Slides for the January 2017 pfSense Hangout video

1. Squid, SquidGuard, and Lightsquid
On pfSense 2.3 & 2.4
January 2017 Hangout
Jim Pingle

2. About this Hangout
● Project News
● Squid, SquidGuard,
LightSquid Intro
● HTTPS Interception
Overview
● Installing the packages &
prep work
● Squid Configuration
● Transparent Proxy
● SSL/TLS Interception
configuration & Testing
● Anti-Virus in Squid
● SquidGuard
● Lightsquid
● Browser Testing hints
● Monitoring

3. Project News
● pfSense exceeded 500,000 active installs in December!
● pfSense Code Audit
– Audit was performed by an independent consulting firm, InfoSec Global
– Full results at
https://www.netgate.com/blog/netgate-taps-infosec-global-for-pfsense-code-revie
w.html
● Fortinet, Cisco, and pfSense are ranked as the leading firewalls of 2016
based on peer reviews
– http://www.prweb.com/releases/2017/01/prweb13984638.htm
● NET-SNMP package available for pfSense 2.4
– More secure, IPv6 support, SNMPv3, encrypted transport, user or TLS auth,
extendable with custom commands, better trap handling/generation
● Updated trademark policy: https://blog.pfsense.org/?p=2273
● 2.4 getting closer!

4. What are
Squid/SquidGuard/LightSquid?
● Squid is a caching proxy for HTTP and other protocols
– Can speed up access by locally caching commonly loaded sites/objects
– Can save bandwidth by reducing multiple duplicate downloads
– Allows further action on web traffic (access control, reporting)
● SquidGuard is used for access control based on the domain or URL
requested by a client
– Decisions can be made to allow or deny access based on client and/or
destination
– Blocked sites can be redirected to an error page in most cases
– Custom lists of sites or preset blacklists from other sources
● Lightsquid is used for reporting web access history
– Parses squid access log, notes who went where, how much bandwidth they used
– Has reports for daily use, monthly use, etc.

5. Will Squid Work for Me?
●
Without squid, the firewall cannot take an action based on the contents of HTTP/HTTPS packets
– In pf, all that may be seen is the destination IP address and port number, not hostname
– Hostnames can resolve to many IP addresses, or random sets, and cannot be effectively tracked with aliases
in many cases though pfBlocker can assist here with AS tracking in some cases.
– As a proxy, squid sees the whole HTTP transaction including the requested site name
●
Squid can easily transparently capture HTTP content, not HTTPS
– HTTPS can be handled in a few ways that we will cover
●
Squid is not easily compatible with Multi-WAN
– Default gateway switching gets failover, but Load Balancing is not possible/practical
●
SquidGuard tests based on client and destination URL, not page content
●
Squid can help by caching static content, but many pages are dynamic and may not cache well or
at all so the savings may not significant
– Caching dynamic content could also prevent a page from working properly
●
At this time, squid cannot transparently intercept IPv6 traffic on FreeBSD/pfSense, so IPv6 must
be disabled or it could be used to bypass the proxy
●
DNSBL from pfBlocker is a viable alternative to proxying in some cases

6. HTTPS Interception
● Squid can intercept HTTPS (SSL, TLS) in some cases to see all or part of the client communication
● Breaking the chain of trust by acting as a Man-in-the-Middle is a very bad idea
– It could be illegal, check local laws/regulations
– Unless users are notified, it is unethical
– Users will no longer see invalid certificate messages, squid must decide whether or not to trust servers
● Several modes with varying levels of intrusion
– Bump – Allows squid to be a MITM and present a fake certificate, handling separate TLS connections from client and to server
– Peek - Lets squid peek inside the SSL negotiation to see things like SNI, can't bump after but can splice
– Stare - Like peek, but can bump after and not splice
– Splice - become a TCP tunnel without decrypting traffic. Client and server exchange data as if there is no proxy
● Peek & Splice is a simple way to unobtrusively filter HTTPS at least by hostname without intruding on client
privacy
– It can only see the hostname but in the majority of cases that is enough to determine if a site should be blocked by squidGuard
● Bump requires installing a self-signed Certificate Authority onto all clients and client browsers so the clients will
trust fake certificates generated by squid
– NOT viable for public networks like a guest network, cafe, hotel, airport, etc!
– Generally only viable for small networks or networks under control of AD or similar with GPO

