[SOLVED] Layer 6-7 Internet URL Filtering

I found a program for Windows, Kurupira. I'd love to find an equivalent for older Linuxes, but that's besides the point. When I install it on a Windows machine, it does exactly what I want for the price I want, free.

"However", it only does so on one machine at a time. I want to be able to do this to my whole network! I don't want to buy a sonic wall firewall, because it's too much, even though it does so at layer 3 of the OSI model.

Whatever I get, I would prefer no monthly subscriptions and would strongly prefer free and open source. I would not like easy work arounds to disable it.

I want filtering of URLs, both http and https, so I can block a specific google search or something similar when needed. I would like so in ALL browsers, both open source and not. When I'm using Windows 10, I typically use a combination of Edge, Chrome, and Firefox, while when using Linux, I use Firefox exclusively.

I would like to try and take that program, and install it on a "server" Windows XP or 10 machine (because Windows is what the filtering programs will probably run on), then I want to mess with my gateways or something, until I route all Internet traffic through it, to stop in at that box, then go back to the router and through it to the Internet.

By stopping at that box, I want it to filter out EVERYTHING in my network. Will this program do that if I do as described, or do I need another program? If I should or need to use another program, I need suggestions on which. The logging is optional for now. The filtering is not. I'm preparing for a nephew who isn't born yet.

Quote:

Originally Posted by des_a I found a program for Windows, Kurupira. I'd love to find an equivalent for older Linuxes, but that's besides the point. When I install it on a Windows machine, it does exactly what I want for the price I want, free. "However", it only does so on one machine at a time. I want to be able to do this to my whole network! I don't want to buy a sonic wall firewall, because it's too much, even though it does so at layer 3 of the OSI model. Whatever I get, I would prefer no monthly subscriptions and would strongly prefer free and open source. I would not like easy work arounds to disable it. I want filtering of URLs, both http and https, so I can block a specific google search or something similar when needed. I would like so in ALL browsers, both open source and not. When I'm using Windows 10, I typically use a combination of Edge, Chrome, and Firefox, while when using Linux, I use Firefox exclusively. I would like to try and take that program, and install it on a "server" Windows XP or 10 machine (because Windows is what the filtering programs will probably run on), then I want to mess with my gateways or something, until I route all Internet traffic through it, to stop in at that box, then go back to the router and through it to the Internet. By stopping at that box, I want it to filter out EVERYTHING in my network. Will this program do that if I do as described, or do I need another program? If I should or need to use another program, I need suggestions on which. The logging is optional for now. The filtering is not. I'm preparing for a nephew who isn't born yet.

Sounds like you should look into installing pi-hole on a dedicated machine. It can monitor your whole LAN, Windows machines, too.

That said, by the time your nephew is mature enough to use the internet without adult supervision, thinks will have changed significantly...

I just looked into pi hole. It says it blocks dns, but not urls. What i want to do, is block urls. I can already block dns, but to find a solution with that, I'd need to block www.google.com, but that would be too general and would be too much. I'd rather, for example, block https://www.google.com/pizza, but not https://www.google.com/toenail.

Quote:

Originally Posted by des_a I just looked into pi hole. It says it blocks dns, but not urls.

I guess you mean "IPs" instead of "dns".

This is the same impression I got after reading a few headers on their website, but I have been told that it is much more powerful than that.
Read the docs.

You might be better off with a router that knows deep packet inspection, although it's not that easy to find an open source solution. Maybe opnsense can achieve this? https://opnsense.org/
With an external network device you cannot look at the URLs themselves over https with deep packet inspection, but only at the SNI - server name indication (which is the hostname that identifies a web service) - but there's also such a thing already as encrypting the SNI with TLS 1.3, although I think it's not widely used.

Kurupira, which I haven't heard of before, being installed on the machine itself, can probably see exactly whatever URLs you're trying to access (maybe it runs as a sort of local forward proxy?), so that's quite a different setup.

