OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: abel408 on June 28, 2016, 09:41:26 pm

Title: e2guardian setup
Post by: abel408 on June 28, 2016, 09:41:26 pm
Hello all!

I'm trying out OPNsense for use at a school. Our current content filtering is done by Dansguardian. e2guardian is the new fork. I've done some searches and saw that e2guardian has been requested before. I'm looking for a guide on how to set it up with OPNsense.

Here are the 2 previous forum posts about e2guardian:
https://forum.opnsense.org/index.php?topic=364.0
https://forum.opnsense.org/index.php?topic=1551.0

Franco says that "pkg add e2guardian" should bring it to the system, but it does not on version 16.1.17

I've installed it with this command:
pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/e2guardian-3.0.4_1.txz

I've also found a port for e2guardian here: https://github.com/opnsense/ports/tree/master/www/e2guardian

But I'm not sure what to do from here. I don't see any lists or config files. Here are instructions on how to manually install it to pfsense: http://knes1.github.io/blog/2015/2015-07-18-manually-installing-e2guardian-to-pfsense.html

Any way we could bring this to the gui? If not, how can I configure it? Where are the config files located?
Title: Re: e2guardian setup
Post by: franco on June 29, 2016, 07:37:33 am
Hi abel,

The dans/e2 path has been abandoned with 16.1 as we've added remote list management to the proxy server itself. It works on URL files, compressed or uncompressed and can select specific categories / files within compressed files if the full file is not appropriate for your use case.

Here's our web filter tutorial: https://docs.opnsense.org/manual/how-tos/proxywebfilter.html


Cheers,
Franco
Title: Re: e2guardian setup
Post by: abel408 on June 29, 2016, 05:07:27 pm
Thanks Franco,

A couple questions... I've set this up already. Is this just squid? Does it inspect content? Is there a way to add a url that might not be included in these lists?

Also, is there any way to filter SSL without implementing a MITM CA? Not looking to inspect content of SSL pages, but it would be nice to block known explicit HTTPS web sites. My goal is to create just a transparent filter without installing a private CA to all browsers.

Thanks again!
Title: Re: e2guardian setup
Post by: franco on June 29, 2016, 07:19:06 pm
Hi abel,

You're welcome. :)

Yes, just squid with a bit of automated management.

Under Forward Proxy tab, sub-tab Access Control Lists you can add:

o Allowed Subnets
o Unrestricted IP addresses
o Banned host IP addresses
o Whitelist
o Blacklist

The whitelist or blacklist is probably what you want. See the help text for further details. You can put e.g. your hostnames there.

And you can filter SSL in OPNsense without MITM using:

o Appropriate alias files for hosts/IP firewall block rules on e.g. port 443 (Firewall: Aliases: Import)
o Intrusion detection in prevention mode (inline) with the help of SSL fingerprinting (Services: Intrusion Detection)

There is also a way to use the hostname from the SSL certificate (also using Intrusion Detection), but I don't think this was implemented yet.


Cheers,
Franco
Title: Re: e2guardian setup
Post by: fabian on June 30, 2016, 10:41:10 am
Just to add another option: ICAP

If you do not use a CA, you will get at least the CONNECT requests from the proxy and it is possible to modify them.
You can use ICAP to filter content but I would not recommend it to be used as a simple URL filter as it would be a bit overpowered for this use case and squid does already provide that (see Franco's post for information about how to do that in OPNsense).
Title: Re: e2guardian setup
Post by: abel408 on June 30, 2016, 10:07:02 pm
Thanks for the help guys.

In the past, we've always used an ICAP filter to inspect content (dansguardian), but perhaps squid with a good url filter list would be sufficient for us. We find that dansguardian blocks more acceptable content than unacceptable content anyway.

I had a question about SSL filtering without a MITM CA. I'm a little confused about intrusion detection. I've enabled it in services and enabled IPS mode, but I'm not sure how the rules work. For example, if I wanted to block a certain youtube video, but not youtube.com itself, how would I go about doing that? Youtube, of course, is HTTPS...
Title: Re: e2guardian setup
Post by: abel408 on July 06, 2016, 08:11:23 pm
Any advice on the SSL URL Filter?
Title: Re: e2guardian setup
Post by: fabian on July 06, 2016, 10:20:40 pm
You cannot see the URL when the user is using TLS because it is part of the request line: https://tools.ietf.org/html/rfc2616#section-5.1
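
The point made in the replies above, as an added example that is not part of the original thread: a forward proxy without a MITM CA sees the full URL for plain HTTP, but for HTTPS it sees only the host and port of the CONNECT request, so a per-URL rule can never match there while a per-domain rule still can. The blocklist entries and function names are hypothetical, and the matching is a simplified stand-in, not squid's own ACL code.

```python
from urllib.parse import urlsplit

# Constructed sample policy (hypothetical names).
BLOCKED_DOMAINS = {"explicit.example"}
BLOCKED_URLS = {"video.example/watch?v=abc123"}


def visible_to_proxy(request_line):
    """Parse 'Method SP Request-URI SP HTTP-Version' (RFC 2616 section 5.1)
    and return (host, path_or_None) as a non-intercepting proxy sees it."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # Authority form: host:port only. The real request line, with the
        # path, travels inside the TLS tunnel and is never seen in clear.
        host, sep, _port = target.rpartition(":")
        if not sep:
            host = target
        return host.strip("[]").lower(), None
    url = urlsplit(target)  # absolute URI, as sent to a forward proxy
    if not url.hostname:
        raise ValueError("expected absolute URI: %r" % target)
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return url.hostname.lower(), path


def decide(request_line):
    """Return 'block' or 'allow' using only what the proxy can see."""
    host, path = visible_to_proxy(request_line)
    labels = host.split(".")
    # Check the host itself and every parent domain against the blacklist.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return "block"
    # URL rules need a path, which only plain HTTP requests expose.
    if path is not None and host + path in BLOCKED_URLS:
        return "block"
    return "allow"
```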