pfSense 2.3.1 Security : Explicit Squid Proxy, WPAD, SquidGuard, Lightsquid, and Static ARP (Part 2 of 2)

Installing SquidGuard

Go to System > Package Manager > Available Packages then click  + Install  aligned with SquidGuard. Then click Confirm.




When the package installation succeeds, do not Enable the SquidGuard service yet but go to Services > SquidGuard Proxy Filter > Target Categories. Add a CustomDeny category then place the domains you want to block manually in the Domain List box. Then put "proxy|\.exe|\.mp4|\torrent" in the Regular Expression box to block sites with proxy or torrent in the url as well as block downloading of files ending with .exe or .mp4. extensions. Tick the Log option at the bottom to log denies made through this category then  Save  the custom category. You can also do this again to create your own custom whitelist or any category that you may require.


Visit squidguard.org then choose a blacklist provider. I prefer the Shalla's Blacklists among the free blacklists. Right click the download icon then choose Copy link address. Now go to General Settings tab then set all Logging options to enable by ticking Enable GUI logEnable log and Enable log rotation. Tick the Blacklist option then paste Shalla's blacklist download URL to the Blacklist URL entry then  Save .






Go to the Blacklist tab then click  Download  then wait until the download completes.



When done, go to Common ACL then expand the Target Rules List. Set deny option for CustomDeny and set allow to Default access [all]. You can set the other categories to your preferred permission between deny, allow and whitelist. The sample here shows the list from urlblacklist.com. Tick the Log option then  Save .



You can also create groups at Groups ACL with different accesses. You can also set a schedule for the groups by creating schedules in the Times tab. After setting up, go to General Settings tab then tick Enable and click Apply. Click Apply again for any changes made in SquidQuard to apply changes.



Now website filtering works. We need to apply strict Firewall rules. Go to Firewall > Rules > Lan again then click the pencil or edit your Default allow LAN to any rule. Set the Destination to any and change the Description to Default allow LAN to LAN rule to remind you then click Save. Click Apply Settings. You can also notice here that I removed my IPv6 default rule.




In this way, all traffic must now pass through the proxy.

DHCP and ARP

To increase the level of security internally, you can go to Services > DHCP Server > Lan then register all MAC addresses of all devices and set their own IP. After completely registering only the devices that are allowed in your network, tick Deny unknown clients and Static ARP. With this setup, any unit who tries to connect will not be recognized by the firewall. Any changes or manual change in the network settings of the devices will also block that device from the firewall.




PROXY Bypass

By registering all devices, IPs will now be assigned for specific devices. Therefore, logs showing IP addresses can easily be tracked to devices using the DHCP registry. This also enables pfSense to allow certain IPs to bypass the proxy. You can do this by creating an alias first. Go to Firewall > Aliases then add an alias. Place a recognizable name like "bypasslocalips" then add all IPs you want to bypass the proxy.



Next, edit your PAC files by adding the IP you wanted bypassed.

function FindProxyForURL(url, host) {
  if (myIpAddress() == "192.168.1.5" || myIpAddress() == "192.168.1.6") return "DIRECT";
  if (isPlainHostName(host) || shExpMatch(host, "192.168.1.*")) return "DIRECT";
  return "PROXY 192.168.8.1:3128";

}

You also need to add a firewall rule to allow LAN to any traffic since we have restricted LAN to pass to LAN only. Create the rule with a Pass action for Source of alias "bypasslocalips" and Destination of any.



You can also bypass proxy for hosts by creating a pass rule for an alias "allowedhosts". Create the alias first then add the hosts to your CustomWhitelist category in your SquidGuard Proxy Filter.




You now have a comprehensive Network Security. Now all you need is a good reporting tool to easily manage logs. Install Lightsquid to create reports or monitor the proxy live. Leave a comment or contact me for any inquiry that I may help.



Comments