Let’s assume that you have installed and configured Squid Proxy to block several categories of websites that you don’t want your users or clients to visit ..
In some places maybe interference on client machines or applying group policy on AD is not strict thing and might give the option to users to pass through proxy rules .. so I have considered the same thought and said after I have configured squid proxy to block certain websites (Porn, chat, social…etc) using the Wpad autodiscover method.. I said in case I change the DNS the user will pass through the proxy and find away to connect to those blocked websites.
Then I thought what if I can block external DNS queries and let all the DNS queries pass through the Pfsense or my internal DNS..
To do so I have configured my PFsense’s WAN DNS IP to Google (System>General Setup>
I have added my Local DNS to the DNS resolver (Pfsense Version 2.2)
Next I will go to the Rules and go to my LAN (DMZ in my case) and create 3 rules in total as following:
The rules in the figure below will allow any DNS query request from any source through only (Local Address of the Pfsense) and the second rule will allow DNS requests from the local DNS Server to any DNS server.
Third rule will blcok any DNS request from anywhere else.
Which in result will allow all clients to forcefully use the local DNS to resolve names and resolve IPs, but still even if the user changed his Local LAN/Wifi DNS IP to Google still he’ll be able to connect to the allowed websites from SQUID but he/she won’t be able to resolve FQDNs through (Nslookup command) for example.
I’m attaching screenshots to demonstrate how this is working flawlessly.
As you can see below I have opened google, Flickr, Facebook, gmail, searched for local time and it all worked according to the Squid rules and while still using (8.8.8.8)
Now I will change the DNS back to the local DNS IP and see if i can resolve internet addresses without an issue and connect as well, which worked fine too.
This is a simple article but I’m sure it could be very useful for those companies who want to block wide range of categories and force it on to their employees. or for families who want to avoid their kids from doing naughty stuff or watch violent websites.
If you ever thought of hosting your own Public DNS for your own domain then this article is going to be of help for you as I will go through the process of hosting my own Public DNS for my freely acquired domain www.moh10ly.cf
These free domain providers have poor Public DNS capabilities and usually lack of many DNS records e.g. (SRV, TXT, PTR) and that what made me personally want to go on and host my own public DNS for this domain.
I’m going to use Pfsense 2.1.5 for this demonstration but I guess 2.2 also works as well but haven’t tried TinyDns on it yet.
Ok so to configure your own nameserver, first you must have a public domain (domain.com) ..
In this example I will register a free domain from this registrar: www.freenom.com
The process for registration is pretty simple, you will have to follow the wizard and validate your email then sign in to
your portal to edit or configure your free domain.
I have already added a new domain for myself which is called ( moh10ly.cf )
To configure name servers, You must fulfill the following prerequisites:
Public static IP.
DNS Package on Pfsense
Firewall that supports static NAT.
Next step: I will click on Manage domain to change the DNS configuration to point it to my own name server
When you get the following window, click on Management tools and choose “Register glue records”
Very important note:
Next add your Name servers (They don’t need to exist as we will create them later) but you will have to create 2 at least
and you can point them to the same Public IP address.
Scroll down and you will find an option to add the second dns, you can call it dns2 and point it to the same IP address.
Next save changes, then click on Management tools –> Name Servers and there if you couldn’t find the new name servers
you have configured then enter them here.
Save changes again
Now let’s go on Pfsense and setup our Public DNS (Name Server), You will have to go to “System>Packages>Available
Packages” and there download “dns-server” or “TinyDns”
When you have finished installing TinyDns you will find it under “Services” menu. Click on it
Once you are there, click on “Settings tab” and on the binding IP address place your Public IP which you’ll use for the name
servers. And make sure you use the WAN NIC to listen on.
Save and click on the “New domain wizard” to setup your domain
Click Next
On the next window configure your domain as in the following, make sure that it matches your configuration on registrar’s
domain.
Click Next and Finish
Once finished, go to the Add/ Edit record tab and there you will find 4 created records
Next create the root DNS record which is . And point it to the same public IP and any other records that you might have an
installed role for like Exchange, IIS ..etc
Now it’s time to configure the firewall to allow inbound queries on port 53. here’s the rule that I have created under
(Firewall\Rules) because I have only one Public IP address on WAN I won’t use a static NAT rule.
I will go back to TinyDns on Pfsense to see the incoming requests for name resolving from public clients.
Under the logs tab I could see the requests I was making from my PC using google as my DNS.. So everything works fine.
That’s it, the configuration of your own Name server is done.
