HowTo: Using Domain Blacklists with PfSense & Squid Proxy for easy Content Filtering.
In this blog entry we describe how to use Squid proxy native ACL blacklists from Squidblacklist.org with Squid3 and pfSense 2.2.2-RELEASE.
Install Requisite Packages into Pfsense.
1. Install Squid3.
2. Install Cron – we will use this, together with fetch, to automate the blacklist update downloads.
Next we will open a terminal and manually download a blacklist from Squidblacklist.org with fetch, saving it directly into the working directory of the Squid3 proxy installation. We do this by hand first so that you become familiar with what is going on before automating it.
Open a terminal on the pfsense box and navigate to the directory, which will be similar to the following location.
[2.2.2-RELEASE][admin@pfSense.local] cd /usr/pbi/squid-amd64/etc/squid
Now we will fetch the blacklist (you must have a valid Squidblacklist.org user account to download it).
[2.2.2-RELEASE][admin@pfSense.local] fetch http://username:firstname.lastname@example.org/downloads/squidblacklists/squid-porn.tar.gz
Now we will decompress the blacklist file with the following command string.
[2.2.2-RELEASE][admin@pfSense.local] tar -xvf squid-porn.tar.gz
Now that we have downloaded and decompressed the blacklist file, squid-porn.acl, it is time to log into the pfSense administration panel, configure Squid proxy to use the ACL we just downloaded, and complete the process.
First, do not forget to allow proxy access for every subnet you intend to serve. In the Squid proxy configuration, navigate to the section titled ACLs, add the subnets you wish to allow, and click Apply. You will then need to manually restart the Squid proxy for the changes to take effect, using the buttons at the top right of that page in the administration panel.
The next and final step is to add the ACL rules in the admin panel for Squid proxy:
# Define a destination-domain ACL backed by the downloaded list, then deny it.
# Squid treats lines beginning with '#' as comments, so only the two directives below are live.
# Squid evaluates http_access rules in order, so this deny must appear before any
# http_access allow rule for your client subnets.
acl porn dstdomain "/usr/pbi/squid-amd64/etc/squid/squid-porn.acl"
http_access deny porn
Squid proxy will now begin loading the ACL blacklist. The list is quite large and may consume a considerable amount of CPU while the reload takes place, so I recommend monitoring the CPU load on your pfSense router during this process so that you know when it has completed. Depending on how powerful your CPU is, it may take several minutes to load.
It is important to note that browsing through the proxy may be interrupted and temporarily unavailable during this loading process. This can be avoided by using a parent proxy to bypass the local proxy when it becomes unavailable or unresponsive. Other workarounds exist, such as updating during late-night hours using a cron job similar to the one described in the next step.
To eliminate downtime there are also many plugins available for Squid proxy, such as DansGuardian, which can be leveraged to eliminate this problem, since DansGuardian remains available while blacklist ACL files are reloading. However, this howto is focused on Squid native ACL use with pfSense and Squid proxy, so we will save those options for another howto.
Final Step – Automated Blacklist Updates for pfSense and Squid proxy using Cron and Fetch.
Assuming you have already installed Cron via the pfSense package manager, you can now open the Cron administration panel in the pfSense web interface.
Enter the following scheduled task.
cd /usr/pbi/squid-amd64/etc/squid/ ; fetch http://username:email@example.com/downloads/squidblacklists/squid-porn.tar.gz ; tar -xvf /usr/pbi/squid-amd64/etc/squid/squid-porn.tar.gz
Hit Save and voilà: updates are now scheduled for download every 30 minutes. That is a bit absurd; you should schedule these updates once per day, preferably after midnight.
You are now filtering content with pfSense and Squid proxy using the world's largest adult domain blacklist, squid-porn.acl from Squidblacklist.org.
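The one-line cron job above extracts straight over the live squid-porn.acl, so a failed or partial download (an expired subscription returning an HTML login page, a truncated transfer) can leave Squid with a broken or empty list, and nothing tells the running Squid to re-read the file. The script below is an added example, not code from this page or from Squidblacklist.org: it downloads into a scratch directory, checks that the archive unpacks and that the result looks like a domain list, swaps it into place atomically, and only then asks Squid to reconfigure. The Squid binary path, the `ACL_URL` placeholder (substitute your own credentials and the download host) and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: safer scheduled refresh of a Squidblacklist.org ACL on pfSense.
# Assumptions (not from the original page): paths below follow the page's
# Squid3 install under /usr/pbi/squid-amd64; SQUID_BIN is where that package
# puts the squid binary; ACL_URL is a placeholder you must fill in yourself.
set -u

SQUID_DIR="${SQUID_DIR:-/usr/pbi/squid-amd64/etc/squid}"
SQUID_BIN="${SQUID_BIN:-/usr/pbi/squid-amd64/sbin/squid}"
ACL_NAME="squid-porn.acl"
ACL_URL="${ACL_URL:-http://USER:PASS@BLACKLIST_HOST/downloads/squidblacklists/squid-porn.tar.gz}"

# Accept a list only if it is non-empty and every non-blank, non-comment line
# is a plain domain (optional leading dot, then letters, digits, dots, hyphens).
# Anything else means the download was not an ACL at all, or was cut short,
# and must not replace the list Squid is currently using.
validate_acl() {
    acl="$1"
    [ -s "$acl" ] || return 1
    domains=$(grep -v '^[[:space:]]*$' "$acl" | grep -v '^#' || true)
    [ -n "$domains" ] || return 1
    printf '%s\n' "$domains" \
        | grep -E -v '^\.?[A-Za-z0-9][A-Za-z0-9.-]*$' >/dev/null && return 1
    return 0
}

# Replace the live list with a single rename so Squid never reads a half-written file.
# The scratch directory lives inside SQUID_DIR so the rename stays on one filesystem.
install_acl() {
    mv -f "$1" "$2"
}

update_blacklist() {
    work=$(mktemp -d "$SQUID_DIR/update.XXXXXX") || return 1
    trap 'rm -rf "$work"' EXIT
    # Download into the scratch directory, not on top of the live ACL.
    if ! fetch -q -o "$work/list.tar.gz" "$ACL_URL"; then
        echo "download failed; keeping current $ACL_NAME" >&2
        return 1
    fi
    if ! tar -xf "$work/list.tar.gz" -C "$work"; then
        echo "archive did not unpack; keeping current $ACL_NAME" >&2
        return 1
    fi
    if ! validate_acl "$work/$ACL_NAME"; then
        echo "downloaded list failed validation; keeping current $ACL_NAME" >&2
        return 1
    fi
    install_acl "$work/$ACL_NAME" "$SQUID_DIR/$ACL_NAME"
    # Have the running Squid re-read its configuration (and so the new list)
    # instead of waiting for the next full restart.
    "$SQUID_BIN" -k reconfigure
}

# Only perform the update when explicitly asked, e.g. from cron:
#   sh /root/update-blacklist.sh run
case "${1:-}" in
    run) update_blacklist ;;
esac
```

Save it on the pfSense box and point the cron entry at `sh /root/update-blacklist.sh run` once a day instead of the inline fetch-and-tar string; because the reconfigure still reloads the large list, schedule it for the same late-night window the page recommends.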
NOTES AND ADVISORY:
Depending on your system resources, in particular processing power, this may add considerable time to reboots and start-ups, because Squid has to reload the blacklist every time you restart your pfSense box. This is something you should be aware of when using Squid native ACL blacklists: it is dirty, but it does work. Using our lists with third-party plugins under pfSense, such as DansGuardian or SquidGuard, can easily be done with the same cron + fetch method; for other alternative methods, please see the following relevant links and material.
The update script mentioned in the legoclan howto can be downloaded at the link below.