
Author Topic: Splice and Bump based on source IPs and destination domains  (Read 307 times)


Offline BluBoy

  • Newbie
  • Posts: 16
  • Karma: +0/-0
Splice and Bump based on source IPs and destination domains
« on: November 14, 2017, 03:41:55 am »
First and foremost, I have set up Squid with HTTPS splice-all on pfSense at home and it is working better than I ever thought possible.
Being able to see basic HTTPS usage data and logs is great!

Now I want to bump a few hosts at home (mostly because I have NFI how to install certs on devices at home: Chromecasts, Roku, Kindles, etc.).
Can I have a whitelist of internal IP addresses (my laptop and mobile) that will be bumped (for blacklist/AV inspection), while all others continue to be spliced (so I can see a summary of who is accessing certain domains)?

In addition to this, I'd also like to exclude certain domains from being bumped (such as when I browse my banking site). Can I also whitelist destination domains?

Finally, I'm not reading many good things about squidguard or [dans/e2]guardian.
Has anyone used https://www.diladele.com/licensing.html before as the web filter and http://www.squidblacklist.org/ for the blacklist?

Thanks

Offline sichent

  • Jr. Member
  • Posts: 56
  • Karma: +9/-0
Re: Splice and Bump based on source IPs and destination domains
« Reply #1 on: November 14, 2017, 06:48:22 am »
Hello BluBoy, if you have questions about web safety ask me.

Offline Bismarck

  • Full Member
  • Posts: 128
  • Karma: +23/-1
Re: Splice and Bump based on source IPs and destination domains
« Reply #2 on: November 14, 2017, 07:50:09 am »
This is my running "SSL/MITM Mode: Custom" config:

Code:
# some banking sites that should not be MITM-ed
acl no_ssl_bump ssl::server_name .mybank.com
acl no_ssl_bump ssl::server_name .whatsapp.com
acl no_ssl_bump ssl::server_name .whatsapp.net
# some source IPs that should not be MITM-ed
acl splice_only src 10.0.1.7
acl splice_only src 10.0.1.8
acl splice_only src 10.0.1.19
# get SNI obtained by parsing TLS Client Hello during step2
# (which is instructed by ssl_bump peek step1)
acl step1 at_step SslBump1
# no_ssl_bump and splice_only
ssl_bump peek step1
ssl_bump splice no_ssl_bump
ssl_bump splice splice_only
# bump the rest
ssl_bump bump all
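The ruleset above only works because Squid evaluates ssl_bump rules once per handshake step, first match wins, and the SNI is not known until the ClientHello has been peeked at. The following is an added example (mine, not Bismarck's config and not Squid code) that models that evaluation in Python so a ruleset can be checked against sample (client IP, SNI) pairs before it goes onto the pfSense box. It assumes a transparent (intercepted) proxy, so no CONNECT host is known at step 1; Squid's documented domain-list matching (a leading dot matches the domain and all its subdomains, no dot matches that host only); and the documented peek/splice/bump step behaviour of Squid 3.5/4. The destination IPs (203.0.113.x) and hostnames in the samples are constructed.

```python
"""Model of Squid's ssl_bump evaluation for the posted ruleset (added example,
not Squid code).  Assumes transparent interception and Squid 3.5/4 step semantics."""
from dataclasses import dataclass
from typing import Optional

# ACL contents, mirroring the posted config.  Squid also accepts a quoted
# file path in place of an inline list (one entry per line).
NO_SSL_BUMP_DOMAINS = [".mybank.com", ".whatsapp.com", ".whatsapp.net"]
SPLICE_ONLY_SRC = {"10.0.1.7", "10.0.1.8", "10.0.1.19"}

# ssl_bump rules in the order they appear in the posted config.
POSTED_RULES = [
    ("peek", "step1"),
    ("splice", "no_ssl_bump"),
    ("splice", "splice_only"),
    ("bump", "all"),
]


@dataclass
class TlsConnection:
    src: str                   # client IP
    dst_ip: str                # intercepted destination IP (constructed sample)
    sni: Optional[str] = None  # None models a ClientHello without SNI


def domain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain / ssl::server_name list semantics."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def server_name(conn: TlsConnection, step: int) -> str:
    """Best server name Squid has at this step: the destination IP until the
    ClientHello has been peeked at, then the SNI if the client sent one."""
    if step >= 2 and conn.sni:
        return conn.sni
    return conn.dst_ip


def acl_matches(name: str, conn: TlsConnection, step: int) -> bool:
    if name == "all":
        return True
    if name == "step1":                       # acl step1 at_step SslBump1
        return step == 1
    if name == "no_ssl_bump":                 # acl no_ssl_bump ssl::server_name ...
        host = server_name(conn, step)
        return any(domain_matches(p, host) for p in NO_SSL_BUMP_DOMAINS)
    if name == "splice_only":                 # acl splice_only src ...
        return conn.src in SPLICE_ONLY_SRC
    raise KeyError(f"unknown acl {name}")


def decide(rules, conn: TlsConnection):
    """Return (final action, step at which it was taken).

    At each step the rules are scanned in order and the first match wins;
    peek/stare advance to the next step, splice/bump/terminate are final.
    """
    step = 1
    while step <= 3:
        for action, acl in rules:
            if not acl_matches(acl, conn, step):
                continue
            if action in ("splice", "bump", "terminate"):
                return action, step
            if action in ("peek", "stare"):
                step += 1
                break
            raise ValueError(f"unsupported action {action}")
        else:
            # No rule matched.  This model does not reproduce Squid's own
            # default for that case, so make it visible instead of guessing.
            raise ValueError(f"no ssl_bump rule matched at step {step}")
    raise ValueError("peeked past step 3")


if __name__ == "__main__":
    samples = [  # constructed sample connections
        TlsConnection("10.0.1.20", "203.0.113.10", "online.mybank.com"),
        TlsConnection("10.0.1.7", "203.0.113.20", "www.example.com"),
        TlsConnection("10.0.1.20", "203.0.113.20", "www.example.com"),
        TlsConnection("10.0.1.20", "203.0.113.30", None),  # no SNI at all
        TlsConnection("10.0.1.20", "203.0.113.40", "notmybank.com"),
    ]
    for c in samples:
        print(f"{c.src:10} {c.sni or '(no SNI)':20} -> {decide(POSTED_RULES, c)}")
```

Two things the model makes visible. First, a client that sends no SNI (some older IoT firmware does this) and whose IP is not in splice_only falls through to `bump all`, because ssl::server_name then only has the destination IP to match against and a dotted-domain entry never matches an IP; if such a device pins its certificate it will break, so list its IP under splice_only. Second, order matters: putting `ssl_bump bump all` ahead of `ssl_bump peek step1` bumps everything at step 1, bank included, since the domain rules never get to run. To grow the lists beyond a few inline entries, Squid accepts a quoted file path on the acl line (e.g. `acl no_ssl_bump ssl::server_name "/path/to/no_bump_domains.txt"`, one entry per line; the path here is a placeholder), and `squid -k parse` checks the result before a reload.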

Offline BluBoy

  • Newbie
  • Posts: 16
  • Karma: +0/-0
Re: Splice and Bump based on source IPs and destination domains
« Reply #3 on: November 15, 2017, 03:02:57 am »
> Hello BluBoy, if you have questions about web safety ask me.

You may have already had an email from me.
The personal usage limit of 7 devices is insanely low. Most households have multiple people, each with multiple devices which would exceed this quite easily.
I've been very eager to try it, but that limit has prevented me for so long (your support was great, responding extremely quickly with a possible solution. But how many people would go to the effort of querying your license restriction over email?)


> This is my running "SSL/MITM Mode: Custom" config:
>
> Code:
> # some banking sites that should not be MITM-ed
> acl no_ssl_bump ssl::server_name .mybank.com
> acl no_ssl_bump ssl::server_name .whatsapp.com
> acl no_ssl_bump ssl::server_name .whatsapp.net
> # some source IPs that should not be MITM-ed
> acl splice_only src 10.0.1.7
> acl splice_only src 10.0.1.8
> acl splice_only src 10.0.1.19
> # get SNI obtained by parsing TLS Client Hello during step2
> # (which is instructed by ssl_bump peek step1)
> acl step1 at_step SslBump1
> # no_ssl_bump and splice_only
> ssl_bump peek step1
> ssl_bump splice no_ssl_bump
> ssl_bump splice splice_only
> # bump the rest
> ssl_bump bump all

This looks like it is exactly what I am after.
Rather than using URLs, I take it I can feed it a list instead?

Also, what settings have you used on the configuration page?
If you are able to, would you mind sharing a screenshot please?

Thanks!

Offline Bismarck

  • Full Member
  • Posts: 128
  • Karma: +23/-1
Re: Splice and Bump based on source IPs and destination domains
« Reply #4 on: November 15, 2017, 04:45:05 am »

> Also, what settings have you used on the configuration page?
> If you are able to, would you mind sharing a screenshot please?
>
> Thanks!

Nothing special, just the default settings; screenshot attached. And yes, you can extend that list of domains and IPs as you like.

Maybe good to know:

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate#Squid_with_SSL-Bump_and_Windows_Updates

https://docs.diladele.com/faq/squid/index.html

If you do AV scanning, feed clamav with extra signatures:

Info: http://sanesecurity.com/usage/signatures/

Script: https://github.com/extremeshok/clamav-unofficial-sigs

Cheers!


Offline slim2016

  • Jr. Member
  • Posts: 36
  • Karma: +1/-0
Re: Splice and Bump based on source IPs and destination domains
« Reply #5 on: February 08, 2018, 06:27:36 am »
Thanks, this worked fine for me.

> This is my running "SSL/MITM Mode: Custom" config:
>
> Code:
> # some banking sites that should not be MITM-ed
> acl no_ssl_bump ssl::server_name .mybank.com
> acl no_ssl_bump ssl::server_name .whatsapp.com
> acl no_ssl_bump ssl::server_name .whatsapp.net
> # some source IPs that should not be MITM-ed
> acl splice_only src 10.0.1.7
> acl splice_only src 10.0.1.8
> acl splice_only src 10.0.1.19
> # get SNI obtained by parsing TLS Client Hello during step2
> # (which is instructed by ssl_bump peek step1)
> acl step1 at_step SslBump1
> # no_ssl_bump and splice_only
> ssl_bump peek step1
> ssl_bump splice no_ssl_bump
> ssl_bump splice splice_only
> # bump the rest
> ssl_bump bump all