URL Filtering - How to Configure SquidGuard in pfSense
URL filtering is a method of blocking access to certain websites based on the web address. There are several commercial products available for URL or content filtering, but you can set up a very robust system on your own using SquidGuard and pfSense. SquidGuard is a plugin for the popular Squid proxy server that can be used for blocking or redirecting web requests on your network.
SquidGuard has a long list of features that can be customized to meet your needs. It is also extremely fast and won't slow down internet access for your users. If you need to block access to a list of undesirable websites or only allow access to certain sites then SquidGuard can assist you with this.
SquidGuard is very flexible making it easy to adapt to different applications. Whether you need to do basic URL filtering on your home network or you need to create complex rules for a large public network SquidGuard can do the job.
Before you can set up SquidGuard you will need a functioning pfSense proxy server. If you're new to pfSense I would recommend reading through the introduction to pfSense guide first.
SquidGuard can be installed using the pfSense package manager. To access the package manager click on packages in the system menu. Select the available packages tab and scroll down until you find SquidGuard, then click the plus symbol next to the description to begin the installation.
Once the installation is complete you will have a new menu item under services called proxy filter.
Enabling a Blacklist
To configure the blacklist feature open the general settings page (Services \ Proxy Filter). Click on the checkbox to enable the blacklist feature.
You can use one of your own blacklists or one of the publicly available lists on the web. You can find a list of several blacklists at http://www.squidguard.org/blacklists.html. Once you determine which blacklist you are going to use enter the URL of the blacklist into the blacklist URL box.
Click save, then click on the blacklist tab and click on download. It can take several minutes for the list to download and process. Once it is finished it will display "Blacklist update complete" in the status box below.
Access Control Lists
After uploading your blacklist you will need to configure which categories should be allowed, blocked, or whitelisted. The simplest method of configuration is to use the common ACL tab. The common access list settings will apply to all users of the proxy.
If you want to apply different rules to other source networks you should use the groups ACL tab. For example if you want to apply heavy filtering on a group of computers in a lab while granting unrestricted access to computers in another network you would use the group configuration.
In the drop down box next to each of the target rules you can select one of the following actions.
- Allow - Grant access to the target category unless blocked by another rule or exception.
- Deny - Block all access to sites in the target category.
- Whitelist - Always allow access to the target category.
I would recommend enabling the setting to block IP addresses in the URL. This will prevent your users from bypassing the filter by simply using the IP of the web site instead of the URL.
By default, when a user attempts to visit a blocked page they will see an internal error page indicating that the page was blocked and which target category it falls under. You can change the redirect page to be a blank page, or any other internal or external URL. For example, you could redirect the users to Google if you want to.
Whenever you modify a target rule you will need to click 'apply' on the general settings tab in order for the changes to take effect.
Excluding URLs from the Blacklist
There may be certain sites that you need to allow your users to access. To prevent these sites from being blocked you can create a new target category and add a list of domains or URLs that should not be blocked.
To do this click on the target categories tab, then click the plus symbol to add a new category. You must assign a unique name to the new category. The name you choose cannot contain spaces.
The target category can filter by domain name, URL, or an expression. Listing a site by domain will grant access to the main site and all of its sub pages. Entering a URL will allow access only to that exact web page. Expressions allow you to grant access based on certain keywords.
When you are finished click on save, then go back to the common or group ACL tab (wherever you created your rule) and select an action of whitelist for your new category.
You can also use this same method to add additional sites to your blacklist.
Filtering by Expression
In addition to domain and URL filtering, SquidGuard can create filters using regular expressions. These types of filters are great when you want to search for certain strings of text in a URL to make a filtering decision. If you are unfamiliar with regular expressions they can be somewhat confusing at first, but there are many online resources on the subject so I won't go into much detail about them in this article.
To create a filter that uses an expression click on the target categories tab and either create a new category or edit an existing one. Enter the expression you want to filter on in the expression box and then click save. Then go back to the common or group ACL tab and select the action (deny, allow, etc.) for your target category.
Below are a few examples of filtering expressions. These could be edited depending on what you intend to filter out. For more useful information about filtering on regular expressions check out http://www.squidguard.org/Doc/Examples.
Block downloads based on file extension
Block certain top level domains
Block searches for "proxy bypass" on Google and Yahoo
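A way to dry-run expressions for the three cases above before pasting them into the expression box. This is an added example, not the article's original expressions: the patterns and sample URLs are constructed, and it assumes the expression is matched case-insensitively as a POSIX extended regex against the URL with its scheme removed.

```shell
#!/bin/sh
# Added example: dry-run candidate SquidGuard expressions with grep -E (POSIX ERE).
# All expressions and URLs below are constructed for illustration.

# Executable downloads: extension must end the path or precede a query string.
EXT_RE='\.(exe|msi|bat|scr)($|\?)'
# Top-level domains: anchored to the host part, so "/archive.zip" is not a hit.
TLD_RE='^[^/]*\.(xxx|zip)(:[0-9]+)?(/|$)'
# "proxy bypass" searches: Google uses q=, Yahoo uses p=.
SEARCH_RE='(google|yahoo)\.[^/]*/.*[?&][qp]=[^&]*proxy([+]|%20)bypass'

# verdict RE URL -> prints "block" or "pass".
# Assumption: the expression is tested case-insensitively against the URL
# with its scheme removed (host/path?query).
verdict() {
    target=${2#*://}
    if printf '%s\n' "$target" | grep -Eiq -- "$1"; then
        echo block
    else
        echo pass
    fi
}

# Constructed sample URLs: each rule gets hits and a near miss.
SAMPLES='http://example.com/files/setup.exe
http://example.com/files/setup.EXE?session=1
http://example.com/docs/notes.exercise
http://site.xxx/page
http://example.com/archive.zip
http://www.google.com/search?q=proxy+bypass
http://search.yahoo.com/search?p=proxy%20bypass
http://www.google.com/search?q=proxy+server'

# Print one row per sample URL with the verdict of each expression.
report() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r url; do
        printf '%-5s %-5s %-5s %s\n' \
            "$(verdict "$EXT_RE" "$url")" \
            "$(verdict "$TLD_RE" "$url")" \
            "$(verdict "$SEARCH_RE" "$url")" "$url"
    done
}

echo 'ext   tld   srch  url'
report
```

The near misses (`notes.exercise`, `/archive.zip`, `proxy+server`) are the rows to watch: an expression that blocks them is too loose and will generate false positives for your users.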
Time Based Rules
SquidGuard also allows you to apply URL filtering based on schedules. Schedules are useful for applying rules at different times during the day, or only on certain days of the week.
For example, you could apply strict URL filtering rules during business hours and automatically disable the rules after 5PM. If you are filtering your home network you may not want the kids visiting certain sites during the school week. This is another example where you would use a time based rule.
To create a time based rule click on the times tab and then click the plus sign to create a new schedule. You can create as many different schedules as you need.
Schedules can be applied using the groups ACL tab. Create a new group ACL or edit an existing one, then in the 'time' drop down box select the schedule you created.
Don't forget to click apply on the general tab for the settings to take effect.
Commercial web filtering appliances can be very expensive and difficult to manage. SquidGuard and pfSense are completely free and very powerful. SquidGuard offers many other features not covered in this article. For more in-depth information visit SquidGuard.org and check out the documentation section. Also be sure to check out some of my other articles to learn about more ways to use pfSense on your network.