Hi Volker,

Thank you so much for taking the time to share your ideas.

As I can see, pfSense offers an intuitive web interface, but the SSL filtering features may be configured in a specific mode. It looks like I should use pfSense only as a firewall and DNS resolver, and set up DHCP and Squid independently. Maybe Squid/SquidGuard in a "solo mode" are less complex to set up to filter SSL. Or I should find a different alternative for proxy/SSL filtering. Does this make sense?

Regards.
José G.

On Mon, May 8, 2017 at 9:39 PM Volker Kuhlmann <[email protected]> wrote:
> On Tue 09 May 2017 03:34:06 NZST +1200, José Gregorio Díaz Unda wrote:
>
> > Has somebody set up SSL filtering well in pfSense?
>
> Yes, or at least I tried to.
>
> Because there are substantial problems with MITM methods I tried simpler
> URL filtering. It looks like that'd be sufficient for you.
>
> Configure browsers with an appropriate proxy script to use pfsense:3128
> for both http and https as proxy. Squidguard can only filter on the host
> part of the URL for https, because the rest is hidden by SSL.
>
> Transparent mode is a disappointment, because it does not ensure traffic
> goes through squid/squidguard, as you observed. pfSense is also
> fail-unsafe(!) - any issue with squid or squidguard bypasses the proxy,
> disabling all filtering, which I find rather unsatisfactory. Or whatever
> the exact reason is, some traffic bypasses squid/squidguard; I haven't
> found it yet. Turning transparency off and inserting a block rule for
> direct http/https seems to be safest.
>
> Also, squid bypasses squidguard when it detects a malfunction with it -
> OK for a cache, pretty much no good for a filtering proxy implementing
> policies.
>
> There are bugs in the handling of filter expressions in squidguard,
> allowing some URLs to pass that should be blocked! Plus the SG config
> file generation in pfSense is broken (creates illegal/non-functional
> configs), but no-one was interested in fixing it although I submitted a
> patch years ago.
>
> It'd also be handy if pfSense was able to serve the browser proxy script
> and squidguard error pages, but in the desirable configuration it's not,
> though serving the error pages does seem to work partially anyway.
>
> HTH,
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/ Please do not CC list postings to me.
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
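The "appropriate proxy script" Volker recommends is a PAC (proxy auto-config) file. The script below is an added example written for this page; it is not from the thread, from pfSense, or from the Squid/SquidGuard projects. The proxy name "pfsense", port 3128 and the ".lan" search domain are assumptions; substitute the LAN name or address of your firewall and your own local domain.

```javascript
// Added example (not from the thread): a PAC script that sends every http and
// https request through squid on the pfSense box, as Volker describes.
// "pfsense", port 3128 and ".lan" are assumptions for this example.
var SQUID = "PROXY pfsense:3128";

// Loopback and RFC 1918 IPv4 ranges that must never be handed to the proxy.
// Matched as regexes on the literal host string so that the script does not
// trigger DNS lookups (the browser-provided isInNet() helper would).
var LOCAL_NETS = [
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
  /^192\.168\.\d{1,3}\.\d{1,3}$/
];

// Targets reached without the proxy: localhost, unqualified LAN names, the
// local search domain and private addresses. The helper is given its own name
// rather than reusing the PAC built-ins (isPlainHostName, dnsDomainIs) so it
// neither depends on nor shadows the browser's versions.
function isLocalTarget(host) {
  if (host === "localhost") return true;
  if (host.indexOf(".") === -1) return true;   // plain host name, e.g. "printer"
  if (/\.lan$/.test(host)) return true;        // assumed local search domain
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (LOCAL_NETS[i].test(host)) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalTarget(host)) {
    return "DIRECT";
  }
  // http and https alike go to squid. Deliberately no "; DIRECT" fallback:
  // with "PROXY pfsense:3128; DIRECT" a browser that cannot reach squid
  // quietly goes direct and squidguard never sees the request, which is the
  // same fail-open behaviour Volker complains about in transparent mode.
  // Without the fallback the browser fails closed when squid is down.
  return SQUID;
}
```

A PAC file only governs the clients that load it, so it is the browser-side half of the setup; the firewall rule Volker mentions, blocking direct outbound http/https from the LAN with transparent mode off, is what stops everything else from going around the proxy.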
