URL filter issue

Hello. On URL filter page checked (for example: porn). When user goes directly to porn web site on web browser by typing websitename.com server blocks it but when user searched on web browser (for sample: porn site ) and clicks to any result links web site is opens. How can we block content permanently?

Maybe the search delivers the https URL. This can be blocked by non-transparent proxy only.

1 Like

For clarificaton: The transparent / non-transparent setting has no influence of https connections.
For https filtering with the proxy the browser need to be configured to use the proxy. To force the user to do this you should block the direct way.

1 Like

Arne, you described it very exactly. But forcing clients to use the proxy is equivalent to non-transparent mode, IMHO.

1 Like

Arne is right - you don’t need to - but it’s as you’ve said equivalent to non-transparent operation so there is no need to run transparent anymore.

Thank you very much for hint. I checked this. Search delivers the https URL that’s why web site opens.

Do I have to reconfigure every computer for blocking? There is no other option for blocking from server?

Yes because you have to make sure that all clients use the proxy server. That’s why you need firewall rules that block http + https, too. If you don’t configure the clients to use the proxy and don’t have that firewall rules the clients may resolve the server IP somehow else while you don’t have a clue of it at all.

1 Like

Let me get this right, I block HTTP and HTTPS from green everywhere and only allow the port for the proxy to force users to use the proxy, is that understood correctly by me?

1 Like

Yes!
URLFilter is a proxy ‘addon’. To work effectively, all web traffic must go through the proxy.
For HTTPS URL filtering works on basis of the unresolved URL. Did not look into the lists, whether also IPs of sites to block are contained.

EDIT: just made a little test. /var/ipfire/urlfilter/blacklists/tracker/domains contains IPs. Thus I suspect, this is true for the other lists also.

I found a better way.
Are use a script to integrate in unbound directly Filter list for different categories.
And I foresee clients to use my DNS so ever seen works perfectly now and I don’t use a proxy any more

1 Like

That’s another approach.
But you also have to force your clients to use IPFire.
Integration into the DNS server however doesn’t catch all accesses by IP, which should be blocked.

That’s true but The ipfire the only way to the Internet. I disallow to change the DNS With GPO’s so they have no other choice

1 Like

Hi,

Are use a script to integrate in unbound directly Filter list for different categories.

with regards to DNSSEC, you want to avoid this since there is no way of telling (from
the clitent’s perspective) whether the DNS resolver tampers with certain queries or an
attacker is modifying them.

DNS-based filtering is what PiHole does - it works, it sells (unfortunately), but it really is not sexy.

Forcing clients to use IPFire’s proxy works - I run several IPFire machines for several
years using this setup -, except for (mobile or proprietary) applications which are not
capable of using HTTP proxies.

Thanks, and best regards,
Peter Müller

I know it’s not a clean solution.
But I need for the office network it easy and clean way to Block IPs and domains
A lot of people visiting some bad sites like porn and we have a lot of malware the network
I should only block the sites not more

Hi,

But I need for the office network it easy and clean way to Block IPs and domains

I see. To my knowledge, SquidGuard is missing capabilities to query resolved IP
addresses against IP-based blacklists.

When it comes to DNSBLs, there are some Squid helper scripts available which fix
this. There is a ticket for this, but I did not had time to work on it, yet.
However, this has some disadvantages if you do not run your own DNSBL server, as you
are effectively exposing your user’s browser history to the DNSBL company, your resolver,
and anyone in between.

Since those DNSBL tend to be more complete and accurate than Shalla, for example,
I guess it is still better than nothing.

Thanks, and best regards,
Peter Müller

Sorry but I am still confused over the settings for https sites. Although the contents of data to/from these sites is encrypted, the address is not, so why is this a problem as suggested above?

For example, in my case, I have no proxy on my local PC and I have no firewall rule blocking https - but if I go to hsbc.com (which is a https site), I can only access the site if I have unchecked the finance/banking box in the URL filter page.