Configuring Snort on Pfsense (will be Updated with the latest version soon)
If you would like to protect your system from any public attacks e.g. (Exploits, Transitive trust, Data driven, Infrastructure, DOS, Magic… Etc.) then you should consider deploying IDS or IPS system to detect and protect your network from any attacks.
Deploying Snort
In Pfsense the famous open source firewall, you have the capability to deploy Snort which is one of the most famous and old ID/PS systems around.
In order to do so you will have to go to Packages from System/Packages and install it
After clicking on the packages button, you will get a list of packages and among them snort will be listed there
Click on the + on the far right to start the installation process.
I’ll Click on Confirm to continue
After it’s been installed now you’ll be able to see it on the Services menu tab.
Click on Snort and let’s go configure it.
Before you start configuring Snort, you must know that in order to successfully get it to work you must be registered in at least one of the snort communities which publishes important rules that tells snort what to check.. Similar to the firewall’s rules.
Register on Snort’s Website
The websites are as following and you can find their settings under the Global settings tab in snort window
I will sign up to Snort free account and configure all of the snort supported rules in order to get the most of it. After signing up I’ll need to activate my account.
I have receieved the confirmation now and I’ll confirm my account now, Once confirmed Snort will provide you with a code called VRT Oinkmaster confirmation code.
When your account is activated, you will need to go to your profile by clicking on your activated e-mail top right and you will find it on the left side. Copy the code and paste it to your snort on pfsense.
Just like this
So after I added the code this is how my Global Settings tab looks like (I enabled all the other free rules as well)
Now I will go to Updates tab and start updating rules tab, After clicking update this is how it will look like:
When finished this is how it’ll look like
Back to the updates tab you’ll notice that all the enabled rules have been updated .
If you are connecting to Pfsense from any location where you are planning to enable Snort Interface for then before you enable snort you must consider going to Pass Lists and add your IP (Either private if you’re planning to enable the LAN Interface or Public IP if you’re planning to include WAN Interface).
In order to create a Pass list, you will have to create an Alias and add the Ips you would like to include in the pass note that these IPS are never going to be checked or filtered by Snort.
In order to create an Alias List, click on Firewall Tab and scroll to Alias
Once in IP list page click on the + button far right to add the Ips that you would like to pass.
From type select the type of hosts that you’d like to include there, for me I’d like to include only a couple of Ips
Click Save and Apply then Close then go back to Snort’s Pass Lists and click on + to add new Pass list.
Select all the Networks, WAN IP, GATEWAY, DNS and finally the Alias that you have created and save.
Once saved, this is how the pass lists is going to look like
Now we can go back to Snort Interfaces and enable the WAN Interface for snort. I’ll click on Snort Interfaces tab and click + to add the new interface
Below I will select block offenders in order to protect myself from DDoS attacks and other attempts to crack internet exposed servers e.g. (FTP, Http..etc) .
Here from Pass List I will select the list which I’ve created in the Pass List tab
As you can see below when the icon is red it means that the Snort is not running and you will have to press on the red icon to turn it on.
After enabling the WAN interface you will have to go define some rules and enable them.
Let’s define some rules for this interface e.g. FTP in order to do so I will click on the E next to the WAN description far right on the top snapshot.
We should go to WAN Categories and select different category in order to apply rules.
Note:
Enabling all rules might affect your VM or PM’s processor performance.
Now I will select all the rules from the rules list below and that will enable all the rules also that are included in the Snort GPLv2 Community.
Once added, you will have to apply changes and then click on Apply …. And for any reason if the service did not start as in the below snapshot then you should navigate to Status tab and check the “System Logs”
After doing some digging on this error it seems that it’s caused by the rule “Sensitive Data” and after disabling all the rule set in this rule I was able to start Snort on WAN again.
To disable the rules simply click on the “Disable all rules in the current Category”
When this is done, I will test snort if it’s working by simply try to hack into pfsense’s portal by using wrong passwords for let’s say 10/20 times and see if my IP will get blocked (I’ll use a different Public IP which is not in the pass lists)..
After trying about 7 attempts with wrong username and password I tried refreshing the page
Here is what I got
I will go check Snort blocked list and see if the IP that I tried connecting from is there note that the Public IP which I was trying to connect from was
As you can see below the IP has been blocked and the alert description says it as it is (http_inspection)
So that means that our snort works as it’s supposedly expected to.
In this post I will guide you through the configuration of how to enable SSH accessibility to Pfsense on a non-standard SSH with private keys in order to more strengthen the security of connecting to your firewall.
