Need help getting DBL working in URL Filter

To start with, I’ve never messed around much with the proxy server and URL Filter other than many years ago when transparent proxy used to work because much of the web wasn’t encrypted.

First things first: I’m not trying to do anything with the proxy set to transparent.

Here’s what I’ve done:

I have saved and restarted both proxy and URL Filter.

Nothing was showing in either the URL Filter Logs or the Proxy Logs. I thought the additional DHCP options would push out to my GREEN devices.

One thing I have NOT done yet is set any additional firewall rules to block non-proxy traffic. I was under the impression you do not have to do this for it to work; you only have to do this if you want to prevent circumvention. Is this incorrect?

So next, I went into my Windows PC and set the proxy there:

After this, then I could finally see some stuff showing up in the Proxy Logs.

However, the URL Filter Logs are still empty. I can’t tell that Ads or DOH are being blocked. I even put yahoo.com in the URL Filter Blacklist section as a test. I can still access yahoo.com.

What am I doing wrong?

Here is what I am trying to accomplish:

- use the DBL rules in Intrusion Protection System to block Malware, Phishing and Porn. These are all low detection items, so they won’t flood the IPS logs.

- use the DBL rules in URL Filter to block ads and DOH, since these generate tons of logs which I don’t want flooding my IPS logs.

Hello Tim,

URL-Filter does not log anything by default. On the page there are some checkboxes where you can enable logging.

The different categories however create different types of alarms. So if you have email alerting enabled for the IPS and only choose “High Severity”, you won’t see any alerts for Advertising, Pornography and some others. You will though see any alerts for Malware and Phishing.

This is because blocking some Advertising does not necessarily create some action for an admin, but detecting malware inside of your network does.

You will also see different colours for those alerts on the IPS PDF reports so that you can very quickly spot the important ones.

Thanks, I will verify I have logging enabled on the URL Filter page this evening.

Could you tell that I had misconfigured anything from my screenshots?

BTW, I’m not sure the Malware category is just blocking malware. I enabled the DBL Malware ruleset on a guest network at the office over the weekend. No one was in the office on Sunday, yet there were almost 5800 Malware hits. Most of these came from a customer functional testing system that logs and sends test results to them via JumpCloud. Here are a few example “hits”:

What even is malware when we are only looking at the domain name?

This won’t be 100% accurate ever, because there are so many reasons:

  • A legitimate website could have been hacked and used to spread malware; it will likely remain listed unless it reports itself to us for delisting
  • Some people consider “malwaretising” malware. It certainly is advertising, but should it go on both? That is hard to decide. We won’t always see all the evidence, which is why there might be domains listed where other people might disagree with the categorisation.

Feel free to report JumpCloud. This seems to be a false-positive.


It looks like the reason for this domain showing up in the malware category is that Jumpcloud makes some remote admin software, which is why the specific upstream list named “mtxadmin - Malware Remote” has blocked it.

The domain would probably be in a malware category like “Trojan:Win32/RemoteAdmin” if it wasn’t a DNS lookup you were expecting on that part of the network.

In your situation perhaps it’s reasonable to allow your guest’s devices to connect to remote admin domains. Usually things like work laptops have this kind of software on.

A similar kind of thing will also occur in the DNS-over-HTTPS List, where at first it will block all known DoH domains and then you whitelist the domain you actually want to use.

Hope this helps.

Thanks,
A G
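The two points made above (a blocklist hit inherited by every subdomain of a listed name, and an allowlist entry that overrides it, as with the remote-admin and DoH cases) can be modelled in a few lines. The following is an added illustration and not IPFire’s DBL code; the list format, the category names and the mapping of categories onto IPS versus URL Filter are assumptions, and all domains are constructed sample values.

```python
"""Toy model of categorised domain blocklists with an allowlist override.

Added illustration, not IPFire's DBL implementation. The list format,
category names and category-to-enforcer mapping are assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional, Set, Tuple

# Constructed sample blocklist: listed domain -> category (not real DBL data).
SAMPLE_BLOCKLIST: Dict[str, str] = {
    "ads.example": "advertising",
    "doh.resolver.example": "doh",
    "malware.example": "malware",
    # Remote-admin tooling listed under malware, like the JumpCloud case.
    "remote.example": "malware",
}

# Constructed allowlist: an entry covers the domain and all its subdomains.
SAMPLE_ALLOWLIST: Set[str] = {"remote.example", "dns.mycompany.example"}

# Assumed split of categories between enforcement points (IPS vs URL Filter).
ENFORCER_BY_CATEGORY: Dict[str, str] = {
    "malware": "ips",
    "phishing": "ips",
    "pornography": "ips",
    "advertising": "urlfilter",
    "doh": "urlfilter",
}


def domain_suffixes(domain: str) -> Iterator[str]:
    """Yield the name and each parent, longest first: a.b.c -> a.b.c, b.c, c."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(
    domain: str,
    blocklist: Dict[str, str] = SAMPLE_BLOCKLIST,
    allowlist: Set[str] = SAMPLE_ALLOWLIST,
) -> Tuple[str, Optional[str]]:
    """Return (verdict, category) for one looked-up name.

    A name matches a list entry if the entry equals it or any parent domain,
    so subdomains inherit the listing. An allowlist match always wins, but
    the category is still reported so an admin can see what was overridden.
    """
    category: Optional[str] = None
    for suffix in domain_suffixes(domain):
        if suffix in blocklist:
            category = blocklist[suffix]
            break
    if category is None:
        return ("pass", None)
    if any(suffix in allowlist for suffix in domain_suffixes(domain)):
        return ("allowlisted", category)
    enforcer = ENFORCER_BY_CATEGORY.get(category, "urlfilter")
    return (f"block-{enforcer}", category)


def summarize(lookups: Iterable[str]) -> Dict[Tuple[str, Optional[str]], int]:
    """Count verdicts over a batch of names, e.g. one day's DNS log."""
    counts: Counter = Counter(classify(name) for name in lookups)
    return dict(counts)


if __name__ == "__main__":
    # Constructed lookups: one chatty host hitting the remote-admin domain.
    sample_lookups = ["agent.remote.example"] * 3 + [
        "ads.example",
        "malware.example",
        "www.example.org",
    ]
    for name in sample_lookups:
        print(name, classify(name))
    print(summarize(sample_lookups))
```

Running it shows the same burst pattern described in the thread: a single allowlisted remote-admin domain accounts for most of the “malware” matches, while genuine hits still go to the IPS path and advertising stays with the URL Filter.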

I reported JumpCloud as a false positive. However, I got this reply:

Hello,

Thank you for taking the time to report jumpcloud[.]com to our IPFire DBL service.

We’ve reviewed your submission and are pleased to inform you that your report has been ACCEPTED. The domain has been added to our blocklist and will now be flagged by systems using our service.

Your contribution helps make the internet safer for everyone. We appreciate your vigilance in identifying and reporting problematic domains.

If you have any questions about this decision, please don’t hesitate to reach out.

Best regards,
-Stefan Schantl

As I submitted this, it should have been removed from the blocklist, not added.

Also, the last sentence about “don’t hesitate to reach out”…the email is sent from a noreply account. I would add a link or address for the reader to have a way to reach out.

Hi Tim,

Well, this seems to be a badly worded email on my part 🙂

The “allow” has been added to the list:

So what you wanted has happened. I will update the wording of the email whenever I get a moment.


Edited: to move conversation to DBL list:

Thanks,
A G