Hi,
Firstly, make sure that your browsers are configured with the Proxy/Filter (your firewall IP:8080 for all protocols). This is a must. You can hard code these or use WPAD, policies or similar to get the info out. If you are dealing with just a few home PCs then just manually set them, but if you have an Enterprise, that is probably the hardest part to achieve.
Once the above is set, drop to the Firewall CLI (as root) and enter this based upon which version of ClearOS you are using:
V5:
nano /etc/rc.d/rc.firewall.local
V6:
nano /etc/clearos/firewall.d/local
Code:
# Drop all HTTPS traffic from passing through NAT global internal
iptables -I FORWARD -p tcp -s 10.0.0.0/8 --dport 443 -j DROP
# Allow specific subnets to pass
# (-I inserts at the top of FORWARD, so each rule added below is evaluated
#  before the DROP above it: keep the DROP first in this file, the ACCEPTs after)
iptables -I FORWARD -p tcp -s 10.1.1.0/24 --dport 443 -j ACCEPT
iptables -I FORWARD -p tcp -s 10.1.10.0/24 --dport 443 -j ACCEPT
# Administration Static IPs allow unconfigured browser access
iptables -I FORWARD -p tcp -s 10.2.1.16 --dport 443 -j ACCEPT
iptables -I FORWARD -p tcp -s 10.2.1.5 --dport 443 -j ACCEPT
Now restart the firewall service:
Code:
service firewall restart
The above will drop all HTTPS/443 from passing through NAT but allow the Firewall itself to connect. This causes anyone not configured to use the Proxy (Firewall) to be blocked. As there is *always* that special user or group of users, I put in a couple of examples of how to allow specific subnets & IPs to pass whilst denying the rest.
Once all your browsers *have* to use the proxy for access, URL Filtering at least (not word analysis) will take place on HTTPS. It is transparent mode that is currently unable, by design, to filter HTTPS streams. Then make sure facebook.com is in your list of bad sites and you should be in business.
Note that you can reverse the iptables rules to allow access to a set of HTTPS sites like local banks and other frequently used HTTPS sites with a rule like this in the above file:
Code:
iptables -I FORWARD -p tcp -d 167.192.222.0/24 --dport 443 -j ACCEPT
Hope that helps.
Jim
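The same enforcement as an added example, not code from the post above or from ClearOS: it generalises the per-subnet, per-host and per-destination exceptions into allow-lists and puts them on a dedicated chain (hypothetical name HTTPS_PROXY_ENFORCE) so the evaluation order is explicit rather than depending on -I insertion order. The subnets, hosts and the destination range are constructed sample values; the rule text is generated by a pure function that can be reviewed without root, and applied separately.

```shell
#!/bin/sh
# Added example, not from the original post: builds the proxy-enforcement rules
# as an explicit allow-list followed by one DROP on a dedicated chain, so the
# evaluation order does not depend on -I insertion order. The subnets, hosts and
# the destination allow-list below are constructed sample values.

INTERNAL_NET="10.0.0.0/8"                               # whole LAN behind NAT
ALLOW_SRC="10.1.1.0/24 10.1.10.0/24 10.2.1.16 10.2.1.5" # clients exempt from the proxy
ALLOW_DST="167.192.222.0/24"                            # HTTPS sites reachable directly
CHAIN="HTTPS_PROXY_ENFORCE"                             # hypothetical chain name

# Print the rule specifications in evaluation order: every ACCEPT before the
# single DROP. Pure text output, so it can be reviewed (or tested) without root.
https_rule_specs() {
    for src in $ALLOW_SRC; do
        echo "-p tcp -s $src --dport 443 -j ACCEPT"
    done
    for dst in $ALLOW_DST; do
        echo "-p tcp -d $dst --dport 443 -j ACCEPT"
    done
    echo "-p tcp -s $INTERNAL_NET --dport 443 -j DROP"
}

# Number of allow rules, used as a sanity check before applying.
count_accepts() {
    https_rule_specs | grep -c -- '-j ACCEPT'
}

# The last rule must be the DROP; returns 0 when the ordering is correct.
drop_is_last() {
    [ "$(https_rule_specs | tail -n 1 | awk '{print $NF}')" = "DROP" ]
}

# Apply to the kernel (needs root). Idempotent: the chain is created or
# flushed, and the FORWARD hook is inserted only if it is not already there.
# FORWARD only sees NATed traffic, so the firewall's own proxy connections
# (OUTPUT chain) are unaffected, as in the original rules.
apply_https_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    https_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting the spec is intended
        iptables -A "$CHAIN" $spec
    done
    iptables -C FORWARD -p tcp --dport 443 -j "$CHAIN" 2>/dev/null \
        || iptables -I FORWARD 1 -p tcp --dport 443 -j "$CHAIN"
}

# Verify after applying: list the chain with counters. A client that bypasses
# the proxy shows up as packet hits on the DROP line.
show_https_rules() {
    iptables -L "$CHAIN" -n -v --line-numbers
}

# Run directly with "apply": validate ordering first, then apply and show.
if [ "${1:-}" = "apply" ]; then
    drop_is_last || { echo "rule ordering wrong; refusing to apply" >&2; exit 1; }
    apply_https_rules && show_https_rules
fi
```

Running the script with no argument only defines the functions, so `https_rule_specs` can be called to review the generated rules before anything touches the kernel; `sh script.sh apply` as root installs them. The generated order puts the four source exemptions, then the destination exemption, then the catch-all DROP, which is the same policy the -I rules above produce.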