7. What can Squid See/Act on?
●
Full contents of HTTP are available in any mode
●
Direct means proxy settings in client OS/browser or WPAD type setup where the client knows
proxy & connects
●
Transparent means the client does not know a proxy is in place
● Peek & Splice checks SSL negotiation packets but does not interfere with end-to-end connection
security. It cannot redirect to an error page, only prevent the connection from completing
●
SSL MITM bump decrypts contents of connection, breaks chain of trust
●
Being able to see “Page Contents” means that scanning (e.g. ClamAV) and caching is possible
Squid Mode HTTPS
Destination
Host
HTTPS
Request
URL
HTTPS
Page
Contents
Self-Signed
CA on
Clients
Error
Page
Redirect
Direct ✓ HTTP Only
Transparent HTTP Only
D+Peek&Splice ✓ HTTP Only
T+Peek&Splice ✓ HTTP Only
D+MITM/Bump ✓ ✓ ✓ ✓ ✓
T+MITM/Bump ✓ ✓ ✓ ✓ ✓

8. Install Packages & Prep
●
Before anything can be done, the packages must be installed and
configured
●
System > Package Manager, Available Packages tab
●
Find/install Squid, SquidGuard, Lightsquid, whichever will be used
● Create a Self-Signed CA if using Peek & Splice or MITM
– System > Cert Manager, CAs tab
– Click Add, set Method to Create Internal
– Fill in the Name and other details with sensible values
– Click Save
●
If you will use SSL/TLS MITM, create a server certificate for the GUI
– It can be used for redirects from SquidGuard or AV and the clients will trust it
– Use hostname as CN, hostname as SAN, add IP addresses as SAN entries

9. Basic Squid Configuration
● First get a basic configuration going before attempting anything complicated
● Services > Squid Proxy Server
● Setup Local Cache tab first
– Defaults are fine for most
– Set Hard Disk Cache Size (in MB)
● Large cache eats more RAM! On 64-bit systems squid uses 14MBytes of RAM per 1GB of cache
– Hard Disk Cache System
● Set to “null” when using RAM disks or when only filtering with squidGuard, not caching
– Memory Cache Sizes
● Tune to system RAM
● Actual memory usage will be higher, this is only RAM cache size, not total RAM used by squid
– Object Sizes
● Minimum Object Size: Smaller than this not saved to disk
● Maximum Object Size: Larger than this not saved to disk. Speed = Low, Bandwidth saving = High
● Maximum Object Size in RAM: Smaller than this will be put in memory cache.

10. Basic Squid Configuration
● Squid General tab settings
– Check Enable Squid Proxy
– Check Keep Settings/Data
– Select Proxy Interfaces (e.g. LAN), always include Localhost
– Do not check Transparent HTTP Proxy yet, it could be disruptive – Get the basics
working first
– Do not check Enable SSL filtering yet, even if you want it – Get the basics
working first.
– Check Enable Access Logging, if you want to track where users are going
● Set rotate logs to 7
– Set the Visible Hostname and other related fields if you want them to appear in
the proxy headers
● If you want to hide the proxy, set X-Forwarded-For Header Mode to Delete, check Disable
VIA header, and check Suppress Squid Version
● Some places can still detect a proxy by testing request behavior

11. Basic Squid Configuration
●
ACLs tab
– Not normally necessary to touch, except perhaps to add more Allowed Subnets for
routed segments on internal interfaces
●
Traffic Mgmt tab
– Sizes are in Kilo*bytes*, not bits – Important to remember for the throttling settings.
Set to 0 to disable limits.
– Max down/up sizes – Careful, can break updates
– Throttling – Overall and per-host
– Throttle extensions
● Binary Files: bin, cab, sea, ar, arj, tar, tgz, gz, tbz, bz2, zip, 7z, exe, com
● CD images: iso, bin, mds, nrg, gho, bwt, b5t, pqi
● Multimedia: aif/aiff, asf, avi, divx, mov, mp3, mp4, wmv, mpg/mpeg, qt,ram/rm
● Other extensions
– Custom list, just put in the letters in the extension
– NO spaces between items!
– Example: vmx,vdi,ova

