EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: hickmanr on Tuesday 15 March 2011, 06:38:05 am



Title: Blocking https://www.facebook.com - a work around
Post by: hickmanr on Tuesday 15 March 2011, 06:38:05 am
This article describes how to block HTTPS (port 443 - SSL) content and other categories or your own custom lists.

In the case of Facebook, I can block Facebook with EFW unless a student uses HTTPS (port 443 - SSL) to connect to it. However, OpenDNS will block the DNS request regardless of what EFW does. You can get to P.l.ayb.oy using HTTPS as well and EFW will not block it.

My solution: point the EFW DNS setting in network configuration to OpenDNS.

OpenDNS isn't too bad to set up. First, go to the OpenDNS (.com) website and create an account, which is free. They do have a paid option with more features, which I haven't needed yet.

You'll have to add the public IP address of your EFW that will be making the requests. OpenDNS will need to send you an e-mail to verify the address and such. I've had to send their help desk an e-mail explaining that my e-mail server lives at a different IP, which they've accommodated for me pretty easily. It just takes a little extra time.

Once you get your network added you can start changing the settings for it on the OpenDNS website. It is pretty straightforward. You can block categories and set custom black and white lists. They allow a little bit of customizing of your blocked page; I added our school's logo to it.

For this example, the only category needed to be blocked is “Social Networking.” I also recommend blocking “Proxy/Anonymizer.” For our needs I also blocked 13 other categories.

Once you get your account created and some settings taken care of, walk through the "Network Configuration" wizard on the "System" tab of EFW and set the DNS to point at OpenDNS, which you can find the IPs for at the bottom of the OpenDNS website. Or, if you prefer, you can point the DNS settings on your computer at OpenDNS, which only makes sense for testing purposes.

Test it.

Hope this helps.


Title: Re: Blocking https://www.facebook.com - a work around
Post by: rosch on Wednesday 16 May 2012, 04:44:45 am
I agree using more than one "filtering device" is the way to go.

I also think your title is a bit misleading: I was hoping to find a way to block https on efw itself  :)

I'll post back as soon as I have a solution to this.


Title: Re: Blocking https://www.facebook.com - a work around
Post by: hickmanr on Wednesday 16 May 2012, 04:52:31 am
The title says "a work around." That isn't misleading.

I look forward to seeing your solution.


Title: Re: Blocking https://www.facebook.com - a work around
Post by: rosch on Wednesday 16 May 2012, 08:03:26 am
The title says "a work around." That isn't misleading.

Well your solution is taking away the scheduling that's available in efw.
Don't get me wrong, OpenDNS is great and I've been using it for quite some time  :)

I look forward to seeing your solution.

After some digging the only robust and convenient solution seems to be blocking by IP addresses:
- robust because DNS can be bypassed if you get hold of the IP.
- convenient because using the endian proxy blocklists you can schedule the blocking, e.g. have webmail domains open only for an hour at noon.
  Also, you have to whitelist these domains on OpenDNS.

That should be an ok solution.
I'll test this with a cron script to get the IP addresses from a domain list file; those addresses are then to be blocked by endian's dansguardian.
Running that script once a week might be sufficient because the addresses should not change too often... but that's only a wild guess. The frequency can be determined later some time.

EDIT: the contentfilter really doesn't care about https, so an IP list is not of much help here. The IP list has to be stuffed in an outgoing firewall rule.
Unfortunately there does not seem to be a schedule for these. A cronjob with an iptables command should be a viable solution.


Title: Re: Blocking https://www.facebook.com - a work around
Post by: kashifmax on Tuesday 22 May 2012, 08:33:37 pm
See also this
http://www.efwsupport.com/index.php?topic=525.15


Title: Re: Blocking https://www.facebook.com - a work around
Post by: rosch on Tuesday 22 May 2012, 08:40:33 pm
See also this
http://www.efwsupport.com/index.php?topic=525.15
Thanks for the heads-up. I've come across that thread :)

With the outgoing firewall enabled to block SSL IP addresses, the not-so-nice part is that when the user actually tries to go there, the connection just times out, which is less precise than a block webpage telling you why you cannot go there.
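
The cron-plus-iptables approach discussed in this thread, sketched as an added example that is not from any poster and not Endian's own tooling: it resolves a domain list to IPv4 addresses and emits outgoing rules that reject port 443 with a TCP reset, so the browser fails at once instead of timing out (there is still no block page). The chain name `BLOCK_HTTPS`, the list path, the `FORWARD` hook and the use of `getent` are assumptions; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example. Hook the chain once (assumed hook point, Endian's own
# chain names are not given in the thread):
#   iptables -I FORWARD -j BLOCK_HTTPS
# Scheduling via cron, e.g. open at noon and re-block at 13:00:
#   0 12 * * * iptables -F BLOCK_HTTPS
#   0 13 * * * /usr/local/bin/block-https.sh --apply

CHAIN=BLOCK_HTTPS
LIST=/etc/block-https.domains     # hypothetical path, one domain per line

# Resolve every domain in the list to "ip domain" lines (needs working DNS).
resolve_domains() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while read -r domain; do
        getent ahostsv4 "$domain" | awk -v d="$domain" '{ print $1, d }'
    done | sort -u
}

# Read "ip domain" lines on stdin and print the iptables commands.
# Only well-formed dotted quads reach a command line, and each IP is
# emitted once even when several domains share it.
emit_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    awk -v chain="$CHAIN" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$1]++ {
            printf "iptables -A %s -d %s -p tcp --dport 443 ", chain, $1
            print  "-j REJECT --reject-with tcp-reset"
        }'
}

# Constructed resolver output (TEST-NET addresses) for a dry run.
sample_pairs() {
    printf '%s\n' \
        '192.0.2.10 social.example' \
        '192.0.2.11 social.example' \
        '192.0.2.10 www.social.example' \
        'not-an-ip junk.example'
}

if [ "${1:-}" = "--apply" ]; then
    resolve_domains "$LIST" | emit_rules | sh    # run as root from cron
elif [ "${1:-}" = "--demo" ]; then
    sample_pairs | emit_rules                    # print only, change nothing
fi
```

Large sites rotate and share addresses, so the list goes stale between runs and can catch unrelated services hosted on the same IPs; review the `--demo` style output before applying.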