Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-09 Thread WebDawg
On Mon, May 8, 2017 at 6:58 PM, José Gregorio Díaz Unda <
jgdiazu...@asyste.cl> wrote:

> Update:
>
> Before I left the office, decided to test from another laptop.
> Unfortunately, I was able to access YouTube.
>
> Why some machines access YouTube and others apparently are blocked?
>
> What could I be missing?
>
> Thanks in advance.
>
> José G.
>
>
>
Did you look into what I said about Chrome and HTTP over UDP?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-09 Thread José Gregorio Díaz Unda
Hi Vollmer,

Thank you so much for taking time to share your ideas.

As I can see, PFS offers an intuitive web interface, but SSL filtering
features Mia be configured in a specific mode.

It looks like I should use PFS only as a firewall and DNS resolver, and
set up DHCP and Squid independently.

Maybe Squid/Squidguard in a "solo-mode" are less complex to set up to
filter SSL. Or I should find a different alternative for Proxy/SSLFiltering.

Does this make sense?

Regards.

José G.





On Mon, May 8, 2017 at 9:39 PM Volker Kuhlmann wrote:

> On Tue 09 May 2017 03:34:06 NZST +1200, José Gregorio Díaz Unda wrote:
>
> > Has somebody setup well SSL Filtering in PFSense?
>
> Yes, or at least I tried to.
>
> Because there are substantial problems with MITM methods I tried simpler
> URL filtering. It looks like that'd be sufficient for you.
>
> Configure browsers with an appropriate proxy script to use pfsense:3128
> for both http and https as proxy. Squidguard can only filter on the host
> part of the URL for https, because the rest is hidden by ssl.
>
> Transparent mode is a disappointment, because it does not ensure traffic
> goes through squid/squidguard, as you observed. Pfsense is also
> fail-unsafe(!) - any issue with squid or squidguard bypasses the proxy,
> disabling all filtering, which I find rather unsatisfactory. Or whatever
> the exact reason is some traffic bypasses squid/squidguard, I haven't
> found it yet. Turning transparency off and inserting a block rule for
> direct http/https seems to be safest.
>
> Also, squid bypasses squidguard when it detects a malfunction with it -
> OK for a cache, pretty much no good for a filtering proxy implementing
> policies.
>
> There are bugs in the handling of filter expressions in squidguard,
> allowing some URLs to pass that should be blocked! Plus the SG config
> file generation in pfsense is broken (creates illegal/non-functional
> configs), but no-one was interested in fixing it although I submitted a
> patch years ago.
>
> It'd also be handy if pfsense was able to serve the browser proxy script
> and squidguard error pages, but in the desirable configuration it's not,
> though serving the error pages does seem to work partially anyway.
>
> HTH,
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
>
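
An added illustration (not from the thread, and not Squid or squidGuard code) of the point in the quoted message that a URL filter behind an explicit proxy sees the full URL for http but only the host for https. The request lines, the example.test names and the simplified matching rules are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed request lines, as an explicit (non-transparent) proxy would
# receive them from a browser configured to use it for http and https.
SAMPLE_REQUESTS = [
    "GET http://video.example.test/watch?v=abc HTTP/1.1",
    "CONNECT video.example.test:443 HTTP/1.1",
    "CONNECT news.example.test:443 HTTP/1.1",
]

def visible_to_filter(request_line):
    """Return (host, path) as seen by the filter; path is None for CONNECT."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # Only host:port is sent in the clear; the path and query travel
        # inside the TLS tunnel and never reach the filter.
        host = target.rsplit(":", 1)[0].strip("[]")
        return host.lower(), None
    url = urlsplit(target)
    if not url.hostname:
        raise ValueError("no host in request target: %r" % target)
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    return url.hostname.lower(), path

def host_blocked(host, blocked_domains):
    # Simplified domain-list match (assumption): the domain or any subdomain.
    return any(host == d or host.endswith("." + d) for d in blocked_domains)

def decide(request_line, blocked_domains=(), blocked_path_prefixes=()):
    host, path = visible_to_filter(request_line)
    if host_blocked(host, blocked_domains):
        return "block"
    # Path rules can only fire when a path is visible, i.e. plain http.
    if path is not None and any(path.startswith(p) for p in blocked_path_prefixes):
        return "block"
    return "allow"

def run_samples():
    path_rule = [decide(r, blocked_path_prefixes=["/watch"]) for r in SAMPLE_REQUESTS]
    host_rule = [decide(r, blocked_domains=["video.example.test"]) for r in SAMPLE_REQUESTS]
    return path_rule, host_rule

if __name__ == "__main__":
    for name, verdicts in zip(("path rule", "host rule"), run_samples()):
        print(name, list(zip(SAMPLE_REQUESTS, verdicts)))
```

The path rule blocks only the plain-http request, while the host rule blocks both requests to the listed host and leaves the other host alone.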