Question about site-blocking and PfSense

Quick hypothetical: I want to deploy a PfSense firewall in a school environment. School policies require both the administrator/staff network and the student network have their OWN set of blocking policies. Is it possible to accomplish per VLAN site-blocking on PfSense? I have looked into Pfblocker-ng, but that seems to only support one DNS server for all VLANs, and therefore one set of policies for all VLANs. I have seen guides on how to do this with proxies, but Tom seems to not like proxies. Any input is much appreciated.

e2guardian which is a bit of a process to get going on pfsense, or you could install it on a linux machine and force all traffic through that machine as a proxy. Either way is kind of involved. HTTPS is becoming an issue, so not sure how much longer this is going to be a viable solution.

Yes it does…caveats

  1. Enable squid and squid guard
  2. In SquidGuard use the UT1 blacklists.
  3. Use SquidGuard ACLs to apply per network filtering

This all assumes you a) like UT1 and b) want to enable a proxy, which I highly suggest you don’t use, at least the pfsense built-in one. Better off going commercial for this granularity.
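The per-network ACLs from step 3 above, written out as a raw squidGuard.conf; this is an added example, not part of the original post, and on pfSense the SquidGuard package GUI generates the equivalent file. The two subnets, the `dbhome` path, the block-page host and the choice of UT1 categories per group are assumptions.

```conf
# squidGuard.conf: added example, not taken from the thread.
# Assumed: staff VLAN 10.0.10.0/24, student VLAN 10.0.20.0/24,
# UT1 lists unpacked under dbhome, block page on filter.example.internal.
dbhome /var/db/squidGuard/ut1
logdir /var/log/squidGuard

# One source group per VLAN subnet.
src staff {
    ip 10.0.10.0/24
}
src students {
    ip 10.0.20.0/24
}

# Destination groups point at UT1 category directories.
# Only domainlist is used here: for HTTPS without interception Squid
# sees just the CONNECT hostname, so hostname matching is what applies.
dest malware {
    domainlist malware/domains
}
dest phishing {
    domainlist phishing/domains
}
dest adult {
    domainlist adult/domains
}
dest games {
    domainlist games/domains
}
dest social_networks {
    domainlist social_networks/domains
}

acl {
    # Staff: block only the security and adult categories.
    staff {
        pass !malware !phishing !adult all
        redirect http://filter.example.internal/blocked?cat=%t&url=%u
    }
    # Students: same baseline plus games and social networks.
    students {
        pass !malware !phishing !adult !games !social_networks all
        redirect http://filter.example.internal/blocked?cat=%t&url=%u
    }
    # Any client that matches no src group is denied.
    default {
        pass none
        redirect http://filter.example.internal/blocked?cat=%t&url=%u
    }
}
```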

Web filtering in pfsense is more trouble than it’s worth. When people require filtering via the firewall we use Untangle.

Untangle is INCREDIBLY powerful, you can apply different policies to different groups of computers and/or users, and/or networks. A strict policy for students, a more lax policy for staff, a different policy for guests, etc. Great edge device to help a school check more green boxes towards CIPA compliance.

pfSense is really bad. It offers next to zero protection in today’s threat landscape. And as you’ve already found out, it has really bad filtering options.

I know we have a lot of Untangle fans here, I would still make the case that this is just as bad. There is no commercial security intelligence baked in, which leaves you open to attacks.

Either shell out some money and get a commercial firewall like a Fortinet box, which comes with URL filtering (based on users, so you can apply very granular filters matching users or user groups) and has a massive security research operation tied in.

If buying such a box is not an option, I would go with the free tier of Cloudflare Teams. The included Cloudflare Gateway product is a full-fledged layer 7 firewall and secure web gateway with granular filtering (URL, DNS) and malware scanning.

When it comes to security, stay clear of open source (even if these open source projects offer paid services).

I will say that I would rather be working with Untangle for the stuff I need to do, and eventually I may have to force a subscription as I am running out of ability with pfsense and e2guardian. There seem to be some issues with the number of things you can allow in a white list before other things start to fail. I may need to do some tuning too and just haven’t had the time. That said, I’m still getting what I need for filtering and getting the security that I think is doing a decent job with Suricata and a few rule sets (and tuning).

That is not true, Untangle buys security feeds and integrates them into the product.

Sure. But then you pay 540$ a year according to their homepage, and the feeds are coming from white-label companies that have no real reputation in the industry (Zvelo and Commtouch/Cyren).

I agree this is much better than pfSense, but I wouldn’t make any compromises in security. I wouldn’t rely on OEM providers such as Zvelo and Cyren, who sell their service for cheap.

Either way, if it has to be Untangle, at least buy their security subscription.

Unclear where you are getting your information from. If Palo Alto’s were free then everyone would have them. No security gateway is perfect and yes pfsense would not fit the need of a F500 looking to do advanced filtering and threat prevention (whatever you think that is) but the real world reality is L4 firewalls fit the bill for lots of consumers. Untangle uses bright cloud I believe so……what’s the issue there? You really haven’t specifically identified where the issues are in open source firewalls. Please elaborate specifically which areas commercial firewalls excel where open source fails.

Hey @michmoor - sorry, I should have been more elaborate. Let me try and explain what I mean:

L4 firewalls are no longer good enough because the vast majority of attacks in today’s threat landscape are not network based attacks. Today, attacks happen on the application layer. Meaning, for example, phishing attacks (the predominant attack vector today). Users click on links in phishing mails that download a malicious payload to the user’s device. Your L4 firewall won’t protect you from that because it doesn’t inspect the data, only ports and IP addresses. Since your L4 firewall typically allows users to connect to the internet on ports 80 and 443, an L4 firewall will allow malicious payloads to pass through.

When that malicious payload explodes on the user’s device, it will also connect to the internet, for example, to command and control servers or reverse shells. Your L4 firewall, again, will let this traffic pass. Because it has no idea the traffic contains malicious payload. It can’t know because it is incapable of inspecting layer 7.

L4 firewalls are good for access control (what/who gets to connect to what). And that’s it. Once an L4 firewall has decided, based solely on IP address and port, that your connection is allowed, all traffic is allowed to pass (on those ports). Including malicious traffic.

Why is this important even for small companies and not just F500s?

Because a huge portion of all attacks (40-50%) target small businesses. According to Verizon’s 2021 Data Breach Report - which is the most comprehensive report of its kind. IBM’s research confirms this. The trend is growing rapidly and dedicated security vendors speak of even higher numbers.

So, from where I stand, even small businesses require “advanced filtering”, as you call it. SSL Decryption is a must, not an option. URL filtering (considering the entire URL, not just the FQDN), malware scanning, as well as proper email security.

Why is open source advanced filtering a bad idea?

Because open source communities just don’t have the massive security research apparatus that is required to assess the threat landscape and find new zero-day attacks in a timely fashion. Compare this to commercial offerings like Cisco’s Talos, Palo Alto, Cloudflare and all the other major players. Especially someone like Cloudflare and Cisco, who have visibility into large portions of the internet traffic, globally, who can detect attack patterns and waves and react to them by updating their “filters” (simplified wording).

By the time open source, crowdsourced filter databases know about the newest attacks, it’s already too late.

Now, I can’t really speak about Untangle specifically. All I’ve seen is their list of technology partners, and that does not include BrightCloud, nor its parent company WebRoot. And even if they had BrightCloud, BrightCloud only delivers intelligence on malicious URLs, but not on actual malicious payload.

This is an extremely complex topic and one forum post can’t explain all of it. But let me conclude by saying that there are a lot of MSPs out there these days that think they are good at security because they can install pfSense. That’s dangerous, because it gives their customers a false illusion of being protected. Security is nothing that can be solved by installing some cheap or free open source firewalls.

You are conflating a lot of claims that just don’t hold up to scrutiny. Claiming these commercial offerings are so far ahead of pfsense is speculative at best. You had earlier mentioned Fortinet, which has a long history of poor coding practices such as CVE-2018-13382 or as it was called “The magic backdoor” they put into their VPN.

If there is something that is giving a false sense of security in the industry it’s the “Enterprise Firewalls” that claim far greater protection than they can offer. Even LAPSUS$ was poking fun at the SOC not even noticing things that are happening, here is the tweet from my friend and security researcher John Hammond:

Security is not just one thing, it’s a series of things. I see security as starting at the endpoint because that is almost always where the bad things start, once you have the end point covered then move on to adding layers, but with so much of the connections being encrypted the firewalls are less effective at analyzing the traffic that passes through them unless you have the certificates installed on all the endpoints of which you still have to do many bypasses for as some systems use certificate pinning.

Just because even the big guys have problems doesn’t mean they aren’t better than open source offerings. I wasn’t really talking about how good or bad these offerings are coded, but rather, about security intelligence.

e.g. the knowledge about the threat landscape at any given day, which exploits are currently (this minute) actively exploited, which new malware sample is currently (this minute) being activated at scale, etc.

I agree that from a technical perspective, an L4 firewall from security vendor XYZ probably does a similar good or bad job as pfSense. But that’s not the point. The point is which protection methods you deploy to protect yourself, and no, plain L4 firewalls that can’t consume up to date security intelligence and that only control access based on IPs/ports are not going to cut it anymore.

I also agree that security needs a holistic approach with multiple point solutions (endpoint protection, secure web gateways, secure email gateways, firewalls) instead of just putting a firewall on your network perimeter.

That is actually exactly what I was pointing to. See above.

And in that context, pfSense will not help you for anything but control access. It won’t protect you from real threats. Replace pfSense with any other L4 firewall and my statement still holds true.

Why did I mention Fortinet? I could as well have mentioned Checkpoint or Palo Alto, but Fortinet is one of the cheapest options. All of them, including Fortinet, have long given up on plain L4 stateful firewalling. All these firewalls today are L7 firewalls that transparently proxy a lot of the traffic to be able to decrypt and inspect layer 7.

Will they catch everything? No. Are they 100%? No. Nothing is 100%. Will they catch more than pfSense? Absolutely. Do you still require other layers of security? Absolutely.

The information you are presenting here is both A) nonsensical and B) seems parroted.
These are the points that rubbed me the wrong way so I will address them.

  1. That OSS doesn’t have the massive security research apparatus. Yes the model open source uses is largely based on people freely giving their time to projects to develop tools that are accessible to anyone including the security firms and companies you used in your examples (Cisco, Cloudflare). The irony of your statement being that those big brand name vendors use OSS all the time and integrate them into their products.
    I think you are also conflating having a lot of money (or resources) with being secure and that’s just demonstrably not true. Every single networking vendor on this planet has been hit with security bugs of many varieties. A simple thought exercise for you should be "If the Ciscos and Fortinets have so much money why do their products have any insecurity?"

  2. Now, I can’t really speak about Untangle specifically.

  • Your statement should’ve ended there because your paragraph goes into nonsense.
  3. SSL Decryption is a must, not an option. URL filtering (considering the entire URL, not just the FQDN), malware scanning, as well as proper email security.
  • I literally work with 2x F500 partners that absolutely do not do SSL decryption due to both legal and technological challenges that come with this. I’ve sat on those Infosec meetings and this is largely a gray area. These are Fintech companies mind you. There are Palos everywhere. It’s not about the vendor but about the requirements when it comes to designing a security infrastructure. Honestly, I’m very confused as to where you are getting any of your datapoints from.
  4. But let me conclude by saying that there are a lot of MSPs out there these days that think they are good at security because they can install pfSense.
  • Ok…Not going to speak for all MSPs. Won’t even speak to Lawrence’s company. I don’t know what MSPs are doing or what they are deploying and neither do you because every customer has requirements and a budget that dictates the hardware and software that will be deployed on-site. You believe customers should be using X but they don’t have an I.T. budget. What then? According to you they are insecure then because they don’t have the magical box that stops all threats.

Conclusion. You are entitled to your opinion. I will respect the fact that you have one on this topic but I have to disagree on every single point you made because it doesn’t stand up to the reality of what companies are going through and what security truly is (it’s about compromise). I love the Palos as much as the next guy but for firms whose only requirement is L4 blocking and some GeoIP filtering, why should they spend the money necessary for simple tasks? Engineering is about requirements not about “must do this” and “must do that”. Anyone can follow a whitepaper of best practices given to them by a vendor. A monkey can do that.
Select the best tool for the job. Or according to you, everyone should have a Bazooka to open a can of tuna-fish because it’s a “MUST”!

one last thing…
Security is a mindset not a firewall.
Look at Okta. Your entire argument has been proven invalid.

I am a bit disappointed that this is turning into a “I know more than you” battle. For what it’s worth, and since you seem to think I don’t know what I am talking about: I am a security engineer, and have been for well over 25 years. I work for large enterprises, including F500s. So I like to think that I have some knowledge in the field.

It may also be the case that we are talking past each other. I am not a native English speaker, so I tend to over-complicate things when trying to express myself in English. So bear with me while I try to address your points:

When I say that OSS firewalls are “bad”, I am not talking about their technology stack. I use a lot of OSS and I am not trying to bash it. But in the context of security, what OSS is lacking - and that is so super important - is the security intelligence. It’s not about how you code your product, it’s about what your product “knows” about threats.

I am not aware of a single OSS security product that has a substantial security “feed”. There are tons of open and free feeds available, things like the OpenPhish database or AlienVault. The problem with all of them is that they are lagging behind severely, they are not up to date. And keeping these things up to date is what I am talking about.

If pfSense + Squid would be able to tap into the security operations of a large vendor, I wouldn’t be saying pfSense is bad.

I hope I am making some sense.

Yes, and again, it’s not about the product itself, it’s about security intelligence. Security data. I don’t know what other word to use.

Just because you know two companies that don’t use SSL Decryption doesn’t mean that’s the norm. As a freelance security engineer, I get to see a lot of large enterprises, and 99% of them use SSL decryption. Those that don’t are really playing with fire. Over 90% of HTTP internet traffic is encrypted. Those two companies you know have a huge blind spot there and it’s really negligent to not scan that traffic.

Yes, SSL decryption is complicated. Yes, there are things you can’t scan or where it plain out fails due to things like pinned certs. And yes, there are regulatory challenges where you can’t decrypt certain traffic. You make exceptions for that and decrypt the rest.

Sure, I can’t know for certain either, but I am speaking from empirical observations. Just go to r/msp, as an example, and MSPs are often choosing what works best for them or what is the cheapest possible route (like pfSense). That isn’t always in the customers’ best interest.

Because as I have outlined above, it puts those companies at severe risk. Companies that think all they need is “L4 blocking and some GeoIP filtering” need to be educated about the risks. Given today’s threat landscape, “L4 blocking” is next to irrelevant. That is a reality. One that even small businesses need to face.

Unfortunately, security is not that simple. If security was only about opening a can of tuna, I would agree with you. But it’s way more complicated than that.

And there are actually easy enough and cheap enough methods to achieve a good security posture without requiring a Bazooka. I named one example in my first post, Cloudflare’s Team product, which has a free tier and comes with a boat load full of security products that when bought as single point solutions from different security vendors, would cost you an arm and a liver.

No. It hasn’t. The fact that Okta was breached changes nothing about what I said. It just proves that Okta itself was negligent in their security practices.

There is no 100% security. Even the best of the best with the best products deployed will get breached. Security is not so much about prevention, but more about risk mitigation.

There is no 100% security. Even the best of the best with the best products deployed will get breached. Security is not so much about prevention, but more about risk mitigation.

  • You not only validated my point completely but undermined all the points you were making regarding open source firewalls. So what is your actual argument against them because it’s still not clear and honestly I’m gathering that you don’t know it either. Firewalls - of any kind - mitigate risks. There is no 100% security. Agreed. The best products deployed will get breached. Agreed.
    So again I’m asking you, what is the actual point you are making because you are all over the place.

Are open sourced firewalls bad? Judging by your points, they are not.
Having a strong security posture can be accomplished really with any tools.

I’m seriously asking…What is your argument here? You are not making any sense. You are affirmative with one statement and then completely backtrack on what you said on another.

I was not expecting this to devolve into this debate.

My argument is that open source firewalls - and as a matter of fact, any open source security product - is lacking vital security intelligence, and hence, always has demonstrably worse security.

Maybe this makes it clearer: A Palo Alto firewall would be complete garbage without all the security subscriptions that PA offers. It would be just as bad as pfSense (in terms of security).

So you are saying that the paid versions of Snort rules and the Emerging Threat rules are garbage? Cisco owns Snort and if I’m not mistaken uses those rules on their security devices, the same rules you can buy for pfsense, OPNsense, and probably a bunch of the high priced devices on the market.

But you are right, community based rules lists are not zero day, they are almost always after an exploit has happened (just like almost every virus scanner). To some extent this also applies to the free rules that Snort and ET offer, and the update period for these free resources is certainly not every hour like some high end devices and paid rule sets might offer.