First thing I will open the web browser to Pfsense then from System tab menu I will click on Advanced
I will scroll down to Secure Shell and enable the secure shell and use different SSH port rather than the standard one 22 and also disable password login for secure shell in order to use configured keys for the user that I wanna allow to connect to SSH.
After this option is enabled I will go to User Manager and create a new User by pressing on the + button far right
Then I will want this user to be part of the admin groups in order to have the required privileges to be able to configure anything from the SSH window without any issue.
Then before I save this user I will scroll down and enable the Authorized Key option.
In order to configure a Key, I will need to use a tool to generate a public and private key for the authorization of the user.
Using Puttygen Tool
In my case I will use Puttygen tool which is free and available to download anywhere on the internet, I will also attach the tool down in this page for anyone to use.
I will run Putty Generator and change the Number of bits in it to make the key harder to crack. So I will put 2048 bits instead of 1024.
I will click on Generate and move my mouse within the putty generator window until the key is generated.
You will have to keep moving your mouse cursor within this window in order for this bar to finish generating your key.
As you can see below the Public and private keys are generated but you will have to type your own “Key Passphrase” as you will need it when you connect to the SSH session.
I will copy the Public key where it says “Public key for pasting into OpenSSH authorized_keys file” and paste it in pfsense in Authorized Keys window
Then Now I will save both Public and private key in a folder for my own use. Let’s create a folder called (Pfsense_SSH_Key) and save both keys in it
I will need to only use the private key with an SSH tool to connect to Pfsense e.g. Putty.
Now I will get back to the user and add some effective Privileges that will allow the user to connect to the SSH, I will click on the + button
And from the System Privileges I will add user – system – shell account access and SSH tunneling
Then save these settings and then save the user settings.
Then configure a Firewall rule with the new SSH port that I have configured in Advanced window, I will go to Firewall tab -> Rules then create a new rule that will allow my public IP address (my work IP address) to my Pfsense’s WAN Address (My Home IP address) on port 2222.
Testing Connectivity
Now I can test SSH connection using Putty tool (Not Putty generator) to see if this works as expected.
Type the IP address in the hostname field, then the port address that I configured for SSH and select SSH under Connection Type.
Before clicking on Open to open the connection I have to load the private key from SSH -> Auth
Now I will click on Open, it should give you a warning when it opens up
Click Yes and continue then type the Username that I setup and the passphrase that you set it up.
After successful login it will show the following and here you can startt
I am going to try and show the network configuration by typing Ifconfig …
So everything seems to be working as expected, If you want to provide more admin privileges to this particular user you will have to login as the admin and from the user’s “Effective Privileges” section add more system privileges to it.
How to Block Facebook on HTTPS on Squid proxy server without importing IPS/CIDR or configure Clients browsers for the Proxy settings using the WPAD Autodiscover for Squid feature
Note:
Before you begin reading this article, you must have the proxy filter configured to deny SocialNet in the blacklist in Service / Proxy Filter / Common ACL
In order to block Facebook or any other website on HTTPs protocol on pfsense (SQUID) without finding all the CIDR or IPs to block facebook or any other website’s IPs we will have to use the Squid proxy’s Autodiscover feature which uses Wpad file .. Let’s say similar to how Exchange uses Autodiscover’s XML file.
Prerequisites
In order to block sites on HTTPS you will need to have SQUID Guard proxy installed and configured on Pfsense. If you don’t know how you can look it up here.
In order to use this feature you will have to disable the transparent mode on Squid server, To do so navigate to proxy server under the Services Menu then Proxy Server then un-tick the Transparent HTTP proxy.
You will need to have the DHCP server up and running and you will need to create a DHCP option 252 that will provide the HTTP path to the files that we will create further on.
DNS Server configured for the domain in order to add a required A record value for the wpad. The clients are going to look that up through the DHCP option mentioned in step 3.
Autodiscover Files
Then we will have to create the following files in Notepad and save each of them with a specific extension as in the below snapshot
The 3 files contain the same contents inside them “This is a single file with a JavaScript function which tells the browser how to find a proxy hostname and port” which is Squid Proxy server’s IP or Pfsense’s IP, I will open one of them and show you how I have configured this file.
Note: The IP 10.10.0.155 represents my proxy server (PFsense in this case) which has Squid installed and configured on it.
