2011/3/23 Michael Schuh <[email protected]>:
> 2011/3/23 David Barbero <[email protected]>:
>> Yehuda Katz <[email protected]> wrote:
>>
>>> On Wed, Mar 23, 2011 at 2:56 PM, David Barbero <[email protected]> wrote:
>>>
>>>> Alberto Mijares <[email protected]> wrote:
>>>>
>>>>> Squid cannot store the content from https traffic in cache; however, you are still able to create ACLs to control the access to these URIs.
>>>>>
>>>>> Check out your ACL.
>>>>>
>>>>
>>>> Squid cannot store and cannot filter https connections; when the client opens an https connection, squid only makes a tunnel from client to server and doesn't see anything of the content or URL (it only sees the destination IP). The only way to block https connections is to filter by destination IP in pf or an ACL (I'm not sure if this works properly with squid ACLs), but squid or squidguard can't filter an SSL connection directly.
>>>>
>>>
>>> That is absolutely wrong. Squid (with SquidGuard) in a TRANSPARENT PROXY configuration cannot filter https traffic.
>>> If you are using explicit proxy settings in your browser, https (and just about any other protocol) can be filtered.
>>> As I said earlier in this thread, I have the exact configuration that the original poster was looking for:
>>> - SquidGuard filters according to a third-party blacklist of websites.
>>> - All ports that are handled by Squid/SquidGuard, including 80 (http) and 443 (https), are redirected by pfSense (using a NAT rule) to an error page explaining how to set up a proxy in different browsers.
>>> - We are not using Squid for the purpose of caching, only filtering (limited hard drive space, otherwise we might).
>>>
>>> If anyone wants specific details about how to set up this configuration, I might be able to help you as my time allows.
>>>
>>> - Yehuda
>>>
>>
>> The thread talks of transparent proxy and I just talked about transparent proxy, so it is not wrong, that's right; if we put the direct proxy it would be wrong :P
>>
>> Cheers.
>>
>> --
>> "Linux is for people who hate Windows, BSD is for people who love UNIX"
>> "Social Engineer -> Because there is no patch for human stupidity"
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>> Commercial support available - https://portal.pfsense.org
>>
>
> squid is naturally not a content filter/blocking system, even if you can block sites/IPs and ports or any combination with it ;-)
> squid can block https access to specific sites and generally to the https ports
>
> another question in this schema: "how secure would https be, if you can transparently proxy it and hunt a content filter on it?" :O
>
> I suggest the extended use of the all-knowing oracle "google"
>
> For a bit of fun:
> put *.facebook.com into your dns-masquerader and lead it to the internal IP of the firewall or to 127.0.0.1 :D (* -> www, or whatever else; I am not aware if the dns-forwarder can match wildcards)
> Deny all other DNS beside the access to the firewall.
>
> regards
>
> --
> = = = http://michael-schuh.net/ = = =
> Project Management - IT Consulting - Professional Services IT
> Michael Schuh
> Postfach 10 21 52
> 66021 Saarbrücken
> phone: 0681/8319664
> mobile: 0175/5616453
> @: m i c h a e l . s c h u h @ g m a i l . c o m
>
> = = = VAT ID: DE251072318 = = =
>
Another quick idea I still got right yet: use snort and put some fitting rules into it for blocking facebook (or also other community sites) generally; iirc it should be able to get configured to handle this.
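The point Yehuda makes in the quoted part of this thread (an explicit, browser-configured proxy can apply a domain blacklist to https, a transparent one cannot) comes down to what bytes the proxy actually gets to see. The Python script below is an added illustration of that difference; it is not code from pfSense, Squid, SquidGuard or anyone in the thread. The blacklist, the sample request bytes, the TEST-NET address and all function names are constructed for the example.

```python
"""
Why an explicit proxy can filter HTTPS by hostname while a transparent one
cannot.  Added illustration for the thread above, not code from pfSense,
Squid or SquidGuard.  Blacklist, sample bytes and names are constructed.
"""
import re

# Constructed blacklist standing in for a SquidGuard-style domain list.
BLACKLIST = frozenset({"facebook.com", "example-social.test"})

# Request line a browser sends to an explicit proxy before starting TLS.
# The host group excludes ':' so bracketed IPv6 literals are not handled here.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]\r?\n"
)


def host_is_blocked(host, blacklist=BLACKLIST):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blacklist)


def explicit_proxy_decision(request_bytes, blacklist=BLACKLIST):
    """Explicit (browser-configured) proxy: the CONNECT line carries the
    hostname in clear text before any TLS is spoken, so a domain blacklist
    applies to https exactly as it does to http.
    Returns (decision, hostname)."""
    m = CONNECT_RE.match(request_bytes.decode("ascii", errors="replace"))
    if m is None:
        # Not a CONNECT request; plain-http URL filtering is handled elsewhere.
        return ("allow", None)
    host = m.group("host")
    return ("deny" if host_is_blocked(host, blacklist) else "allow", host)


def transparent_proxy_decision(dst_ip, first_bytes, ip_blacklist=frozenset()):
    """Transparent interception of port 443: the client never sends CONNECT;
    the first bytes on the wire are the TLS ClientHello (record type 0x16).
    A proxy that does not parse TLS therefore has only the destination IP
    to decide on, which is exactly the limitation described in the thread.
    Returns (decision, hostname); hostname is always None here."""
    is_tls_handshake = first_bytes[:1] == b"\x16"
    if not is_tls_handshake:
        return ("allow", None)  # not TLS; outside this example's scope
    return ("deny" if dst_ip in ip_blacklist else "allow", None)


def proxy_reply(decision):
    """Bytes an explicit proxy answers to the CONNECT request."""
    if decision == "deny":
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


if __name__ == "__main__":
    # Constructed requests as a browser with explicit proxy settings sends them.
    for req in (
        b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n",
        b"CONNECT mail.example.org:443 HTTP/1.1\r\nHost: mail.example.org:443\r\n\r\n",
    ):
        decision, host = explicit_proxy_decision(req)
        print("explicit   :", host, "->", decision,
              proxy_reply(decision).split(b"\r\n")[0].decode())

    # Constructed first bytes of an intercepted TLS handshake: no hostname is
    # visible to a proxy that does not parse the ClientHello.
    client_hello_prefix = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
    print("transparent:", transparent_proxy_decision(
        "203.0.113.10", client_hello_prefix, {"203.0.113.10"}))
```

Run it with `python3` to see the same blacklist deny `www.facebook.com` on the explicit path while the transparent path can only ever match an IP. One caveat worth knowing: the hostname is also present in clear text in the ClientHello's SNI extension, so a transparent proxy that parses TLS can recover it; the configuration discussed in this thread does not do that, which is why the IP is all it has.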