12. Basic Squid Configuration
●
Authentication
– Only viable with direct connections (user has proxy settings in OS/browser manually
or via GPO, WPAD)
– Local, RADIUS, LDAP
– No viable SSO option currently
– For Local, add users on Users tab
●
Testing initial setup
– Put proxy IP address & info into Firefox or a user's OS settings
– FF: Hamburger > Gear > Advanced > Network > Connection Settings, Manual,
enter firewall IP Address, Port
– Try some web requests, check access.log
– If access is not working, fix errors
– If access is working, move on to more advanced configuration
– Remove proxy info from browser if a transparent mode will be utilized

13. Squid – Transparent Proxy
● Now that the proxy is tested and working...
● Transparent proxy - Squid general tab, enable
– Choose the transparent proxy interfaces
– If you are connected to VPNs or other privately-numbered
networks, check Bypass Proxy for Private Address
Destination
– Fill in any other addresses to bypass for
source/destination, don't use website addresses here
● For hostnames, put them in an alias, use alias name here
● Can’t track large sites, but can track ones with simple, static
DNS results

14. Squid – SSL/TLS Peek & Splice
● SSL/TLS Peek & Splice
– Check Enable SSL Filtering
– SSL/MITM Mode
● Splice All: Will always splice every request
● Splice Whitelist, Bump Otherwise: Does what it says on the tin.
– When chosen, to splice all, Visit ACLs tab, enter .* in Whitelist or enter
specific sites to splice.
– Set SSL Intercept Interfaces
– Choose a self-signed CA
● Squid requires it to be set, but it isn’t used in this mode
– Select/enter nothing in the other fields of this section

15. Squid – SSL/TLS Interception
●
Setup SSL/TLS Man-in-the-Middle bump (interception)
– Squid General tab
– Check Enable SSL Filtering
– SSL/MITM Mode: Splice Whitelist, Bump Otherwise
– Set SSL Intercept Interfaces
– SSL Proxy Compatibility Mode:
●
Leave on modern unless users complain about security negotiation errors
– Choose a self-signed CA
– Daemon Children may need increased if the network is busy
– Set Remote Cert Checks and Certificate Adapt to taste, but both can be
left with nothing selected
– Visit ACLs tab after, make sure Whitelist is blank so everything will be
bumped

16. Squid – SSL/TLS Interception
● Install CA Certificate to clients
● Export CA Cerfificate only (not key): System > Cert Manager, CA tab
● Copy to client system(s), examples:
– Windows (IE, Chrome – NOT Edge!)
● Locate CA file on the client PC (e.g. MyCA.crt) & double click
● Click Install Certificate…, select Local Machine, Click Next
● Click Yes at the UAC prompt
● Select Place all Certificates in the following store
● Click Browse, then Trusted Root Certification Authorities
● Click Next, Finish, OK, OK
● May need a reboot
– OS X (Safari, Chrome)
● Double click CA File in Finder, enter login info & click Modify Keychain
● Locate the imported certificate under Login, All Items, drag the certificate onto System
● Click the Certificate, File > Get Info
● Expand Trust, Set When using this certificate to Always Trust
– Firefox (Any OS)
● Click Hamburger, Options, Advanced, Certificates Tab, View Certificates
● Click Import, Find & Pick the CA, Check all boxes
● Click OK, close and reopen Firefox

17. Squid – Testing SSL/TLS
Interception
● Open a browser and visit a secure site known to work before you started
● Peek & Splice
– Check the site cert, it should show the actual cert & trust info
– If a cert error is shown, check that SSL/MITM Mode is set to Splice All or that .* is
in Whitelist on ACLs tab
● Bump/MITM
– If a certificate error is shown, check the way the CA was imported, reboot/close &
reopen browser/etc
– If the request succeeded, check cert info, it should match your self-signed CA
– If it succeeded, no cert error, but shows original cert, then either the request did
not go through the proxy or squid is using peek & splice
● Check that SSL/MITM Mode is set to Splice Whitelist, Bump Otherwise
● Empty out Whitelist on ACLs tab