Once these files are saved, I will use a very simple HTTP server tool to host them on any of my servers on a specific port which clients can reach without any problem. My favorite tool is HFS which you can download from here
After running the HFS appliaction I will run it on the port 8085 and load all the files as in the following snapshot
You can simply load the files by dragging and dropping them under the “Virtual File System” on the right pane.
DNS Configuration
Once this is done we will have to configure the WPAD record on our DNS server with A record pointing to the server where the files are hosted “In my case I have installed the HFS on the AD/DNS server” that has the IP 10.10.0.150
Next I will go the client and check if I can resolve this wpad …
I have tried to resolve the name but apparently the nslookup is not finding the record that I have created although it’s in the DNS, I have tried ipconfig /flushdns, tried restarting the DNS service but nothing solved the problem
Lastly I went to the DNS logs and checked if there’s anything worth noticing there and here’s what I got Error event ID 7600
Googling online with this error got me to this Microsoft KB
All I had was to open registry editor and delete the wpad key from the GlobalQueryBlockList value as following
Here is what it looks like after deleting the wpad
Click Ok and make sure you Restart the DNS Server.
On the client I will flush the DNS cache and do another nslookup attempt.
DHCP Server configuration
the DHCP server’s options as required in the prerequisites earlier. I have my DHCP configured on Pfsense server and now I will configure the DHCP as following.
Here I have clicked on Advanced next to the “Additional BOOTP/DHCP options and in Number I entered the DHCP option that I would like to configure and chose String since it’s WPAD. And on the value side I entered the path for the Wpad URL where I ran the HFS application and made sure it’s accessible by clients.
Next I saved everything and will go to both the HFS to monitor clients activity if they are requesting the file or not and I will go the client and request Facebook on HTTPS.
Note:
In order for the autodiscover (Wpad) feature to work your Internet explorer/Firefox must be set to use the Audo detect settings.
On the HFS Server (My AD) I will look up for any logs that will be reported once I start browsing. Now it’s empty
I will go back to the client and browse Google for example.
Here, I have tried on the client side to open Facebook on https but it didn’t work but other websites are working just fine!
What happened on the HFS server is that the client on Internet Explorer has requested the file “Proxy.pac” file for the settings which means that all of our settings are working properly.
Note:
The only thing I have done on the Proxy Filter to disable Facebook was to Socialnet which includes all the social media websites. In case you want to block only Facebook and leave twitter you will have to extract the blacklist and create your own facebook folder and text file to include all the facebook URLs and then upload it to your own FTP or web server.
To create a script that would auto-login you to Office 365 or SSO or Windows Azure Active Directory, Copy the following Script in notepad and save it as auto-login.ps1
Once the file is saved with the ps1 extension you can run Powershell as administrator, Drag and drop this file into Powershell and it’ll login you automatically.
This will export a file called “ExportLicenseUsage.csv” to your C root drive. you can open this file with Microsoft Excel and find out all the useful information that you’re looking for.
Hope this helps
Testing Office 365 SMTP relay
In order to test Office 365 SMTP relay you will have to create a user with an Exchange online license. After the email is activated for this user you can test this user for relay with the following powershell.
First connect to Microsoft Online service with this user that you’ll be using for relaying.
$msolcred = Get-Credential
Next edit the following powershell with the user’s e-mail and the recipient’s too
This test is known as Client SMTP submission you can also use a different method for multiple devices where you can configure them all to point to a single server (IIS) in a method known as IIS for relay with Office 365 however, all the methods what involve office 365 (Only) for relay will require a user with Exchange online license assigned to it.
If you have configured Hybrid integration between Exchange 2010/2013 with Office 365 using dirSnyc or Azure active directory sync tool and then stopped the synchronization. The accepted domains and additional domains will be removed from the user’s Attributes on the cloud and in order to add these accepted domains again to all of the Office 365 users..
First we’ll have to connect to Exchange online with the following powershell tool. so Launch Azure powershell as Admin and copy the following line by line.
In order to setup a signature for all office 365 Exchange Online users without manually going after each client and set it up, you can do so by using mail flow rules to append the signature along within each and every out going email. To do so, you will have to go to Office 365 Exchange admin portal, then navigate to Mail flow –> choose Rules and click on the + sign
Click on “Apply disclaimers…”
When the new rules opens up, you will have to give it a name and apply condition for the rule. an empty form looks like this one
but here’s what mine looks like, I choose the sender address includes “Specific domain” then in the append the disclaimer part, I have entered an HTML code which includes all user details
after applying the disclaimer I choose to wrap it up. and then in the exception part I added a rule that excludes adding the disclaimer and signature to any reply message by reading the “RE” word in the subject field.
