URL filter for HTTPS

One of the easier ways to do URL filtering for HTTPS, if you don’t like taking the proxy off transparent mode, is to block the resolve.

You would do this by forcing all DNS traffic from the LAN to the firewall.

For example:
Edit firewall.local and add the required entries below the line that reads: ## add your ‘start’ rules here

vi /etc/sysconfig/firewall.local

	# Force DNS for green to query the firewall, and not an outside DNS server
	# (-o is not allowed in PREROUTING, the outgoing interface is not known yet;
	# match the incoming green interface instead)
	iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
	iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53

That ^ is my preferred option. It works, and that’s what counts for me.

Alternatively, you can try and figure out how to do it in the firewall GUI, but there you would be on your own…
I guess it could look something like this:

Source = Firewall : GREEN
NAT = n/a
Destination = Standard networks: ANY
Protocol = TCP/53 & UDP/53
Accept/Drop/Reject = REJECT
Additional Setting = Remark: DNS BLOCK

Source = Standard networks : GREEN
NAT = n/a
Destination = Standard networks: RED
Protocol = TCP/53 & UDP/53
Accept/Drop/Reject = ACCEPT
Additional Setting = Remark: DNS

Source = Firewall : RED
NAT = n/a
Destination = Standard networks: ANY
Protocol = TCP/53 & UDP/53
Accept/Drop/Reject = ACCEPT
Additional Setting = Remark: DNS

… but as said, no clue on that.
I suppose the iptables entries would end up looking something like this:

	# Maybe checkup, I might not be right :)
	# Note: "-d ANY" and "-d red0" are not valid iptables syntax (omit -d to match any
	# destination). LAN -> outside DNS is FORWARD traffic, LAN -> firewall is INPUT,
	# and the firewall's own upstream queries are OUTPUT.
	# Block LAN clients from reaching any outside DNS server
	iptables -I FORWARD 1 -s <insert your LAN IP range> -o red0 -p udp --dport 53 -j REJECT
	iptables -I FORWARD 1 -s <insert your LAN IP range> -o red0 -p tcp --dport 53 -j REJECT
	# Allow LAN clients to query the firewall itself
	iptables -I INPUT 1 -i green0 -p udp --dport 53 -j ACCEPT
	iptables -I INPUT 1 -i green0 -p tcp --dport 53 -j ACCEPT
	# Allow the firewall's own resolver to query upstream servers via RED
	iptables -I OUTPUT 1 -o red0 -p udp --dport 53 -j ACCEPT
	iptables -I OUTPUT 1 -o red0 -p tcp --dport 53 -j ACCEPT

And I guess you could even add that to /etc/sysconfig/rc.local… many roads lead to hours of frustration, or however the saying goes.
I prefer the redirect option instead.

Anyhow… Once you have forced all DNS queries via the firewall, irrespective of which DNS server the LAN user wants to use, the firewall redirects the query to itself and responds.

Now you could either add a DNS service that does the filtering for you, e.g. 185.228.168.168 for family friendly, or 185.228.168.10 for adult filter, as an example (I’m sure there are more).

Or alternatively you could go nuts like me and create a script (which no longer works correctly under core 142) that generates a blacklist for the unbound DNS from a source like http://dsi.ut-capitole.fr/blacklists/download/porn.tar.gz, or, if you already have the URL filter enabled, you could just use the source /var/ipfire/urlfilter/blacklists/porn/domains instead. No point in downloading anything if you already have it available for abuse.

As said, the script I created seems to break unbound.conf, and until I have figured out which part of it is to blame, I cannot provide it.

The nice part about this approach (elegance aside, and that can be debated) is that you can add additional filtering as needed, and unless the user goes nuts with VPNs etc. there is no way around it. Unlike the URL filter, this method prevents the resolve: no IP, no connection, problem solved.

I hope this helps you.
cheers
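Since the generator script from the post is not available, here is an added example of my own (not the author's script, and not part of IPFire) that does the same job: it reads a squidGuard-style domains file such as /var/ipfire/urlfilter/blacklists/porn/domains (or the domains file inside the ut-capitole tarball) and writes unbound local-zone entries. The cleaning rules, the hostname regex, the sample input and the assumption that IPFire's unbound includes /etc/unbound/local.d/*.conf are all mine.

```shell
#!/bin/sh
# Added example (not the script from the post): turn a squidGuard-style
# "domains" file (one domain per line) into an unbound block list.
# Assumption: unbound on IPFire includes /etc/unbound/local.d/*.conf,
# so the output can be dropped there as blocklist.conf.
set -eu
export LC_ALL=C

# gen_blocklist FILE: print one "local-zone" line per usable domain.
# Every entry is cleaned and validated, because a single malformed line
# or a duplicate local-zone makes unbound refuse to (re)load its config.
gen_blocklist() {
    # strip CRs, comments and surrounding whitespace; drop a leading "."
    # or "*." and a trailing "." so the same domain spelled differently dedups
    tr -d '\r' < "$1" \
    | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/^\.//' -e 's/\.$//' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$' \
    | sort -u \
    | sed 's/.*/local-zone: "&." always_nxdomain/'
}

# count_blocked FILE: how many domains survived cleaning and validation
count_blocked() {
    gen_blocklist "$1" | wc -l | tr -d ' '
}

# Constructed sample input, mimicking what a real blacklist can contain:
# mixed case, duplicates, trailing dots, wildcard prefixes and junk lines.
SAMPLE=$(mktemp)
OUT=$(mktemp)
trap 'rm -f "$SAMPLE" "$OUT"' EXIT
cat > "$SAMPLE" <<'EOF'
# comment line
EXAMPLE.COM
example.com
www.example.org.
.badsite.example
*.other.example
not a domain
192.0.2.1
under_score.example
EOF

# Worked run: 9 input lines become 4 clean local-zone entries
gen_blocklist "$SAMPLE" > "$OUT"
cat "$OUT"
echo "blocked domains: $(count_blocked "$SAMPLE")"   # 4

# On IPFire (assumed paths) install it and verify BEFORE reloading:
#   cp "$OUT" /etc/unbound/local.d/blocklist.conf
#   unbound-checkconf && unbound-control reload
```

Keep the validation and the sort -u even if your source looks clean: unbound rejects a config with a malformed or duplicate local-zone, so always run unbound-checkconf before reloading. One more thing to keep in mind with the whole approach: the port 53 redirect only covers classic DNS. A client that speaks DNS over TLS (tcp/853) or DNS over HTTPS (tcp/443) never reaches unbound, so if you rely on blocking the resolve, those need to be blocked separately.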