pfSense Squid Tips~!

# Short Notes (created by edwardjude / ejnetwork.wordpress.com) (Squid 2.7 Stable package)
~!To block all destination domains (HTTP) and allow only specific sites (edit squid.conf manually)
—————–
# acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex} ...
(To allow specific sites or domains; pick the ACL type that fits, e.g. dstdomain for a domain list or url_regex for a regular expression)
# acl all_dst dst 0.0.0.0/0.0.0.0 (Matches every destination, used to block everything else)
# http_access allow allowed_sites (Allow rule for the defined ACL)
# http_access deny all_dst (Deny rule for the defined ACL; Squid uses the first matching rule, so the allow line must come before it)
# deny_info URL_path_from_U all_dst (Error/deny page shown for the denied ACL)
—————–

~!To block downloads of certain file extensions (edit squid.conf manually, or add the lines under Custom Options in the GUI)
—————–

 acl blockfiles url_regex -i URL_path_from_U
 http_access deny blockfiles

—————-
Remark: when you point url_regex at a pattern file, each pattern in that file needs the $ end-of-line anchor, for example:
(\.exe$)
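An added offline model of how Squid evaluates the two snippets above (example code, not from the notes; the domain .example.com, the pattern list and the URLs are constructed). It shows two things the notes do not spell out: with the lines in the order written (allow allowed_sites before deny blockfiles) an .exe on an allowed site is still fetched because the first matching rule wins, and `\.exe$` does not match a URL that carries a query string, since url_regex is applied to the whole URL.

```python
"""Offline model of the squid.conf ACLs in these notes (added example, not from the page).

Models the Squid 2.7 semantics that matter for the two snippets:
  dstdomain   ".example.com" matches that host and all subdomains; no leading dot = exact host
  url_regex   -i: case-insensitive search over the WHOLE URL, query string included
  http_access rules are checked in order and the first match wins; if none match,
              the result is the opposite of the last rule
All domains, patterns and URLs here are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

def match_dstdomain(url, domains):
    host = urlsplit(url).hostname or ""
    return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
               for d in domains)

def match_url_regex(url, patterns):
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

def http_access(url, rules):
    """rules: ordered (action, acl_predicate) pairs, one per http_access line."""
    for action, acl in rules:
        if acl(url):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

ALLOWED_SITES = [".example.com"]               # acl allowed_sites dstdomain .example.com
BLOCKFILES = [r"\.exe$", r"\.msi$"]            # acl blockfiles url_regex -i "/path/blockfiles"
allowed_sites = lambda u: match_dstdomain(u, ALLOWED_SITES)
blockfiles = lambda u: match_url_regex(u, BLOCKFILES)
all_dst = lambda u: True                       # acl all_dst dst 0.0.0.0/0.0.0.0

# Order as in the notes: the allow-list rule comes before the extension block,
# so an .exe hosted on an allowed site slips through.
RULES_AS_WRITTEN = [("allow", allowed_sites), ("deny", blockfiles), ("deny", all_dst)]
# Corrected order: deny blocked extensions first, then the allow-list, then deny the rest.
RULES_FIXED = [("deny", blockfiles), ("allow", allowed_sites), ("deny", all_dst)]

def decide(url, rules=RULES_FIXED):
    return http_access(url, rules)

if __name__ == "__main__":
    for u in ["http://www.example.com/index.html", "http://other.test/",
              "http://www.example.com/setup.EXE", "http://www.example.com/setup.exe?dl=1"]:
        print(f"as-written={decide(u, RULES_AS_WRITTEN):5} fixed={decide(u):5} {u}")
```

The last URL is allowed under both orderings: the `$` anchor stops at the query string, so a pattern such as `\.exe(\?.*)?$` is needed if downloads with parameters must be caught too.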


Blocking Domains with Pfsense using DNS Forwarder~!

# Hi all! Long time no see. This article is really written by me!! 😀
# I’m gonna show you DNS blocking with pfSense using the DNS Forwarder service…
# It’s like kids playing in the park. Anyone can do it easily from the pfSense firewall’s WebGUI.
# Ok! Now let’s do that ..
# You need two things to do that~!
# Firstly, the dnsmasq (DNS Forwarder) service must be running. A green status means it is up and running.
(Screenshot: pfsense_services)
# Secondly, make sure your LAN clients’ DNS traffic is redirected to your local DNS Forwarder service (firewalling).
# This rule blocks DNS requests to servers that are off your network, forcing local clients to use pfSense’s DNS forwarder for resolution.
(Screenshot: Firewall_rule)
# That’s done. Now go to your pfSense WebGUI > Services > DNS Forwarder.
# Scroll down the page and you’ll see the Domain Overrides section.
# Click the plus icon to add a domain override.
(Screenshot: Domain_Override)
# Enter the domain name you want to block. Enter ! in the IP Address field.
# Leave the Source IP field blank.
# Enter any description you like.
# Click Save.
# Done~!

Sorry for my bad English~! I just want to share what I know. Greetings from Myanmar. Thank you all.

Edward Jude

Blocking Domains with PFSense using Bind~!

###################################################
This document is not written by me. I only want to note it and
share it with those who want to learn. (ejnetwork)
The author is noted below!
##################################################
Blocking Domains with PFSense using Bind
Last Updated: 11/13/2013
By: Phillip Tarrant

Purpose:
The purpose of this paper is to show how to use Bind and PFSense to create a DNS blackhole.
This allows the administrator to block any domain from users. It is very useful if one
wishes to block HTTP and HTTPS traffic to a domain. SquidGuard is great for blocking HTTP;
however, since HTTPS traffic is encrypted, Squid cannot block or filter it. A DNS
blackhole is the most accepted way of blocking a domain from any traffic (this includes
ALL ports)!

Requirements: You will need the following
● PFSense box running PFSense 2.0+
● Know how to install packages on PFSense and have access to do so.
● Some general Internet/DNS knowledge. (Not required, but helpful)
Active Directory Note:
If you need to use another DNS server (such as a Windows Server running Active Directory),
simply have the Windows Server use PFSense as the only forwarder in its DNS configuration.
This allows the Windows clients in the domain to still see domain resources and the
AD controller while still being filtered. Bind in this configuration will still seek and resolve any Internet
domains not expressly configured in its zone settings. DNS lookups will be cached by Bind and
resolve faster for you. It’s a win/win.
Note: No firewall rules are needed for this configuration. The clients need to use PFSense’s
internal IP (LAN, OPT1, etc.) as their DNS server, preferably the only DNS server in their config.
After changing your clients’ config, you may need to flush any DNS cache on the client.
Rebooting is the easiest way to do this.

Procedures:
Step 1. Install the Bind package
● Log into PFSense and go to the SYSTEM tab. Under that tab you will select Packages.
● Click on the Available Packages Tab.
● You are looking for the bind package.
● Below is a screenshot of how it should look.
Step 2. Access Bind Config
● After install you can configure bind by going to Services → Bind Server
Step 3. Settings for Bind
Bind is a very powerful DNS server and capable of many things. As such, it has many
configuration options that can be confusing. We will take things one tab at a time and I will
explain each relevant section and outline the settings needed and why they are needed.

3.1 Settings Tab
Daemon Settings –
Enable Bind – Here you will check “Enable Bind” to enable the service.
Listen-on – the interfaces you want Bind to listen on. Control+Click each interface
you want Bind to listen on. I do NOT recommend WAN!
Enable Notify – Unchecked; we don’t have any slave servers to worry about.
Hide Version – Unchecked, just an extra bit of security.
Limit Memory Use – The default of 256 MB is fine.
Logging –
Leave logging disabled for now; if you have issues I recommend setting
Logging Severity to “Error” and Logging Options to “Default”.
Response Rate Limit –
Leave rate limiting disabled for now (if you serve a lot of clients or want to protect against
DDoS attacks you can enable it).
Forwarder Config –
Check forwarder to enable it. List your ISP’s DNS servers or Google (8.8.8.8), putting a semicolon ( ;
) after each one. EVEN IF YOU ONLY HAVE 1 SERVER LISTED YOU MUST END IN
A SEMICOLON ( ; ). Failure to do so will cause the service not to start, as the config is
not correct!
Here is a screenshot showing the config; note the trailing semicolon ( ; ).

3.2 ACL Tab
Leave everything at the default. If you wish, you can set up other lists to allow only certain IPs,
depending on your network config. If you don’t have a domain or Active Directory set up, you
most likely want the default ACL, as all the clients on your network will use PFSense as their
primary DNS server.
However, if you have Active Directory or another internal DNS server set up, you may want
to limit the DNS to only serve your servers behind PFSense.
Again, there is nothing wrong with leaving the default options set for now.

3.3 Views Tab
Views –
We are just going to set up one view. You could set up several types, but one will do for
us. We will call it “Everyones View” and set it to do recursion, matching any clients (this
is the ACL we set up earlier), and allow-recursion to any.
In general, you are always going to use “Everyones View” for your setup. Seeing how
only the LAN side of PFSense is really going to use the DNS server, every client will need
the same settings.

3.4 Zones
Ahh, zones; now we get to the complicated / fun blocking part. Since everything else is
configured, we get to add the zones our DNS server will control. These are the zones we want to
block. We will be using facebook.com for our examples. You can add as many zones (domains)
as you wish later, such as Twitter or YouTube.

Add a Zone
Click the plus button to start the add-a-zone wizard.
Domain Zone Configuration
Zone name – This is the domain you wish to block, so we enter facebook.com.
Description – This is not parsed, so we can type anything here. We enter “blocking
facebook”.
Zone type – Master (as we want to be the authority for this zone)
View – Here we select which view to use; we are going to use the “Everyones View” we
set up earlier.
Reverse zone – Leave unchecked, as this won’t deal with IP-to-domain DNS.
No custom options are needed.

You can see a screenshot of our configuration on the next page.
DNSSEC
This is skipped, along with Slave Zone (as this is a master). Forward Zone config is also
skipped, as it’s not a forward zone. This is not the same as the forwarding DNS servers; we
configured those back on the first Settings tab.

Master Zone Config –

TTL – we set to 128 (should be plenty for internal DNS).
Nameserver – this is the name of your PFSense box as an FQDN. I’ll set mine to
pfsense.example
Base Domain IP – 127.0.0.1
Mail Admin Zone – hostmaster.example.com
Serial – any 32-bit number, but typically the format is YYYYMMDDXY (XY can be
anything, but we will use 01). This number doesn’t have to be accurate for this
configuration, but we will set it to 2013111201 for now (11/12/2013 date; 01 is my XY)
Refresh – 1d
Expire – 4w
Minimum – 1h
Allow-Update – UNMARKED; we don’t want anyone but us updating this
Allow-Query – ANY; we want everyone to be able to query this zone
Allow-Transfer – Unmarked; we don’t want this to propagate to anyone.

Zone Domain Records

Record = *
Type = A
Priority = Blank
Alias or IP = 127.0.0.1
We will add another for www just for good measure. Same settings, but the record will
be www. Now it should look like this:
Hit save and all should be well.

Step 4 Verify your settings

Hit the edit button next to our new zone and scroll to the bottom. We want to verify the settings
by comparing your resulting zone config file with our example:
You should see a screen like the screenshot on the next page:
Step 5. Add other zones you wish to block.
To add another zone to block, we do the same steps outlined in Step 3, just changing the
zone name to whatever domain you want. Twitter.com or Youtube.com are the most common
requests.
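Both write-ups on this page end without a way to confirm the block from a client, so here is an added stdlib-only Python checker (example code, not part of either original document). It builds a raw A query, sends it to the pfSense resolver and reports the RCODE and any A answers: the DNS Forwarder override with “!” should come back NXDOMAIN (RCODE 3) with no answers, while the Bind master zone with the * and www records should come back RCODE 0 with 127.0.0.1. The resolver address 192.168.1.1 is an assumed LAN address.

```python
"""Client-side check of a DNS blackhole (added example; stdlib only, no dnspython).

Expected results for a blocked name, depending on the method used on pfSense:
  DNS Forwarder override with "!"           -> RCODE 3 (NXDOMAIN), no answers
  Bind master zone, * and www -> 127.0.0.1  -> RCODE 0, answer 127.0.0.1
"""
import socket
import struct

def build_query(name, qid=0x1234):
    """12-byte header with RD set, then QNAME labels, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode() for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(data, off):
    """Step over a wire-format name; a compression pointer (0xC0..) ends it in 2 bytes."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data):
    """Return (rcode, [A-record IPs]) from a raw DNS response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):                      # skip the echoed question section
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def check_blackhole(name, resolver, port=53, timeout=2.0):
    """Query the pfSense resolver over UDP and return (rcode, ips)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, port))
        data, _ = sock.recvfrom(512)
    return parse_response(data)

if __name__ == "__main__":
    # 192.168.1.1 is an assumed pfSense LAN address; this call needs the live network.
    rcode, ips = check_blackhole("www.facebook.com", "192.168.1.1")
    print("blackholed" if rcode == 3 or ips == ["127.0.0.1"] else "NOT blocked", rcode, ips)
```

Run it from a LAN client after flushing its cache; any other answer means the client is still reaching a resolver other than pfSense.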