Now the disclaimer code is as following and you may want to configure it or customize it according to your needs.
Code:
HTML CODE</br> </br> <div style=”font-size:9pt; font-family: ‘Calibri’,sans-serif;”> %%DisplayName%%</br> %%Department%%</br> %%Email%%</br> </br> <div><img alt=”Logo” src=”http://s11.postimg.org/jjdha41wv/mynigga.jpg“><p><p><p>Tel: %%PhoneNumber%%</br> Gsm: %%MobileNumber%%</br> Fax: %%FaxNumber%%</br> Address:%%Street%%</div> </div> <span style=”font-size:12pt; font-family: ‘Cambria’,’times new roman’,’garamond’,serif; color:#100101;”>Disclaimer</span></br> <p style=”font-size:8pt; line-height:10pt; font-family: ‘Cambria’,’times roman’,serif;”> ________________________________________ </br> <span style=”padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: ‘Calibri’,Arial,sans-serif; “><a href=”http://www.companywebsite.com”>http://www.companywebsite.com</a></span></br></div></br> ________________________________________</br> <span style=”font-size:10pt; font-family: ‘Cambria’,’times new roman’,’garamond’,serif; color:#928E8E;”>This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span> </p> <span style=”padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: ‘Calibri’,Arial,sans-serif; “><a href=http://www.companywebsite.com>Company Name </a></span></br></br> </div>
I have highlighted the customizable part of the code in Yellow and red so you can change it or configure it according to how you want it to fit for you. The Display name, Department, Email ….etc are all variables for users attributes and they are being pulled from the Microsoft Azure AD, so if your users don’t have any information filled in there then users will likely won’t show anything
Note for the red highlighted link you will have to import only “HTTP” link for the uploaded logo of your company. HTTPS won’t be acceptable or read.
If you’re an HTML noob , you can use the following links for testing and changing colors..etc
Using the w3schools.com website, you can copy the code on the left pane and click on see results and it’ll show you the result on the right pane
See how it looks like
Once you’re done with the code, you will have to copy and paste the link in the disclaimer part on the right pane. next click Save and probably this will take about 10 minutes to be applied or less.
To test if this is going to work, I will go on one of the users that I applied the rule for and fill out their details like display name, e-mail, street ..etc and try to send out an email with this user.
If you run Hybrid Migration Wizard and you noticed that Migrated users from Exchange On-Premises to O365 are not redirected to O365 Owa page then you will have to go through the following to check if there’s an issue and fix it.
In Normal cases, This is done automatically upon running the HCW (Hybrid configuration wizard) but in some cases it might not be found. And therefore when migrated user try to login using the local Exchange OWA page the user is not redirected to O365 OWA and get’s an error.
Resolution:
In order to make sure that redirection is the problem, open Exchange Management PowerShell and run the below command see for ur self if the “TargetOWAURL” is set.
Below in this screen shot, the value for targetowaURL is not set, so we’ll have to set it as in the snapshot after that.
The targetowaURL will point to the OWA of the tenant Url.
I have deployed Hybrid environment for a customer who have Exchange 2010 SP3 with over 11K users. the customer was using SMTP gateway for spam protection and didn’t want to disable or close the gateway through the hybrid environment deployment or after and wanted to have their gateway constantly.
While Microsoft doesn’t support any SMTP gateways in Hybrid environment I had to find a way to configure this gateway to allow any incoming or outgoing emails from Office 365 tenant to Exchange on-premises using the white list feature in all its services e.g. (Anti-Spam, Virus, spoof…etc
After configuring the hybrid deployment, I had a problem with mail flow from/to Exchange Online.
I have checked all Microsoft’s Office 365/Exchange Online/ Exchange Online protection IPs/CIDs in order to white list them or add them to the ignore list on the SMTP gateway in order for mail flow to not be checked from and to Exchange online if the source is Exchange on-premises but that didn’t work until I find a Microsoft article that which was modified very recently by Microsoft 31-05-2016.
The article mentioned that the IP list have been updated, including the removed IPs list as well.
While tracing the logs on Office 365 Message tracer tool I noticed that the connection to the SMTP gateway has been refused due to an IP which the MS article described as “Removed” but it was still used to send emails from Exchange online.
The IP was 213.199.154.78 was greylisted on the SMTP gateway due to it not being added to the white list.
If you read the article you’ll notice that the subnet 213.199.154.0 has been mentioned as removed. so adding the IP to the white list has solved the problem for me
