squid on opnsense for web filtering

Started by tommycat95, January 22, 2025, 11:34:00 PM

I am trying to block all websites except a couple for a client that wants OPNsense on it. He has asked me to block all websites except two sites related to his business. Considering that DNS could return so many different IPs for any site, is squid able to do this type of web filtering or do I need to research DNS filtering? This extreme blocking is the first time I am doing it for a site that can have upwards of 20+ computers and I am not sure there is a good solution to achieve that. Anybody done such a thing? Would appreciate the advice. Thanks

Squid would by any means only filter based on DNS names as well. However, it would need traffic inspection (i.e. break up connections) to do that unless you also control the clients' proxy settings. Since most web traffic is HTTPS these days, you would need SSL bumping and this in turn would need you to put the necessary CA certificate on all clients. Which is infeasible for some devices.

But even if you did that, it is not even as easy as you think: Blacklisting is somewhat easy - whitelisting is not. I bet there are many URLs missing from your "two sites" that are needed for operation, like:

- Microsoft update sites (and there are lots!)
- Android update sites
- Apple update sites

Not to speak of API URLs that may be used for business applications in your customer's network. How will you find what URLs are really needed besides the two your customer thinks are necessary?

You are most certainly going down a rabbit hole there.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
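
Added example, not part of the thread: one way to answer the "what URLs are really needed" question is to run Squid as an explicit proxy without a deny rule for a while, then summarize which destinations fall outside the intended allowlist. The sketch assumes Squid's native access.log format; the allowlist domains, client addresses and log lines are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist standing in for the customer's "two sites".
ALLOWED = {"example-erp.test", "example-bank.test"}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1737588840.101 120 192.168.1.21 TCP_TUNNEL/200 5120 CONNECT portal.example-erp.test:443 - HIER_DIRECT/203.0.113.10 -
1737588841.220 80 192.168.1.21 TCP_TUNNEL/200 900 CONNECT cdn.example-assets.test:443 - HIER_DIRECT/203.0.113.20 -
1737588842.330 45 192.168.1.22 TCP_MISS/200 700 GET http://updates.example-os.test/v1/manifest.cab - HIER_DIRECT/203.0.113.30 application/octet-stream
1737588843.440 60 192.168.1.23 TCP_TUNNEL/200 800 CONNECT cdn.example-assets.test:443 - HIER_DIRECT/203.0.113.20 -
1737588844.550 30 192.168.1.22 TCP_TUNNEL/200 650 CONNECT www.example-bank.test:443 - HIER_DIRECT/203.0.113.40 -
this line is truncated
"""

def dest_host(method, url):
    """Return the lower-cased destination host of one logged request."""
    if method == "CONNECT":            # logged as host:port, no scheme
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None

def is_allowed(host, allowed):
    """True when host equals an allowed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def unlisted_destinations(log_text, allowed=ALLOWED):
    """Map each host outside the allowlist to the set of clients using it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:            # skip malformed or truncated lines
            continue
        client, method, url = fields[2], fields[5], fields[6]
        host = dest_host(method, url)
        if host and not is_allowed(host, allowed):
            seen[host].add(client)
    return dict(seen)

def report(log_text, allowed=ALLOWED):
    """Unlisted hosts, most widely used (by distinct clients) first."""
    hits = unlisted_destinations(log_text, allowed)
    return sorted(((h, len(c)) for h, c in hits.items()),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for host, clients in report(SAMPLE_LOG):
        print(f"{host}\t{clients} client(s)")
```

Hosts that many clients reach are the likely dependencies (CDNs, update servers, APIs) to review before a deny-all rule is enabled.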