Web filter - what can I do with pfsense?



  • Hello,
    I'm considering switching my firewall to a PC running pfSense.
    I need some information about pfSense with Squid as a hybrid proxy/firewall.

    First of all: do you recommend combining the proxy and the firewall?

    I would like to get this result:

    • Log HTTP and HTTPS connections, storing transfer length, destination hostname and local IP or MAC address

    • Filter hostnames against a list of denied hostnames or by regex rule

    • Do not require any client connection configuration (transparent)

    • Do not decrypt HTTPS content and do not alter the certificate exchange (man-in-the-middle)

    • Optionally, it can be useful to cache HTTP content.

    It seems that I cannot use a standard transparent proxy because of point 4; is there an alternative? I would like to use Squid to filter (it can load a deny list and also use regex rules to filter domains), but it would only work for HTTP and not for HTTPS.

    Thank you for your suggestions and support.



  • @tobiascapin:

    • Log HTTP and HTTPS connections, storing transfer length, destination hostname and local IP or MAC address

    • Filter hostnames against a list of denied hostnames or by regex rule

    • Do not require any client connection configuration (transparent)

    • Do not decrypt HTTPS content and do not alter the certificate exchange (man-in-the-middle)

    • Optionally, it can be useful to cache HTTP content.

    Hi,

    Squid and SquidGuard will cover all of the points above.
    SSL interception is optional. As long as you leave the SSL part disabled, there is no modification (or interception) of SSL traffic.

    SquidGuard is optional but nice to have if you want to use complex rules (e.g. complex regex) and logging.

    Speaking of logging: all users should agree that you log their sessions,
    due to the law in many countries. As an example: I'm from Germany, and German/EU law doesn't allow the logging of accessed URLs and other personal data; this is due to privacy protection. A valid workaround is to log the MAC address and mask it in your reports.
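As an added example (not from either post, and not the squid.conf that the pfSense Squid package generates), the following minimal squid.conf shows how the requirements in the question map onto Squid directives: transparent ports, a deny list and a regex list for hostnames, per-connection logging of client IP, client MAC, destination host and transfer length, and an optional HTTP cache. It assumes Squid 3.5 or later built with OpenSSL; the file paths, ports and the LAN subnet are placeholders. One caveat it makes explicit: for intercepted HTTPS, Squid can only learn the destination hostname by reading the TLS ClientHello (SNI), which needs an `https_port` with `ssl-bump` in peek/splice mode. Splicing passes the client's original TLS handshake through unmodified, so nothing is decrypted and the server certificate is never replaced.

```conf
# Added example (not from the thread or the pfSense package): a minimal
# squid.conf for transparent HTTP/HTTPS hostname filtering without
# decrypting TLS. Assumes Squid 3.5+ built with OpenSSL; all paths, ports
# and the 192.168.1.0/24 LAN are placeholders.

# Transparent ports. The firewall redirects LAN traffic for 80 -> 3128 and
# 443 -> 3129 (on pfSense this is a NAT port-forward rule).
http_port 3128 intercept
# ssl-bump is required on the HTTPS port so Squid can read the TLS
# ClientHello; Squid needs the cert= file to start, but it is never shown
# to clients as long as every connection is spliced or terminated.
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/placeholder-ca.pem

# Deny lists: one domain per line (matches the domain and its subdomains),
# and one case-insensitive regex per line.
acl denied_domains dstdomain "/usr/local/etc/squid/denied_domains.txt"
acl denied_regex dstdom_regex -i "/usr/local/etc/squid/denied_regex.txt"
acl localnet src 192.168.1.0/24

# Step 1: peek only reads the SNI from the ClientHello (no decryption).
# Step 2: the SNI hostname is checked against the deny lists; a denied
# connection is closed (client sees a TLS failure, not a block page),
# everything else is spliced, i.e. passed through untouched.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate denied_domains
ssl_bump terminate denied_regex
ssl_bump splice all

# Plain HTTP is filtered by the same lists.
http_access deny denied_domains
http_access deny denied_regex
http_access allow localnet
http_access deny all

# One line per connection: timestamp, client IP, client MAC (%>eui needs a
# Squid built with --enable-eui and clients on a directly attached LAN),
# request URL, SNI hostname for HTTPS, and bytes sent to the client.
logformat hostlog %ts.%03tu %>a %>eui %ru %ssl::>sni %<st
access_log /var/log/squid/access.log hostlog

# Optional HTTP cache (HTTPS is never cached because it is never decrypted).
cache_dir ufs /var/squid/cache 2000 16 256
```

Regarding the logging point raised in the reply: with this layout the `%>eui` field carries the MAC address, so a report can be built from that column alone and the `%ru` / `%ssl::>sni` columns dropped or masked before anyone reads it.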