Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-15 Thread José Gregorio Díaz Unda
Hi Volker and thanks for your guidance.

I'm trying to avoid "MITM filtering" and Transparent-mode. I've read there
are problems with MITM when clients access bank sites.

As you said, keeping the proxy and firewall separated is a better choice.
These services must be 100% controlled, and sometimes these web interfaces
hide processes.

Thanks again!

José G.




On Fri, May 12, 2017 at 3:05 AM, Volker Kuhlmann <hid...@paradise.net.nz>
wrote:

> On Tue 09 May 2017 23:14:37 NZST +1200, José Gregorio Díaz Unda wrote:
>
> > It looks like I should use PFS only as a firewall and DNS resolver, and
> > setup independently DHCP and Squid.
>
> The DHCP server in pfsense is very good. With squid and squidguard I am
> less than impressed. It is more secure to run a web proxy on a different
> host than the firewall. If you want MITM filtering, pfsense is probably
> the easiest to set up because theoretically it's only a few clicks. I
> think there was a package for getting letsencrypt certs, if you trust
> them, you don't then need to import certs into all your clients.
>
> > May be Squid/Squidguard in a "solo-mode" are less complex to setup to
> > filter SSL. Or I should find a different alternative for
> Proxy/SSLFiltering.
>
> The best choice depends on what you want. The pfsense squidguard
> interface is not a time saver, some short strategic scripts in your own
> setup will probably be way faster in the long run.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-11 Thread José Gregorio Díaz Unda
Hi WebDawg,

Yes, I did. In fact, I found it was required to create a couple of firewall
rules, based on this info: How to Block QUIC Protocol
<https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-QUIC-Protocol/ta-p/120207>

   1. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: 80;
      Gateway: *
   2. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: 443;
      Gateway: *


During my research, I found there is a fork of PFSense named OPNsense which
apparently resolves a lot of issues.

I'll give it a try.

Thanks for all your help.

José.







On Tue, May 9, 2017 at 10:12 PM, WebDawg <webd...@gmail.com> wrote:

> On Mon, May 8, 2017 at 6:58 PM, José Gregorio Díaz Unda <
> jgdiazu...@asyste.cl> wrote:
>
> > Update:
> >
> > Before I left the office, decided to test from another laptop.
> > Unfortunately, I was able to access YouTube.
> >
> > Why some machines access YouTube and others apparently are blocked?
> >
> > What could I be missing?
> >
> > Thanks in advance.
> >
> > José G.
> >
> >
> >
> Did you look into what I said about chrome? and http over udp?
>

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-09 Thread José Gregorio Díaz Unda
Hi Volker,

Thank you so much for taking time to share your ideas.

As I can see, PFS offers an intuitive web interface, but SSL filtering
features may be configured in a specific mode.

It looks like I should use PFS only as a firewall and DNS resolver, and
set up DHCP and Squid independently.

Maybe Squid/SquidGuard in a "solo mode" are less complex to set up to
filter SSL. Or I should find a different alternative for Proxy/SSL Filtering.

Does this make sense?

Regards.

José G.





On Mon, May 8, 2017 at 9:39 PM Volker Kuhlmann <hid...@paradise.net.nz>
wrote:

> On Tue 09 May 2017 03:34:06 NZST +1200, José Gregorio Díaz Unda wrote:
>
> > Has somebody set up SSL Filtering well in PFSense?
>
> Yes, or at least I tried to.
>
> Because there are substantial problems with MITM methods I tried simpler
> URL filtering. It looks like that'd be sufficient for you.
>
> Configure browsers with an appropriate proxy script to use pfsense:3128
> for both http and https as proxy. Squidguard can only filter on the host
> part of the URL for https, because the rest is hidden by ssl.
>
> Transparent mode is a disappointment, because it does not ensure traffic
> goes through squid/squidguard, as you observed. Pfsense is also
> fail-unsafe(!) - any issue with squid or squidguard bypasses the proxy,
> disabling all filtering, which I find rather unsatisfactory. Or whatever
> the exact reason is some traffic bypasses squid/squidguard, I haven't
> found it yet. Turning transparency off and inserting a block rule for
> direct http/https seems to be safest.
>
> Also, squid bypasses squidguard when it detects a malfunction with it -
> OK for a cache, pretty much no good for a filtering proxy implementing
> policies.
>
> There are bugs in the handling of filter expressions in squidguard,
> allowing some URLs to pass that should be blocked! Plus the SG config
> file generation in pfsense is broken (creates illegal/non-functional
> configs), but no-one was interested in fixing it although I submitted a
> patch years ago.
>
> It'd also be handy if pfsense was able to serve the browser proxy script
> and squidguard error pages, but in the desirable configuration it's not,
> though serving the error pages does seem to work partially anyway.
>
> HTH,
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
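Volker's point that squidGuard can only see the host part of an HTTPS URL (the spliced CONNECT target), while an HTTP URL is visible in full, as a small model added here; this is illustrative code, not pfSense's or squidGuard's, and the domain list and regular expressions are constructed from the rules José describes (mega.cl and "youtube") plus one path-based expression to show the limit.

```python
import re
from urllib.parse import urlsplit

# Constructed ruleset mirroring the thread: a Domain List entry and a
# Target Group whose "Regular Expression" box matches "youtube".
# A path-based expression is added to show what splice mode cannot see.
DOMAIN_LIST = {"mega.cl"}
EXPRESSIONS = [re.compile(r"youtube"), re.compile(r"/watch\?v=")]


def proxy_visible(browser_url: str) -> str:
    """Return the part of the request the filtering proxy can inspect.

    Plain HTTP: the full request URL (host, path and query).
    HTTPS in "Splice All" mode: only the CONNECT target, host:port,
    because everything after the TLS handshake is opaque to the proxy.
    """
    parts = urlsplit(browser_url)
    if parts.scheme == "https":
        return f"{parts.hostname}:{parts.port or 443}"
    return browser_url


def in_domain_list(host: str) -> bool:
    # A squidGuard domain list entry covers the domain and its subdomains.
    return any(host == d or host.endswith("." + d) for d in DOMAIN_LIST)


def decide(browser_url: str) -> str:
    """Simplified decision: 'deny:<reason>' or 'allow'."""
    host = urlsplit(browser_url).hostname or ""
    if in_domain_list(host):
        return "deny:domainlist"
    visible = proxy_visible(browser_url)
    for rx in EXPRESSIONS:
        if rx.search(visible):
            return f"deny:expression:{rx.pattern}"
    return "allow"


if __name__ == "__main__":
    for url in (
        "http://www.youtube.com/watch?v=abc",   # full URL visible
        "https://www.youtube.com/watch?v=abc",  # only www.youtube.com:443 visible
        "https://example.com/watch?v=abc",      # path hidden by TLS -> passes
        "http://example.com/watch?v=abc",       # same path over HTTP -> caught
        "https://www.mega.cl/",                 # domain list works for both
    ):
        print(f"{url:40s} sees {proxy_visible(url):36s} -> {decide(url)}")
```

A host-matching expression like "youtube" still works on spliced HTTPS because the hostname is in the CONNECT target, but anything keyed on the path or query only ever matches plain HTTP.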

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread José Gregorio Díaz Unda
Update:

Before I left the office, decided to test from another laptop.
Unfortunately, I was able to access YouTube.

Why some machines access YouTube and others apparently are blocked?

What could I be missing?

Thanks in advance.

José G.




On Mon, May 8, 2017 at 7:20 PM José Gregorio Díaz Unda <jgdiazu...@asyste.cl>
wrote:

> Hi Web and thanks for your help,
>
> Recently I've updated to:
>
> 2.3.4-RELEASE (i386)
> built on Wed May 03 15:22:11 CDT 2017
> FreeBSD 10.3-RELEASE-p19
>
>
> And my packages for content cache/filtering:
>
> squid 0.4.36_3
> squidGuard 1.16.2
>
>
> I have selected "Splice All" for SSL/MITM Mode which says: "This
> configuration is suitable if you want to use the SquidGuard package for web
> filtering. All destinations will be spliced. SquidGuard can do its job of
> denying or allowing destinations according its rules, as it does with HTTP.
> You do not need to install the CA certificate configured below on clients."
>
> Currently I have Transparent HTTP Proxy mode enabled. However, I
> uninstalled the local SSL certificate pinned in Firefox.
>
> After enabling HTTPS/SSL Interception, I created a couple of rules:
>
>    1. In Domain List box I wrote: mega.cl;
>    2. A Target Group named "stream_de_video" and inside "Regular
>       Expression" box wrote "youtube".
>
>
> Then, I did some tests with Firefox and had these results:
>
>    1. http://youtube.com -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    2. http://www.youtube.com -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    3. https://youtube.com/ -> "Secure Connection Failed: An error
>       occurred during a connection to youtube.com. SSL received a record
>       that exceeded the maximum permissible length. Error code:
>       SSL_ERROR_RX_RECORD_TOO_LONG"
>    4. https://www.youtube.com/ -> "Secure Connection Failed: An error
>       occurred during a connection to youtube.com. SSL received a record
>       that exceeded the maximum permissible length. Error code:
>       SSL_ERROR_RX_RECORD_TOO_LONG"
>    5. http://mega.cl/ -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    6. http://www.mega.cl/ -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    7. https://www.mega.cl/ -> "Secure Connection Failed: An error
>       occurred during a connection to youtube.com. SSL received a record
>       that exceeded the maximum permissible length. Error code:
>       SSL_ERROR_RX_RECORD_TOO_LONG"
>
> I don't understand why 3 and 4 are not matching with the target group, but
> apparently YouTube is being blocked when the browser is Firefox. On the
> other hand, mega.cl as a domain is being blocked for both SSL and non-SSL
> traffic.
>
> However, when I do the same tests using Google Chrome there is a different
> story:
>
> Using an Incognito Window: Apparently everything is blocked
>
>    1. http://youtube.com -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    2. http://www.youtube.com -> Chrome redirects to
>       https://www.youtube.com and the error says "www.youtube.com sent an
>       invalid response. ERR_SSL_PROTOCOL_ERROR"
>    3. https://youtube.com/ -> The error says "youtube.com sent an invalid
>       response. ERR_SSL_PROTOCOL_ERROR"
>    4. https://www.youtube.com/ -> "Secure Connection Failed: An error
>       occurred during a connection to www.youtube.com. SSL received a
>       record that exceeded the maximum permissible length. Error code:
>       SSL_ERROR_RX_RECORD_TOO_LONG"
>    5. http://mega.cl/ -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    6. http://www.mega.cl/ -> "Request denied by pfSense proxy: 403
>       Forbidden" (Matched with stream_de_video target group)
>    7. https://www.mega.cl/ -> "www.mega.cl sent an invalid response.
>       ERR_SSL_PROTOCOL_ERROR" (Because mega.cl does not use a SSL
>       certificate)
>
>
> Using my "Normal Window" (Non-Incognito): I access YouTube via SSL
>
>
>1. h

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread José Gregorio Díaz Unda
.cl/ -> "Request denied by pfSense proxy: 403
      Forbidden" (Matched with stream_de_video target group)
   7. https://www.mega.cl/ -> "www.mega.cl sent an invalid response.
      ERR_SSL_PROTOCOL_ERROR" (Because mega.cl does not use a SSL
      certificate)


After you mentioned QUIC, I did some research and found this: How to Block
QUIC Protocol
<https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-QUIC-Protocol/ta-p/120207>

Apparently, I have to set up a firewall rule to block all UDP traffic for
80/443. So, I created a new rule in the Firewall section for LAN which
basically says:


   1. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: 80;
      Gateway: *
   2. Protocol: IPv4 UDP; Source: *; Port: *; Destination: *; Port: 443;
      Gateway: *


Now, when I try to access http://www.youtube.com with Chrome, it redirects
to https://www.youtube.com but apparently it's blocked: "This site can't be
reached. The webpage at https://www.youtube.com/ might be temporarily down
or it may have moved permanently to a new web address.
ERR_QUIC_PROTOCOL_ERROR"

Is that enough or do I have to consider anything else?

Thank you so much for your guidance.

José G.





On Mon, May 8, 2017 at 4:21 PM, WebDawg <webd...@gmail.com> wrote:

> There are interception modes.
>
> Peek
> Peek and splice
> And bump.
>
> So squid:
>
> I do not have it in front of me right now but it sounds like you do not
> have the SSL proxy setup right.  Only one of those methods does not require
> a SSL cert to be installed on a client system.
>
> Also you have to deal with pinned certs in web browsers... also you have to
> deal with chrome udp protocols like QUIC that bypass the proxy entirely...
>
> It is either you have the proxy setup wrong or did not setup the squid rules
> right.
>
> Web.
>
>
> On May 8, 2017 11:34 AM, "José Gregorio Díaz Unda" <jgdiazu...@asyste.cl>
> wrote:
>
> Dear PFSense crew,
>
> I'm not sure if this is the right place to post my issue. If not, please
> let me know.
>
> Has somebody set up SSL Filtering well in PFSense?
>
> I have installed:
>
> PFSense 2.3.3_1
> squid 0.4.36_3
> squidGuard 1.16.1
>
> Transparent Mode
>
>
> I just want to block YouTube (ssl) for a certain group of users via alias,
> but when SquidGuard is enabled, any SSL traffic is blocked.
>
> This is a basic task but unfortunately it has been impossible to make it
> work.
>
> Thanks in advance.
>
> José G.

[pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread José Gregorio Díaz Unda
Dear PFSense crew,

I'm not sure if this is the right place to post my issue. If not, please
let me know.

Has somebody set up SSL Filtering well in PFSense?

I have installed:

PFSense 2.3.3_1
squid 0.4.36_3
squidGuard 1.16.1

Transparent Mode


I just want to block YouTube (ssl) for a certain group of users via alias,
but when SquidGuard is enabled, any SSL traffic is blocked.

This is a basic task but unfortunately it has been impossible to make it
work.

Thanks in advance.

José G.