I recently set up a pfSense box as a trial for transparent proxying in a school. The driver behind this was to try to meet the UK’s Prevent legislation in a cash-strapped organisation. I’m a huge advocate of pfSense; I think it’s an excellent product with a staggering feature set for free. Alternative UTM products could have run the school into thousands of pounds of hardware, support costs and subscription charges, not to mention the cost of a consultant to come in and set it up.
pfSense can use the open source Squid proxy with the SquidGuard filtering add-on as a transparent proxy. SquidGuard can make use of freely available online lists to categorise websites and control access to those categories. However, one thing it doesn’t do is notify you when someone hits a blocked category. You can view the logs in real time, and because the SquidGuard logs are separated from the main Squid ones you see only policy contraventions (as well as, for example, SquidGuard rewriting search URLs to enforce SafeSearch), but you have to be looking. A requirement from the school’s IT administrator was that they wanted an email the second someone tried to access something forbidden.
Now, given that pfSense is FreeBSD under the hood, that should be easy, right? Just call sendmail, job done. However, it’s a very stripped down FreeBSD installation designed for absolutely minimal hardware requirements, so it doesn’t have sendmail. No sendmail, no postfix, no mail command. Email notifications are handled internally via PHP. There is a PHP script in place of mail (mail.php) which you can pipe text to. However, the SquidGuard block page is PHP already, and it includes a tonne of pfSense functions out of the box, so why not just use the built-in notification handler. Adding the following line to /usr/local/www/sgerror.php worked lovely:
send_smtp_message($cl['a'] . " tried to browse to " . $cl['u'], "SquidGuard Blacklist Hit");
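The one-liner above fires once per blocked object, so a single page full of blocked images can generate dozens of emails, and the URL in the message is whatever the client requested. The following is an added example (my wrapper, not code from the original post or from pfSense) that throttles alerts per client and destination host and strips control characters before calling the same send_smtp_message(). It assumes $cl has already been populated by sgerror.php with 'a' (client address) and 'u' (URL) as the post uses them; the 't' key (target category) is assumed from SquidGuard's %t redirect macro and is optional here.

```php
<?php
// Added example: throttled SquidGuard hit notification for pfSense sgerror.php.
// Assumes $cl['a'] (client address), $cl['u'] (URL) and optionally $cl['t']
// (target category) are set by sgerror.php before this code runs.

// One throttle slot per client + destination host, so a page full of blocked
// images produces one email rather than one per image.
function sg_alert_key($cl) {
    $host = parse_url((string)$cl['u'], PHP_URL_HOST);
    if ($host === false || $host === null || $host === '') {
        $host = 'unknown-host';
    }
    return hash('sha256', $cl['a'] . '|' . $host);
}

// Returns true if no alert for this key was sent within $window seconds.
// State is a timestamp file per key under $dir (constructed path, lost on reboot).
function sg_should_alert($key, $window = 300, $dir = '/tmp/sgalert') {
    if (!is_dir($dir) && !@mkdir($dir, 0700, true)) {
        return true; // cannot record state; err on the side of notifying
    }
    $stamp = $dir . '/' . $key;
    if (file_exists($stamp) && (time() - filemtime($stamp)) < $window) {
        return false;
    }
    touch($stamp);
    return true;
}

// Builds the message body with control characters removed, so a crafted URL
// cannot inject extra lines or terminal escape sequences into the email.
function sg_alert_body($cl) {
    $clean = function ($v) {
        return preg_replace('/[\x00-\x1f\x7f]/', '', (string)$v);
    };
    $category = isset($cl['t']) ? $cl['t'] : 'unknown';
    return sprintf("%s %s tried to browse to %s (category: %s)",
        date('c'), $clean($cl['a']), $clean($cl['u']), $clean($category));
}

// Drop-in replacement for the single send_smtp_message() line in sgerror.php.
if (isset($cl) && is_array($cl) && isset($cl['a'], $cl['u'])
        && sg_should_alert(sg_alert_key($cl))) {
    send_smtp_message(sg_alert_body($cl), "SquidGuard Blacklist Hit");
}
```

Every hit still lands in the SquidGuard log; the throttle only limits the email stream, and the stamp directory can be pointed somewhere persistent if you want the window to survive a reboot.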