How To Block Any Website Using A PFSENSE Firewall.

Restricting access to websites is a common practice in many home and office environments. This may be due to the need to save internet data or to restrict access to social media, adult sites as well as many other types of websites and online services accessible from the internet. However most firewalls require you to purchase either a license key or a subscription prior to usage. If you do not have a budget or funds to purchase a firewall then PFSENSE is a good option for you. PFSENSE can be downloaded and used for FREE! and has the capability of blocking any website using features such as the PFSENSE dns resolver , firewall filter rules, and pfsense squidguard proxy  filter. This tutorial provides a guide on how you can block access to any website such as facebook / youtube or any other web application in your network using the DNS Forwarder & Resolver, Firewall rules and Squidguard features on a PFSENSE firewall

Requirements.

In order to complete this tutorial successfully the following items are required. Please ensure to have these items available before taking implementation action on this tutorial:
1) A desktop or laptop with Windows, MacOS or Linux Installed.
2) A web browser i.e firefox, safari or google chrome.
3) A PFSENSE firewall (virtual machine or physical appliance with atleast two network interface cards)
4) An internet connection

Overview

1)
2)
3)
4)

 

Introduction.

1) Filtering and blocking HTTP network connections is a simple procedure for a network firewall such as PFSENSE since HTTP connections are not encrypted. However most websites on the internet  including websites that most people wish to block use the HTTPS protocol for sending and receiving data. Services such as LETSENCRYPT permit anyone to obtain and set up a free SSL certificate for pretty much any website or web app. Whilst having a secure website is a good thing, it makes it difficult for network services such as a firewall to filter out HTTPS network traffic.  The good news is there are ways of filtering HTTPS traffic primarily through MAN-IN-THE-MIDDLE filtering and SERVER-NAME-INDICATION filtering.

MAN-IN-THE-MIDDLE Filtering

2)

SERVER-NAME-INDICATION Filtering

3)

Step One: Create An SSL Certificate Authority For SSL Interception.

4) In order to intercept and filter out HTTPS traffic, PFSENSE will use the MAN-IN-THE-MIDDLE filtering method. However an SSL Certificate Authority is needed. To create it go to “SYSTEM > CERT MANAGER > CAs”. 

Click on the “ADD” button, type in a name for the CA in the “DESCRIPTIVE NAME” text input box and select “CREATE AN INTERNAL CERTIFICATE AUTHORITY” on the “METHOD” drop down menu. Scroll down and click on “SAVE”. 

Step Two: Install The Squidguard Proxy Server Packages.

5) Start up the PFSENSE firewall, open up your favourite web browser and browse to the PFSENSE web configurator.

Enter your administrator login credentials on the login page. From the web configurator dashboard go to “SYSTEM > PACKAGE MANAGER” and select the “AVAILABLE PACKAGES” tab. Search for “SQUID” on the search bar and install the “SQUID” and “SQUIDGUARD” packages.

Step Two: Configure Squidguard To Work As A Transparent Proxy Server.

6) A transparent proxy server also known as a inline proxy, intercepting proxy, or forced proxy server is is a server that sits between a computer on a LAN and the internet. It forwards internet request made by the LAN computer and also sends internet responses back to the computer on the LAN network. However It is called “transparent” because it does so without making any changes to requests and responses unless configured to do so. A transparent proxy server has the advantage that there is no need to configure any network settings on
LAN computers. Transparent proxy servers are very usefull when there is a need to do content filtering on the network,  transaparent caching to improve network perfomance, traffic monitoring as well as network access authentication.

7) Now that the squid and squidguard packages have been installed, the next step is to configure them. Go to “SERVICES > SQUIDGUARD PROXY SERVER > LOCAL CACHE”. Set the amount of disk space to use for the cache on the “HARD DISK CACHE SIZE” input box. Enter 500MB scroll down and click on the “SAVE” button.

8) Select the “GENERAL” tab and click on the “ENABLE SQUID PROXY”check box. Select LAN on the “PROXY INTERFACE” setting and click on the “ALLOW USERS ON INTERFACE” check box.

9) On the “TRANSPARENT PROXY SETTINGS” section click on the “TRANSPARENT HTTP PROXY” check box and choose “LAN” on “TRANSPARENT PROXY INTERFACE(S)”

10) On the “SSL MAN IN THE MIDDLE” section click on the “ENABLE SSL FILTERING” check box and on the “SSL/MITM MODE” drop down choose the “SPLICE ALL” option. Select the “LAN” option on the SSL Intercept Interface(s) setting and choose the certificate authority created on step 4 on the “CA” drop down menu.

Scroll to the bottom of the page and click on “SAVE”

Step 3: Configure The Squidguard Proxy Filter.

11) The next step is to configure the squidguard proxy filter service and to download a blacklist. To do this go to “SERVICES > SQUIDGUARD PROXY FILTER”. Click on the “GENERAL SETTINGS” tab and click on the “ENABLE” check box. 

Do not click on the “APPLY” button as this will activate the squidguard service. The “APPLY” button should only be pressed after completing all the squidguard proxy filter configuration sections.

12) Scroll down to the “LOGGING OPTIONS” subsection and click on the “ENABLE LOG” and “ENABLE LOG ROTATION” check boxes. This will allow you to see what network traffic is being filtered and also automatically deleted logs to prevent the PFSENSE disk from filling up.

A Blacklist is a collection of URL’s grouped into several categories that can be used on URL filters such as Squidguard. On the “BLACKLIST OPTIONS” sub section click on the “BLACKLIST” checkbox to enable the blacklist feature and on the “BLACKLIST URL” text box type in the URL: http://www.shallalist.de/Downloads/shallalist.tar.gz 

Scroll down and click on the “SAVE” button.

13) Click on the “BLACKLIST” tab and you will see the blacklist URL that was added on the previous step. Click in rhe “DOWNLOAD” button and wait for the download and installation process to complete.

14) Next, click on the “COMMON ACL” tab and expand the “TARGET RULES LIST”. Scroll down to the “Default access [all]” entry and set the “ACCESS” option to allow.

To ensure that users on your network will not be able to bypass the squidguard proxy filter by simply typing in the IP address to the blocked website in the browser address bar click on the “DO NOT ALLOW IP ADDRESSES IN URL” checkbox.

Click on the “USE SAFESEARCH ENGINE” check box and set the “REWRITE” option to “SAFESEARCH” then click on the “SAVE” button.

On the “TARGET RULES LIST” there is a list of website categories and options to either DENY or ALLOW access. This is an efficient way of blocking websites as you do not have to block the specific URL but just the category of the website. For example to block access to adult websites simply scroll to the “[blk_BL_porn]” entry and set access to deny.

15) To block the specific URL of a  website such as FACEBOOK.COM or YOUTUBE.COM click on the “TARGET CATEGORIESS” tab and click on “ADD”. 

Type in a name for the TARGET CATEGORY as well as the domains that you wish to block. Scroll down and add a description for the target list. Click on the “LOG” check box if you wish to keep logs for the blocked domains and click on “SAVE”

16)