Block https



  • Hello to all

    So I managed to integrate Dansguardian and squid3 …

    I managed to block sites that I post in the ACL list dansguardian but I can not block sites in https

    Blanket SSL / CONNECT Block. To block all SSL

    and CONNECT tunnels except to addresses in the

    exceptionsitelist and greysitelist files, remove

    the # from the next line to leave only a '** s':

    s **
    facebook.com

    but not block facebook

    wondering if anyone has solved this problem?
    I have already seen on the internet guides to block facebook via IP but I'm not interested in this solution

    Thanks to all



  • If you want to block SSL sites using dansguardian, you will need to set dansguardian as an explicit proxy in your browser (or use a wpad file).  You can transparently redirect for https. If you do that, https blocking should work.

    The other options…
    1.) Create dns overrides (on the dhcp page) to some bogus address
    2.) Use a DNS service like OpenDNS and put your blocks there.
    3.) Install your own DNS server (bind package) and create DNS block or redirect rules.



  • Hello and thanks for the advice

    I've tried using OpenDNS but I have seen that if a client sets its own dns in the parameters of the network card lock does not work anymore

    In fact, putting as DNS of my network card dns 8.8.8.8 I go to https facebook

    Hello and thank you



  • @gio79:

    I've tried using OpenDNS but I have seen that if a client sets its own dns in the parameters of the network card lock does not work anymore

    Gee, if only there was a magic box that could block network access to DNS-servers that are not approved :)

    No, kidding aside, just create rules to block name requests to any other DNS server.

    Edit: I now see that rjcrowder actually stated this in item 3 of his post.



  • What? give me more information



  • @gio79:

    What? give me more information

    Create a rule that block traffic to port 53 if the destination address is not equal to the DNS-servers you actually want to use.



  • Since I have great familiarity can you tell me how to make it the rule?

    thank you very much



  • @gio79:

    Since I have great familiarity can you tell me how to make it the rule?

    thank you very much

    It is just a lan firewall rule… I do it with two rules (but you might get away with one). The first rule allows all internal addresses to the opendns name servers. You can create an alias for them. The second rule blocks all internal addresses from hitting port 53 external. Let me know if you don't get it... I could do a screen shot when I get home.



  • Thank you so much if you can just send me a screen shot



  • I actually did three rules… see the ones with "53 (DNS)"...

    ![Screenshot from 2014-04-17 22:47:56.png](/public/imported_attachments/1/Screenshot from 2014-04-17 22:47:56.png)
    ![Screenshot from 2014-04-17 22:47:56.png_thumb](/public/imported_attachments/1/Screenshot from 2014-04-17 22:47:56.png_thumb)



  • Hello

    I seem to have figured out how to read in various forums that I need to activate OpenDNS, or better to make a profile on OpenDNS and record my public IP, my company has a static IP so I have no problem in registering an account on OpenDNS …. but before doing so I arose a doubt, all the traffic of my public IP and therefore my company will go before the OpenDNS servers that will apply filters and then I will see the desired web page ... my doubt is all slow in navigation? taking into account that the clients of my company are about 500?

    hello and thank you very much



  • Only the DNS requests go to OpenDNS (instead of to your ISP DNS server, or Google DNS 8.8.8.8 8.8.4.4 or wherever you got DNS before).
    Once the pfSense has resolved the name to an address using OpenDNS, it gives it to the LAN client/s which then access the requested site by the IP address. That's how DNS works  ;)
    If you do like the rules posted above, which stop clients being able to set some DNS server themselves, then they can only get DNS resolution from pfSense and OpenDNS.
    Then you setup your account in OpenDNS, and your filtering rules/categories. And OpenDNS returns some address of a block page for sites that you decided to block.
    Users can get around this if they know the actual IP address of the site - they type it directly into their browser. But these days most sites of any use, and the ones you want to block, have so many links to other things on different servers that it is no longer practical for anyone to work just by IP addresses!



  • @gio79:

    Hello

    I seem to have figured out how to read in various forums that I need to activate OpenDNS, or better to make a profile on OpenDNS and record my public IP, my company has a static IP so I have no problem in registering an account on OpenDNS …. but before doing so I arose a doubt, all the traffic of my public IP and therefore my company will go before the OpenDNS servers that will apply filters and then I will see the desired web page ... my doubt is all slow in navigation? taking into account that the clients of my company are about 500?

    hello and thank you very much

    OpenDNS is definitely an easy way to accomplish what you want… and as Phil pointed out, the only traffic that goes there is to port 53 for DNS resolution.

    As I said before... there are also a couple of other options.
    1.) You could enter the addresses you want to "block" as "overrides" on the DNS page. just make the override go to some bogus address.
    2.) You could also setup your own DNS server (unbound is available as a package). You would block/redirect in the DNS server settings.



  • Hello would you give me more info to try to achieve these two options that you said?

    thank you very much



  • There's not much else I can tell you… for option #1, it is right on the bottom of the DNS forwarder page.

    For option #2 you would need to install the "Bind" package from the list of packages. I'm not an expert on how to setup "Bind", but I know you can have it forward resolution requests to another site/page.



  • ok thanks
    if I wanted to follow option 1 what should I do? could you give me more details? that is not clear to me where is the page of the dns forward

    thanks



  • Services/DNS Forwarder on the GUI… Bottom of the page has a spot where you can enter overrides.



  • You could give me a hand? Case ever with the screen shots

    thank you very much