Home User with Bypass Rules

[sky-knight]

Well, I don't use uPnP... I don't like it. But, it's there and yes if you want to HOST multiplayer games on various consoles you're going to need it.

As for securing Web Filter, all that stuff you just said? And I mean ALL OF IT.

Throw it away...

You're thinking about a DNS based black list, because that's what you've got a frame of reference to understand. Untangle's Web Filter is NOT a DNS based black list. It does use DNS to get its data from the database, but the thing that's inspected is the TCP session carrying HTTP or HTTPs itself.

That means... as long as Untangle is on the path to the Internet, Web Filter is engaged. It doesn't matter where the client resolves its DNS, web filter is in the way. Now you may want to secure your DNS resolution pathways, and that's a valid concern. But you're doing that to harden DNS, not to ensure the content controls work.

The operating mode to bypass it, is either a configuration that does so on the Untangle itself. Or, you have to use a 3rd party VPN solution so Untangle doesn't see the HTTP/HTTPs anymore... or simply use another network connection, like cellular or the neighbor's wifi.

[sclawrenc]

Thanks sky-knight.

In order for Web Filter to inspect encrypted traffic (HTTPS), wouldn't I need to turn on SSL Inspector?

How would you suggest hardening my DNS on Untangle? I'm assuming this would mean I select which DNS servers to use and then try to force all my kids devices to use those DNS servers?

I know I have a lot of questions. Do you know of any parental control guides for setting up Untangle?

Edit: I'm looking into some of the Untangle Wiki stuff and other posts to find some more information.

[jcoffin]

Web Filter will filter based on domain name (SNI) on HTTPS without SSL Inspector.

[sclawrenc]

Web Filter will filter based on domain name (SNI) on HTTPS without SSL Inspector.

Thanks jcoffin. That makes sense. The only way to inspect all HTTPS is to install a cert on each device which I might or might not do later.
I am looking into ways to prevent google searches that will show inappropriate images. For example, if I search for "porn" using google, I will still have porn images displayed. I'm just scratching the surface on what's possible in Untangle. I'm assuming this is because Google searches are encrypted. How does Untangle suggest handling the encrypted DNS connections which I think are the reason I'm able to search for porn images successfully using Google even with the porn category block on Web Filter.

[sky-knight]

Thanks jcoffin. That makes sense. The only way to inspect all HTTPS is to install a cert on each device which I might or might not do later.
I am looking into ways to prevent google searches that will show inappropriate images. For example, if I search for "porn" using google, I will still have porn images displayed. I'm just scratching the surface on what's possible in Untangle. I'm assuming this is because Google searches are encrypted. How does Untangle suggest handling the encrypted DNS connections which I think are the reason I'm able to search for porn images successfully using Google even with the porn category block on Web Filter.

Google actually does a fair bit of that for you, as it by default filters. Controlling what Google does outside of Google is infuriatingly difficult sadly. There is the enforce safe search option, but that requires SSL inspector to be enabled and configured just right to work.

[sclawrenc]

I did a ShieldsUP! port scan, and I noticed that the default Untangle setup has Allow Ping and Allow Dynamic Routing BGP enabled. Do you know why they default to this setting?

[sky-knight]

Yes, Ping is allowed as is OSPF, and BGP, and a few other things.

Now that we've established that your GRC scan is woefully incomplete... Should we continue in discussing the rampant paranoia that comes from the full stealth crowd?

You can go into config -> networking -> advanced -> Access Rules and see the screen I posted above.

You can disable the Allow Ping, and Allow Dynamic Routing rules and you'll get back your stealth light. But, as I hinted at above that light is utterly meaningless. All you're doing is disabling troubleshooting tools. Though, there isn't much harm in disabling those three rules, as long as you're aware you've done so. But are you more secure for doing it? No... not at all.

Whatever you do, don't disable that block all rule at the bottom. Under no circumstances is that OK! Not even for testing... not even for "a few seconds".

[CMcNaughton]

Whatever you do, don't disable that block all rule at the bottom. Under no circumstances is that OK! Not even for testing... not even for "a few seconds".

Screen Shot 2021-02-17 at 8.08.17 AM.png

[sclawrenc]

Thanks to you both. What is the Untangle recommendation on whether or not to enable IPv6? I believe it is disabled by default in Untangle.

[sky-knight]

Thanks to you both. What is the Untangle recommendation on whether or not to enable IPv6? I believe it is disabled by default in Untangle.

I'm not sure what the question is? The screen shots above are the defaults, the defaults are what is recommended.

But if you're wondering if the v6 boxes should be checked? YES! That makes the rules interact with v6 if it sees it.