Content Filtering with Authentication to Bypass Rules?



  • Hi, all.

    Newcomer to this particular forum, but a 20-year veteran of Linux and its various add-ons. I have two "servers" in my house now providing a variety of different services to the network. I've decided to remove "Internet gateway" from my main server and push that to a dedicated box.

    I need content filtering (squid + squidguard were in use on the old gateway machine) because of the little ones. But, I also need an easy way to turn it off when necessary. There's a shared desktop machine in the house that I sometimes use, and I wouldn't want to bypass the filter on that machine and have it leave the gates open if one of the kids uses the machine after I do (so, pure IP or MAC bypass wouldn't work).

    For the devices that are fixed to the house, configuring a proxy server so that authentication can be used is reasonable. The auto proxy configuration via DNS and a proxy config file has not been very reliable for me. I have a laptop (Mac) that needs to connect to customer networks easily, two different phones, and an iPad that can go in and out of the house at any time. There are additional phones and iPads in place and I also have friends / relatives that would potentially need access while they're in my house.

    Does anyone have a working guide for the 2.1.5-Stable release that would help me get this all set up? Additionally, I can absolutely leave Squid/Squidguard running on my main server, I can add captive portal there as well, or I can run any portion of it directly on the pfSense box.

    Any assistance would be greatly appreciated.



  • This is a good place to start for the add-ons, the packages forum: https://forum.pfsense.org/index.php/board,15.0.html

    In the packages available on 2.1, I can see Squid (stable 2.7.9 pkg v.4.3.4) and Squid3 (beta 3.1.20 pkg 2.1.1); using the forum search and Google usually throws up relevant info to help me achieve what I'm after.

    On the point of having a proxy server, with security becoming more of a focal point, would having a proxy server be of much use if some of the traffic is going to be encrypted?

    I'm assuming you'll have some sort of wifi access, so as some devices will be permanent as well as guest devices, maybe an alternative approach to some network security might be setting up a captive portal? You can cover all your bases and even charge strangers for your wifi access if it's located in a populated location.

    https://doc.pfsense.org/index.php/Captive_Portal

    http://www.youtube.com/watch?v=O9D2fM883Fc

    You can do an awful lot with pfSense, so if you have some idea of your ideal setup it should be possible. You could have your LAN on one IP address range and your wifi access point/router plugged into a 2nd NIC on pfSense with a different range, or you could just simply plug the wifi access point/router into your LAN and not isolate the traffic that way.

    If you want content filtering for your kids, have you also looked at, say, Snort and Suricata for what the content filtering doesn't cover?

    Do you want to restrict net access to some devices depending on the time of day and day of week?

    Do you want remote access onto your network? If so, any preference between IPsec or VPN, as another example?

    One tip: it can be worth setting up a virtual pfSense with VMware or virtualbox.org to test things out before deployment, especially with the snapshot feature. If you mess anything up, rolling back one or two snapshots is quicker than doing a reinstallation from scratch with or without backups.



  • Thanks for the response.

    I'm familiar with Squid2 and Squid3 - which one to use on pfSense is a bit unknown, since the ver3 package states that it's BETA and BOTH versions of squidGuard say they're BETA.

    As far as encrypted traffic goes - yes it's still valid to proxy if you're using Squid3 and the SSLBUMP feature (which allows you to decrypt the SSL traffic).

    To be very direct - I've found the documentation and HOWTOs for this product to be very lacking. They seem to be versions behind the actual software packages, and it makes it very confusing to understand how to configure a current version when the options have changed from what's being shown in the documentation.

    What I'm describing is the essence of what DansGuardian offered for so many years. The project has largely stopped in development although certain pieces of it are still being tinkered with. I believe the last release of the software was over two years ago at this point. So, I'm looking for a combination of products that can do that sort of control.



  • I don't use Squid so I can't comment on the docs, but there's usually some good how-tos in the forums.

    The SSL bump is just a form of man-in-the-middle, which is why I queried the use of a proxy for SSL; browsers will complain, which some won't like, but if you're happy with that, so be it.  ;)



  • @firewalluser:

    I don't use Squid so I can't comment on the docs, but there's usually some good how-tos in the forums.

    The SSL bump is just a form of man-in-the-middle, which is why I queried the use of a proxy for SSL; browsers will complain, which some won't like, but if you're happy with that, so be it.  ;)

    If you're aware of a good HOWTO that focused on a non-development version of Squid, I'm all for seeing it. Everything I have come across is either out-of-date compared to the current package, has you using BETA packages, or leveraging pay-for subscription services like Diladele for the content filtering. It would be nice if there were actual documents for the current stable versions of packages that had accurate information in them.



  • When is software not in development?

    I'd pick a version and see how good or bad it is; don't be deterred if it's been called developmental, because I know some developers who always err on the side of caution, whilst others will rush something out and call it gold straight away.

    Some of the stuff might require editing of the files directly on disk to get it configured or working, but there isn't much I have not been able to get to work when using pfSense, although I do spend more time editing files on disk now than I used to, to overcome restrictions in the GUI.



  • So here is what I do… I'll describe it and if you think any of it would be helpful I could probably package it up and send it to you. My setup is using Dansguardian with forwarding rules to transparently proxy.

    1.) Rules to forward an alias (defining sets of IP addresses) to DG. This allows me to set up IP addresses that do not get forwarded for things like the Xbox, Rokus, etc. Obviously, I also set up all devices that connect to the network with a static address - which also allows me to track activity by address (in the DG logs). For ease of tracking and in order to implement things like "time restrictions" by user, I assign devices for each user to a specific IP range.

    2.) I have a custom set of IPFW rules that make sure the MAC/IP combinations I have set are not hijacked by another MAC. I wanted to allow non-static defined devices to connect (they get a DHCP-assigned address), but this keeps anyone from statically assigning themselves an IP that is not forwarded to the filter. I auto-generate the rules using a script that reads the static assignments from DHCP. I've made changes to the DHCP page and the captive portal setup scripts to run my script (which loads the IPFW rules) whenever you "save". I don't actually use the captive portal - I just turn it on in order to activate the IPFW firewall - the rules created by my script simply skip the normal captive portal rules.

    3.) I have a custom "bypass" page that DG displays when it hits a blocked site. If you enter a valid bypass password, it adds your IP to an alias for addresses that do not get forwarded to DG. Another script (executed every 2 minutes via cron) removes the address after 15 minutes. End result is you enter a valid password and you can bypass DG for 15 minutes. It has a custom password file but also checks for IDs/passwords stored in the pfSense config.xml file.

    Let me know if you want any of this... I've posted some of it on other threads, but I could also package it up for you (or describe how to do it) if you are interested.
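As an added illustration of the timed bypass in step 3 above (this is example code, not rjcrowder's script, which is not posted here), the sketch below keeps a state file of "IP epoch" entries written when a bypass password is accepted, drops entries older than 15 minutes on each cron run, and pushes the survivors into a pf table; the state-file format and the table name `dg_bypass` are assumptions, and the expiry is what keeps a bypass from outliving the person who entered it on a shared machine.

```shell
#!/bin/sh
# Constructed example: expire timed filter bypasses and sync them to a pf table.
# State file format (assumed, one entry per line): "IPADDR EPOCH_SECONDS_ADDED"
BYPASS_TTL=900          # 15 minutes, as described in the post
BYPASS_TABLE=dg_bypass  # assumed name of the "do not forward to DG" alias table

# expire_bypass FILE NOW
#   Rewrites FILE keeping only entries younger than BYPASS_TTL and prints
#   the IPs that are still live, one per line.  NOW is passed in so the
#   function is deterministic (cron would call it with $(date +%s)).
expire_bypass() {
  file=$1; now=$2
  tmp="${file}.tmp"
  : > "$tmp"
  while read -r ip stamp; do
    [ -z "$ip" ] && continue              # skip blank lines
    age=$((now - stamp))
    if [ "$age" -lt "$BYPASS_TTL" ]; then
      printf '%s %s\n' "$ip" "$stamp" >> "$tmp"
      printf '%s\n' "$ip"
    fi
  done < "$file"
  mv "$tmp" "$file"
}

# sync_table TABLE FILE
#   Replaces the pf table contents with the IPs in FILE; an empty FILE
#   empties the table, so an expired bypass really is closed.  pfctl is
#   only invoked when present, so the script is harmless on a test host.
sync_table() {
  table=$1; file=$2
  ips=$(cut -d' ' -f1 "$file")
  if command -v pfctl >/dev/null 2>&1; then
    # shellcheck disable=SC2086  (word-splitting of $ips is intended)
    pfctl -t "$table" -T replace $ips
  else
    echo "pfctl not found; would set table $table to: $ips" >&2
  fi
}

# Cron entry (every 2 minutes, as in the post) would run:
#   expire_bypass /var/db/dg_bypass.txt "$(date +%s)" >/dev/null
#   sync_table "$BYPASS_TABLE" /var/db/dg_bypass.txt
```

The bypass page would append "client-IP epoch" to the state file on a successful password and call `sync_table` immediately so the grant takes effect before the next cron run.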



  • rjcrowder:

    I'm intrigued. Some questions:

    • What version of pfSense are you running?
    • What version of pfSense did you begin doing this with?
    • Do you leverage Squid at all?
    • I was under the impression that DansGuardian was effectively no longer being developed. Isn't that the case? What happens when the site comes down and the software can't be had any longer?


  • @ember1205:

    • What version of pfSense are you running?

    Currently running 2.1.5 at home. However, I've started converting all my stuff to 2.2 as well. I have a set of scripts that do a whole bunch of stuff on top of the base install such as adding my custom scripts, patching some of the UI screens, etc. I've even created a "stripped down" and renamed version of pfSense for home use… I don't want to get into everything that it does (quite a bit if you want a purpose-built home filtering solution), but if you want to check it out I've started a manual which is here https://dl.dropboxusercontent.com/u/55672566/User%20Manual/Manual%20v0.1.pdf

    @ember1205:

    • What version of pfSense did you begin doing this with?

    Started on 2.0 something… I've kept it up to date across versions without much hassle.

    @ember1205:

    • Do you leverage Squid at all?

    The only reason I use Squid is because it is necessary for DansGuardian - Squid "caching" is disabled. At one point I had Squid configured for caching, but I didn't feel like I was getting any advantage from it (at least at my house) and browsing feels faster now that I've disabled the caching.

    @ember1205:

    • I was under the impression that DansGuardian was effectively no longer being developed. Isn't that the case? What happens when the site comes down and the software can't be had any longer?

    Unfortunately I think that is true. However, I believe it is still being compiled and can be installed via the package manager under FreeBSD. As long as that is the case I think it is safe to use it. Someone else has taken over development and renamed it to "e2guardian". You can Google it and find the development site. I've exchanged emails with him a few times (he has posted on here as well), but I don't know how much traction he's getting around having people adopt it.



  • Not trying to hijack this thread, but @rjcrowder I'm interested in #2, your IPFW setup. I came across another thread where you shared your DG Bypass page... Nice work! I had to make some tweaks to it for my box, but so far it is working nicely on my DansGuardian transparent-only access VLAN (KidsNet).



  • See this thread https://forum.pfsense.org/index.php?topic=71198.msg403630#msg403630. I've made a few changes since… take a look and let me know if you're interested and I can post updates on the old thread...