URL Filter not filtering

Hi,
Core 153.
I have several firewalls out there and URL Filtering does not work on any of them. I have read through the few topics here that might have something to do with this but so far no joy.

I followed this:

Topic 1513 is real similar to my situation except I tried youtube.com

None of the proxies are set to Transparent.

URL Filter Logs are empty.

These are all corporate networks so DNS/DHCP happen on Linux or Windows server.

I’m missing something.
Thanks

Welcome to the community!

Do the clients really communicate for web ( HTTP/HTTPS ) access with the proxy?
With the non-transparent mode of Squid it is quite easy to bypass the proxy, if that isn’t blocked by firewall rules.

Happy to be here.
I’m the one trying to set this up and I’m not trying to bypass the proxy.
I added youtube in the Custom Blacklist as a test. I can still get there.
You mentioned firewall rules. The instructions didn’t say anything about that. What firewall rules are you talking about?
Thanks

To block web bypassing you can adapt the wiki article wiki.ipfire.org - Force clients to use IPFire's DNS proxy using the web ports 80(HTTP) and 443(HTTPS).

I will add, be very careful blocking 443. If you get things that refuse to use a proxy they get cut off. I initially blocked 443 trying to force through proxy but had mission critical things get blocked. Really I’m relying on WPAD and the fact that they need admin creds to modify proxy settings to kind of softly keep them on the proxy.

Of course malware or whatever can bypass proxy completely in this case, but I really can’t see a way to solve this.

Ok. Before we go any farther down this rabbit trail, my question isn’t about bypassing the URL filter; it is that the URL filter is not working and I need help fixing it. I have almost a dozen of these out there and as far as I can tell none of them work.
To set one up:
On the Web Proxy screen check Enable on Green. Do not check Transparent on Green.
On the URL Filter screen check the Block Categories ads: and adv: to block ads on any web page you browse.
Click Save and Restart.
Now when I go to eBay Adblock Plus still shows 8 blocked ads.
or:
Check Enable Custom Blacklist:
Add youtube.com to the blacklist.
You can still get there.
Because it works for others I am obviously doing something wrong.
Help.

Have you denied web access ( ports 80 and 443 ) in forwarding?
You can see whether the requests are handled by squid, if you turn logging on.

@bcrandell Have you set up the proxy settings in your clients? Have you set up WPAD on your DNS and DHCP to enable the clients to auto-configure the proxy settings? Have you ensured that the clients are configured to look for WPAD and auto-configure the proxy settings?

You can’t just enable it in IPFire and expect it to just work, you need to either manually enter the proxy settings on each device or set up proxy auto configuration.

1 Like

These are my settings and when “porn” is ticked in the URL filter, sites such as porn[.]xxx and bigdick[.]com are blocked but nothing shows in the URL log.

:rofl: :rofl: :rofl: :rofl:

Shows up in URL Filter log for me, do you see a difference if it is http or https?

Pays to scroll down to the bottom of the page and tick the “enable log” box.

As for http: is blocked, but https: is not.

Sounds like the traffic is going through your transparent proxy in that case. Have you configured the proxy on the client devices to use the non-transparent proxy? It is a must do if you want to filter https.

1 Like

I was under the impression from the directions:

and a few other places that if you enabled proxy on the firewall then it funneled all traffic through the proxy.
Not so.
I spent the weekend going over more instructions and several YouTube videos, some of which mentioned configuring the workstation to use the proxy. Some didn’t.
Now I know that IPFire is configured correctly. And now that I have the workstations configured filtering is working.
If I could make a suggestion, the second line in the wiki should say something like, “You need to configure the workstation to take advantage of the proxy.”
Now if you will excuse me, my brain is full.
Thanks

Anyone can update the wiki so your suggestion can be made reality by you! :slight_smile:

But also really you should be configuring WPAD and just ensuring the workstation is set to auto-config the proxy, that is nicer.

Ok. That was painless.
I am configuring wpad. The Synology servers were the simplest. The Linux servers weren’t too bad. Windows is driving me nuts but I’m getting it.
Thanks

1 Like
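
The proxy auto-configuration the thread ends on, as an added example that is not part of the original posts and not IPFire's own file: a PAC script of the kind WPAD delivers, sending all web traffic to the non-transparent proxy so the URL filter sees it. The proxy address and port, internal domain and subnets are assumptions, and `ipToInt`, `inNet` and `endsWith` are hypothetical plain-JavaScript stand-ins for the browser's PAC helpers.

```javascript
// Constructed PAC file (served to clients as wpad.dat); all values are assumptions.
var PROXY = "PROXY 192.168.1.1:800";  // assumed IPFire GREEN address and proxy port
var LOCAL_DOMAIN = ".corp.example";   // assumed internal DNS suffix
var LOCAL_NETS = [                    // assumed networks that never need the proxy
  ["127.0.0.0", "255.0.0.0"],
  ["192.168.1.0", "255.255.255.0"]
];

// Dotted-quad string -> number, or null when the host is a name, not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Plain-JS stand-in for the browser's isInNet(), without its DNS lookup.
function inNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

function endsWith(s, suffix) {
  return s.length > suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Entry point every PAC-aware client calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";       // single-label intranet names
  if (endsWith(host, LOCAL_DOMAIN)) return "DIRECT";   // internal domain
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (inNet(host, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is down the request fails instead of
  // silently going around the URL filter.
  return PROXY;
}
```

Clients that ignore WPAD still go direct, so the forwarding rules for ports 80 and 443 discussed earlier in the thread remain the enforcement point.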