C_conflicts_and_Google_redirection
They may play with Google, but they do NXDOMAIN if you tell them you want it, they just default to not doing it. At least, last I looked, there was a checkbox to control that behavior when you were logged in.
I don't like doing DNS-based control anyhow, since it doesn't stop a particularly crafty user from using their own hosts file or similar. No method is perfect though.
Well through a rigorous selection process, weighing all the pros and cons (blind luck) I chose dyndns some time ago for myself. So my opendns account goes largely unused for now. But I do have this evil plan to use it this way.
An interesting issue with using these services from some ISPs here. e.g. we have a WiMax service, the antenna device supplied has a LAN side that we can set with a private IP (good). On the WAN side it gets DHCP and is allocated an address in 10.20.0.0/16 - private address space and not even "carrier-grade-NAT" space (that could have collided with an unfortunate use of private space on our own LANs - it breaks all the rules for an ISP to be using allocated private end-user address space). Then that gets NAT'd eventually to some public IP shared by loads of subscribers - e.g. 184.108.40.206
When I set my DynDNS from pfSense it (correctly) sees my public IP as 220.127.116.11 and registers that against the name I choose.
When I setup any internet name filtering, it matches against my public IP, which is also being used by lots of other subscribers.
I guess, if one of those other subscribers points to the DynDNS server, their name requests will be filtered using my rules.
If 2 subscribers both have DynDNS Internet Guide filtering setup, they will both come from the same public IP and it will be very difficult for the DynDNS server to decide which rule set to apply. (Same difficulties for OpenDNS or any other name filtering service that needs to detect where/who the request is coming from and apply custom filtering rules.)
Oh for the day when IPv4 is gone and we all have real IPv6 addresses and routing.
I almost bought IPV4RIP.com yesterday… It's free.
Yes - you make an interesting point. The scenario I envisioned is trying to control content filtering for an entire office of people who are not installing software (such as a DNS updater), or a house full of kids, or perhaps a school or some other scenario where you lock down the user privileges so they can't install whatever pops into their tiny little brains.
In your proposed scenario my solution is broken for sure.
Your solution still works - it sometimes might work for an even wider audience than planned.
My real office users have desktops in the domain, or laptops for which they do not have admin privilege. So they can't change their allocated DNS server and can't add 1,000 naughty name/address pairs to their hosts file. All DHCP for allowed/known devices are static mapped. General devices in the DHCP pool get addresses in a range that has internet access blocked. When someone arrives with a new allowed device they have to get the WiFi password, connect, then we find them in the DHCP pool and static map them to their proper allocated address. Of course, someone can connect by cable to a real wall socket, set at suitable IP address and get access - but these days most people want to get their mobile device onto the WiFi, so they are stuck at step 1 getting the WiFi password.
I block any TCP+UDP to port 53 !LANaddress - then people with personal devices can set whatever DNS server they like, all the ones other than the one provided on the pfSense will simply not respond/work.
These people with personal devices could still load up a hosts file with a list of naughty site names and IP addresses that they get from somewhere, but they know the organisation policy and that there would be big trouble if they were caught going to those lengths to access prohibited material.
For me, the DNS provider filtering option is quite effective, simple to use and cheap!
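The "block port 53 to anything but the pfSense address" rule from the post above, written out as pf rules (an added example, not taken from the thread or from pfSense's generated ruleset). The interface name, LAN subnet and LAN address are assumed values; the pfSense GUI rules on the LAN tab produce the same logic, and the `log` keyword on the block rule makes circumvention attempts visible in the firewall log.

```pf
# Assumed values (constructed for this example): LAN NIC, LAN subnet and
# the pfSense LAN address that runs the DNS forwarder.
lan      = "em1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# 1. Let clients query the resolver on pfSense itself. The forwarder's
#    upstream servers (General > Setup) should be ONLY the filtering
#    provider's addresses, with "Allow DNS server list to be overridden
#    by DHCP/PPP on WAN" unchecked, so every lookup goes through the filter.
pass in quick on $lan proto { tcp udp } from $lan_net to $lan_addr port 53

# 2. Drop, and log, DNS traffic aimed at any other server. A device with a
#    hand-configured public resolver simply gets no answer, and the logged
#    block tells the admin which LAN host is trying to bypass the filter.
block in log quick on $lan proto { tcp udp } from $lan_net to ! $lan_addr port 53

# Everything else on the LAN stays as configured below this point.
```

This does not cover the hosts-file case mentioned above; it only ensures that name resolution that does happen over the network is answered by the filtering resolver.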