18. Squid – Anti-Virus (ClamAV)
● Downsides:
– Not all that effective overall, no gateway AV is
– Only viable for HTTP or SSL+MITM since it must inspect page contents
– Uses a LOT of RAM & CPU!
●
Won't run until AV DB is updated
● Services > Squid Proxy Server > Antivirus tab, Check Enable
●
Client forward: What info clamav will know about the client (Affects virus detected page)
● Enable Manual Config: Disabled – Do not use this unless you know clamav well!
●
Redirect URL: Leave blank to use the internal page
● Google Safe Browsing: Helpful, but consumes even more RAM
●
Exclude Audio/Video Streams: Check to reduce the burden on the scanner by not passing A/V traffic through
●
ClamAV DB Update: 6/24 hrs is probably OK for regular DB update. If using Google Safe Browsing, use 1 hr
●
Regional Mirror: Pick the one closest to this firewall
●
Advanced: Do not touch
● Click Save on AV tab & then Save again on General tab
●
Back to AV tab, Click Update AV – This will take a while to finish
● Add Squid AV Status widget to dashboard, wait for the "Last Update" to fill in
●
Test it out by trying to download EICAR file from client http://www.eicar.org/85-0-Download.html
● There are some additional custom databases that can improve detection, check forum

19. SquidGuard
● SquidGuard is used for allowing or denying based on the
URL requested by the client (e.g. domain name, part of
URL) and the client itself
● Does NOT filter based on text inside page
● Some parts of this package do not currently play well with
the Dark theme, so use Light theme
● SquidGuard Settings are at Services > SquidGuard
Proxy Filter
● After any change in squidGuard, return to this page and
click Apply

20. SquidGuard – General
● Check Enable to activate SquidGuard
● Logging options: Enable all, set rotation
● Clean Advertising: Looks for blacklists with _ads or _adv in name, URLs
in these lists get replaced with a blank image
● Blacklists:
– MESD – Free to use by all: http://squidguard.mesd.k12.or.us/
● Small lists, has some categories that are empty
– Shalla – Free for non-commercial use: http://www.shallalist.de/
● This does not seem to be maintained as actively as it was in the past
– Others: http://www.squidguard.org/blacklists.html
– Enable blacklists if you want, enter a URL to the .tgz to download
– Visit Blacklist tab after saving to download or update the list
– Even if you only intend to use blacklists, you must create at least one custom
Target Category!

21. SquidGuard – Target Categories
● Target Categories tab:
– Custom lists of sites to allow or deny, similar to blacklist categories
– Domain list can be entered, separated by spaces
● Blocks subdomains (e.g. facebook.com also blocks apps.facebook.com),
but does not block partial matches (e.g. notfacebook.com)
– URL list and Regex can also define patterns to match beyond the
domain name
● Remember: SSL Peek & Splice can only see domain name, not full URL!
– Redirect modes: Will cover shortly under ACLs
– If GUI is running HTTPS, redirected users will receive a cert error.
Recommend using an external redirect.
● If you are doing SSL MITM, create a WebGUI certificate signed by your
MITM CA so the users will already trust it!

22. SquidGuard – ACLs
● Common ACL - ACL for anyone not matched by a group ACL
● Target Rules List
– Choose access level for each category (custom or blacklist)
– Access types:
● “---” - No action taken for this later category
● allow – Allow if never blocked
– If the site is in a later category that is Denied, it will still be blocked!
● whitelist – Allow even if blocked
● deny – Do not allow access
● Default access
– Controls whether access to any site not in a blacklist is allowed or denied by default
– Default deny is more secure but much more of a headache to setup and maintain
● Do not allow IP Addresses in URL: Forces users to access sites by name rather
than IP address, which could bypass name-based checks
– This is known to break some services such as Netflix
● Proxy Denied Error: This text goes at the top of internal error pages

