
In a corporate network without DHCP, the temporary solution to whitelist a couple of useful sites is to change the hosts file under Windows/System32/drivers/etc/, but since modern sites tend to change their IP very often, and also taking into consideration that there are many client PCs, trying to keep the hosts file updated is not the way to go.

So, we decided to place a pfSense firewall between the router and the rest of the network in order to create two whitelists, one for admins and one for clients, and then assign each whitelist to a group/range of IPs. For example, the administrators' whitelist to the range between 10.10.10.0 - 10.10.10.50 and the significantly smaller whitelist of clients to the range of 10.10.10.51 - 10.10.10.255.

In addition there is the need for load balancing, and in particular, for giving priority to the clients.

So, to narrow down the question a bit, I'd like to know:

  1. Is pfSense the right tool for such a job? If not, what is your suggestion?
  2. If yes, is pfSense able to accomplish that as is, or do I have to also install Squid?
  3. I can't find an obvious way to create whitelists and IP groups and relate those two. What is the right way to do it?
baddy
    You should almost certainly be using a web proxy/filter to do HTTP filtering. Trying to do HTTP filtering at layer 3 just doesn't work. I believe pfSense will run Squid/SquidGuard just fine, depending on your hardware. – Zoredache Dec 01 '14 at 22:16
  • How were you using the hosts file to create a whitelist? Usually, I see this method used to create a *blacklist*. Is your list one of hostnames or actual IP addresses? To create a block or allow list in pfsense, you'll need a list of IP addresses and not hostnames. In any case, you should be using proxy like squid for this. – Andrew Domaszek Dec 01 '14 at 22:17
  • @Zoredache the PC running pf has 512 RAM and two 10/100 network cards, one for LAN and one for WAN; however, sometimes more than 10 clients will try to connect to remote desktops simultaneously. I guess this is going to be a hell of a traffic for the Realtek cards. –  Dec 01 '14 at 22:32
  • @AndrewDomaszek well, we keep the DNS in every client machine empty and we write to their hosts file the IP addresses of the necessary sites. –  Dec 01 '14 at 22:34
  • That is not security, even if you are blocking DNS traffic, which I somehow doubt you are. Use Squid. 512 MB of RAM is more than enough for 100 Mbit worth of connections. If necessary (and it shouldn't be), you can offload the Squid server onto another device and only allow HTTP access to leave the network from that server. – Andrew Domaszek Dec 01 '14 at 22:47

2 Answers

  1. Yes, pfSense is the perfect tool for what you are trying to accomplish, and much more.
  2 & 3. pfSense has certain packages that can help, e.g. Squid proxy and SquidGuard. A simple how-to to install Squid, SquidGuard, ACLs and blacklisting.

Definitely use Squid proxy. It understands URLs.
Most free firewalls just understand IP addresses and ports right now.

  • You can do simple IP-based filters for source IPs (admins vs. normal users).
  • You can do regex-based destination URL filters (for blacklists/whitelists).
  • You can use authentication to do more sophisticated filtering.

The Squid docs can be tough going, but check out https://workaround.org/squid-acls for a relatively easy intro.

Tricky
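As an added illustration of the source-IP plus destination-whitelist ACLs this answer describes (example config, not from the original answers or the pfSense Squid package), here is a minimal squid.conf fragment using the two address ranges from the question. The ACL names, the listening port and the whitelisted domains are assumptions; the domains are constructed placeholders.

```conf
# Added example: two whitelists keyed on source address range (not page/project code).
# ACL names, port and domains are assumptions; domains are constructed placeholders.

# Source groups straight from the question's ranges (Squid src accepts addr1-addr2).
acl admins  src 10.10.10.0-10.10.10.50
acl clients src 10.10.10.51-10.10.10.255

# Destination whitelists. A leading dot matches the domain and every subdomain.
# For longer lists put one domain per line in a file: dstdomain "/path/to/list.txt"
acl admin_sites  dstdomain .example.com .example.net .vendor-portal.example
acl client_sites dstdomain .example.com

# Path-level regex filtering only works for plain HTTP (or with SSL bumping);
# for HTTPS through an explicit proxy Squid sees just the CONNECT hostname,
# so dstdomain above is what actually gates TLS traffic.
acl admin_paths url_regex -i ^http://www\.example\.com/admin/

# Standard port hygiene for a forward proxy.
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Admins get both lists; clients get only the smaller one. First match wins.
http_access allow admins  admin_sites
http_access allow admins  client_sites
http_access allow clients client_sites

# Default deny: anything not explicitly whitelisted is refused.
http_access deny all

# Explicit proxy listener; point clients here (or intercept on pfSense).
http_port 3128
```

Pair this with a pfSense LAN rule that only lets the proxy host itself reach TCP 80/443 upstream, otherwise a client can simply bypass the proxy; checking the result is as easy as tailing access.log for TCP_DENIED entries from a client address.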