In corporate environments (I know you're not interested in that, but just for the sake of comparison) you can have both agents on the machines themselves and firewalls which communicate with these agents (e.g. paloalto) to obtain a whole perspective over your network and machines.

Usually on a system that has some sort of firewall one can use it to send internet to the lan and be able to use that across lan. Your lan will connect to the windows internet sharing and then go to wan.

Posting here, because it's not really a new problem. I was researching it, and found out, that maybe squid can be configured to do this, with deep packet inspection, and if it's a transparent proxy, then it's harder to bypass (someone would have to reset a router or make their own network). Also it's easier to configure.

DD-WRT can do that, but it's hard and can't hold a bunch of stuff. Squid on a server machine might be second best, as far as cost. But ubuntu server needs to have squid recompiled to have that feature enabled.

So that led me to opensense like was suggested. I instealled it and tried to rewire. Due to the rewiring, there would have been a fire, if I left it wired that way, or machines would have burnt out. So I can't run it on my antsle, acting in an advance configuration. So I decided to purchase hardware for it...

...Which led me to pfsense! That's because the hardware I bought can run either. It's more well documented. I hope I've got the community version on it, because I don't want to pay for it, unless I can't do it for free.

It's instealled and working as far as the wiring. Now I just need to configure it! Please help me attempt to configure it. First thing is to "put mainrouter in the DMZ". That's what it's called under DD-WRT. Same thing, is what I want to do, but this time with mainrouter, which will allow my existing port forwards to work (I know it's not the best way, but it's good enough for now). Then I can begin testing the squid funtions. I may very well want to do more advance stuff later. I could replace mainrouter, except for I can't, because I need wifi and I need it to be good at it. Can't install mainrouter as access point, because it's more complicated and harder to understand. Simpler to understand is way better.

By the way, just got done with school last month. College!

So I successfully port forwarded all ports to mainrouter. From home network, it won't let me access them with pfsense external ip domain name (no ip name). From other networks, it will let me now. So I guess, with a little adjustment, the first step really is done.

Now, for testing purposes, I need to make pfsense allow me to access things from outside from inside (using the no ip domain name from my own network). DD-WRT automatically does this, but I guess pfsense needs to be told. It probably thinks there's an attack if I try to do that, which is false. Then the first part will be complete. I can always go back and port forward other potocols or perhaps do a 1:1 NAT, if I have to.

Next step after that, is to start blocking things. As soon as I learn how, it will be good. I'm pretty certain I can do that, just need to learn how. I will also look at the pfsense docs, to see if I can figure it out. The only reason I couldn't figure this out before, is I'm lacking pfsense terms, and trying to use DD-WRT terms. If I have to, I'm okay with using opensense if pfsense fails. Just can't find enough docs to do it, but I heard it's definately better, except that.

By the way, I'm trying to set up realatively like cooperations, except smaller and cheaper, free of monthly costs if possible. This is just a home network though and I don't think for now it will ever be anything but that. It's just that some cooperate technology works for me better than doing things a harder way. I've even considered NAC, but that's another story... Need most of it to either overcome or help with disability. Helps me achieve functions like organizing, when fixed again.

@Vincix is absolutely correct towards dpi functionality for what you want to do.
You will not be able to block urls without putting a certificate on every client device and then having another device/router acting as the mtm. This mtm will be doing the redirecting/blocking and logging.
We used something like that in the past and it is serious enterprise gear and not cheap. I deep dived into one while I had support investigate a 'bug' and it was Linux inside ( ͡~ ͜ʖ ͡°)

Btw, dns is now encrypted too and from your browser...

You could look at other software to load onto the clients devices such as net nanny, pluckeye, etc..

I'm pretty sure my pfsense that I invested in will work. Closing not because it's completely solved yet (yet to be implemented), but because actually doing it, is really a seperate task from trying to find out what will work. Also closing for age. Just wanted you to know before I did that though. I can always start another if I really need to, but the intent is not to go rambling on when I think I have the hardware, just not yet the software ability to do it. And there's enough suggestions that I can always, now understanding more, try another if I'm wrong. Hopefully that makes sense! Closing!