23. SquidGuard Configuration
● Redirect Mode
– Only valid for HTTP or HTTPS with SSL MITM, Peek & Splice will drop the connection harshly
– Select the type and enter a proper value in the box if needed.
– none - Deny content without displaying a formal error.
– Internal Error Page: Enter an error message in the box, displayed with other blocked page details
– Internal Blank Page: Returns an HTML page, but blank
– Internal Blank Image: Returns an image file, but blank (Useful for Ad blocking)
– External URL Error Page: Appears to the browser as the actual requested page
● Cannot include other files unless they are inline in the html (no external css, images, etc)
● Automatically has SquidGuard variables appended to pass the requested URL, client IP/name, group, target to the script
– External URL Redirect: Same as "External URL Error Page" except it does not append the request variables
– External URL Move: Redirects with 301
● Client browser is redirected to an external error page but in a way the client browser knows that it happens (301)
● 301 is a permanent redirect, and browsers will often cache it as such
● Since it is an external page, it can use any external resources you like
● Does not get the request variables appended, but you can add them yourself (?a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
● Because it is an external page in a separate request, your ACLs in squidGuard must allow access to the page if it is remote
– External URL Found: Redirects with 302
● Same as above but uses a 302 response
● 302 is temporary so the browser will keep trying the original URL for later requests
● Use SafeSearch engine
– For known search engines that support it, forces the use of the "safesearch" mechanism to prevent loading of adult
material

24. SquidGuard – Group ACLs
●
Similar to Common ACL but applies to only a specific set of users
●
Name – Custom name of the ACL (e.g. user's name, workgroup, set of users)
●
Order – Make sure to list more specific ACLs (e.g. 10.2.0.5) ahead of more general ones
(10.2.0.0/24) so that your desired actions will take place
●
Client (source): Determines what devices will match this ACL
– IP adresses, subnets, IP Ranges, hostnames, or usernames (if using user auth without transparent mode)
– Entries separated by space
●
Time – Schedule used for "off-time" decisions. Not covered in this presentation.
●
Target Rules
– Same mechanism as Common ACL
– Must specify an action for ALL categories for which an action should be taken
– Does NOT “fall through” to common ACL settings
– Left column is used with or without schedules
– If a time is chosen, left column is inside the time period, right column is outside
●
Other options are the same as Common ACL

25. LightSquid - Configuration
●
Requires logging from squid
●
Requires Proxy Interface in squid general settings to include Localhost
●
Runs using a separate web server process on the firewall, using a different port with its own
authentication
●
Lightsquid can be found in the GUI at Status > Squid Proxy Reports
●
Lightsquid Web Port, default is 7445 using SSL
●
Enter a custom user/pass to protect content
●
Report Template Settings
– Whatever you think looks best, such as English, NovoSea, Blue
●
IP Resolve Method
– DNS is the best choice for most, or IP address only
●
Skip URL(s) to leave out of stats (e.g. intranet pages that don't matter)
●
Refresh Scheduler
– 30-60m is probably fine, depending on hardware and server load
● Click Refresh Full before opening the first time or after changing report options
●
Click Refresh to trigger an interim update later

26. LightSquid - Reports
● Click Open Lightsquid to view report
– Access report by year, month, day
– Top sites list can be sorted by Bytes or Connections
– Totals shows all bandwidth used by a client over
time
– Day report shows users that accessed sites that day
● Click their IP address to see the sites they accessed
– “Big Files” shows if a user has downloaded files
larger than a couple MB and shows the full URL

27. Browser Tests
● Use Incognito Mode, Private Browsing Mode, etc. Avoid issues with cached redirects
● Load a proxy test page such as http://www.lagado.com/proxy-test
● Load a normal unblocked/whitelisted web page
● Load a blocked web page - internal error
● Load a blocked web page - external error
● Load HTTPS version of blocked page
● Configure browser for proxy (varies by OS/Browser) & Test again
– Set to use the IP address of the firewall on port 3128 as proxy for all
● Can block 443 on LAN rules if Peek & Splice is not sufficient
● Remember to import the CA Certificate into not just the OS but also browsers like
Firefox if they have a separate certificate store
● After loading some sites, manually refresh lightsquid and then load the report again to
see if reporting works

28. Monitoring
● Squid
– Real Time tab – AJAX page to watch squid logs in near-real-time
● Shows access log, cache log, squidguard blocked requests, AV results, and more
– Sqstat in lightsquid
● Click Open sqstat from Status > Squid Proxy Reports to view squid realtime stats (only
shows large ongoing downloads)
● SquidGuard – Log tab
– For viewing squidguard logs generated by the GUI and other actions
– Blocked: Blocked sites, if logged (also shown on squid Real Time tab)
– Filter GUI Log: Messages about the squidGuard GUI configuration
– Filter Log: SquidGuard process events
– Proxy Config: View of the squid configuration file
– Filter Config: View of the squidGuard configuration file

29. Conclusion
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc