{"id":18472,"date":"2019-09-23T09:11:03","date_gmt":"2019-09-23T09:11:03","guid":{"rendered":"https:\/\/www.firewallhardware.it\/kutter-il-filtro-per-pfsense-opnsense-ideato-per-il-content-filter-e-malware-protection\/"},"modified":"2022-02-17T15:14:00","modified_gmt":"2022-02-17T15:14:00","slug":"kutter-the-filter-for-pfsense-opnsense-designed-for-the-content-filter-and-malware-protection","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/pfsense\/kutter-the-filter-for-pfsense-opnsense-designed-for-the-content-filter-and-malware-protection\/","title":{"rendered":"Kutter: the filter for pfSense\u00ae \/ OPNsense\u00ae designed for the Content Filter and Malware Protection."},"content":{"rendered":"<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Objective of this guide<\/h3>\n<p>In this guide we will discuss how to configure <a href=\"https:\/\/www.kutter.it\/\" target=\"_blank\" rel=\"noopener noreferrer\"><b>Kutter<\/b><\/a> <strong>Content Filter and Malware Protection<\/strong> in the cloud and how to integrate it with our <strong>pfSense\u00ae and OPNsense<\/strong> firewall.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">The hardware and software used<\/h3>\n<p>Tested hardware: we tested all our devices with <strong>Kutter<\/strong> on <strong>pfSense<\/strong> and <strong>OPNsense<\/strong> systems.<br \/>\nSince the computational load is moved to the cloud, we did not experience any slowdown on the tested hardware.<\/p>\n<p><strong>Tested entry level firewalls:<\/strong><br \/>\nThe entire <a 
href=\"https:\/\/www.miniserver.it\/firewall\/entry-level\/firewall-entry-level-2-nic-apu2-based-2gb-ram-wifi\" target=\"_blank\" rel=\"noopener noreferrer\">APU 2 NIC<\/a> line:<br \/>\nThe entire <a href=\"https:\/\/www.miniserver.store\/firewall\/entry-level\/firewall-entry-level-3-nic-apu2-based-2gb-ram-wifi\" target=\"_blank\" rel=\"noopener noreferrer\">APU 3 NIC<\/a> line:<br \/>\nThe entire <a href=\"https:\/\/www.miniserver.it\/firewall\/entry-level\/firewall-entry-level-4-nic-apu4-based-4gb-ram-wifi\" target=\"_blank\" rel=\"noopener noreferrer\">APU 4 NIC<\/a> line:<\/p>\n<p><strong>Tested Corporate Firewall<\/strong>:<br \/>\nThe entire <a href=\"https:\/\/www.miniserver.it\/firewall\/corporate\/compact-small-utm-3\" target=\"_blank\" rel=\"noopener noreferrer\">Compact Small UTM<\/a> line:<br \/>\nAll the <a href=\"https:\/\/www.miniserver.it\/firewall\" target=\"_blank\" rel=\"noopener noreferrer\">Small UTM<\/a> line:<\/p>\n<p><strong>Tested data center firewalls:<\/strong><br \/>\n<a href=\"https:\/\/www.miniserver.store\/firewall\/datacenter\/appliance-a1-server-aluminum\" target=\"_blank\" rel=\"noopener\">A1 Server<\/a>: Firewall<br \/>\n<a href=\"https:\/\/www.miniserver.store\/firewall\/datacenter\/appliance-a2-server-aluminum\" target=\"_blank\" rel=\"noopener\">A2 Server<\/a>: Firewall<br \/>\n<a href=\"https:\/\/www.miniserver.store\/firewall\/datacenter\/appliance-a3-server-aluminum\" target=\"_blank\" rel=\"noopener\">A3 Server<\/a>: Firewall<\/p>\n<p>The <strong>software used<\/strong> on the appliance is <strong>pfSense\u00ae<\/strong> version <strong>2.4.4-RELEASE-p3<\/strong><br \/>\nThe same settings can be performed on <strong>OPNsense<\/strong> using the same rules.<br \/>\nFor those wishing to learn more about <strong>Kutter<\/strong> features, the <strong>specifications can be reached<\/strong> at the following link <a href=\"https:\/\/www.kutter.it\/\" target=\"_blank\" rel=\"noopener noreferrer\">www.kutter.it<\/a><\/p>\n<p>At 
the same link you can also ask for a free demo. The procedure is immediate.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Introduction<\/h3>\n<p>Before starting, I will briefly summarize the features of <a href=\"https:\/\/www.kutter.it\/\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Kutter<\/strong><\/a> and how to use them to add more security to browsing.<\/p>\n<p>Kutter is a powerful content filter and malware protection service for the network. It protects over 1.2 billion clicks a day in 90 different countries by leveraging DNS-based technology for cloud filtering.<br \/>\nThis technology, for the uninitiated, moves the control of the content of the web pages requested by the users and devices of the network that we are &#8220;filtering&#8221; to the cloud, without weighing the network down with web proxies (which are sometimes inefficient).<br \/>\nIts strength is simple and immediate activation, unlike the old proxies, which are difficult to configure and often cause problems.<br \/>\nThis type of filter is perfectly suited to businesses, schools, ISP \/ WISP and public administration.<\/p>\n<p>Any device, be it a firewall like pfSense\u00ae, OPNsense\u00ae, Zeroshell\u00ae, IPFire\u00ae, or a router from our provider, will increase browsing security if configured with Kutter.<\/p>\n<p>Furthermore, Kutter is compliant with GDPR standards.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Before starting<\/h3>\n<p><strong>Prerequisites<\/strong><\/p>\n<ul>\n<li>Have an active <strong>Kutter<\/strong> account. If you do not have an account, activate it immediately by clicking <a href=\"https:\/\/webfilter.kutter.it\/customerarea\/activate?no-login=1&amp;lang=IT\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> or request a <strong>free 30-day demo<\/strong>. 
<strong>Registration is immediate and you will be up and running in seconds<\/strong>.<\/li>\n<li>Have an internet connection.<\/li>\n<li>A firewall (in this guide we will illustrate <strong>pfSense\u00ae<\/strong>, but Kutter is compatible with other systems &#8211; see the compatibility list below).<\/li>\n<\/ul>\n<p>Now let&#8217;s see how to proceed step by step.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Customizing the lists<\/h3>\n<p>First we need to access our configuration panel by going to the <a href=\"https:\/\/webfilter.kutter.it\/\" target=\"_blank\" rel=\"noopener noreferrer\">Kutter<\/a> web page.<\/p>\n<p>Once logged in, we will access our configuration area as shown in the figure.<\/p>\n<p>Click on the Networks tab.<\/p>\n<p>By clicking on the <strong>add new network<\/strong> button, you will be able to configure your line, whether it is dynamic (therefore without a static IP) or static (therefore with an IP perm.<\/p>\n<p>A small menu will open with a series of logos that, when clicked, show how to configure that device in dynamic mode. 
In our example, we will proceed with the &#8220;static&#8221; configuration and then click on the <strong>Manual configuration<\/strong> button at the bottom.<\/p>\n<p>Simply by following the on-screen instructions, we have configured our network.<\/p>\n<p>Now, move to the <strong>Lists<\/strong> tab. You can immediately choose from 3 preloaded profiles, already configured to block different types of sites.<\/p>\n<p>They range from the Base profile up to the more protective and aggressive Alto profile, which imposes many more restrictions. 
A brief description of the blocked content can be read below.<\/p>\n<p>If you want to customize the blocks, click on <strong>Custom configuration<\/strong>.<\/p>\n<p>Below, notice the classic White and Black lists, used to add or remove sites (or entire domains) and customize the profile further.<\/p>\n<p>Finally, <strong>Kutter<\/strong> is able to filter searches according to the blocks of your profile, also excluding blocked content from the search results of the <strong>Google<\/strong> and <strong>Bing<\/strong> search engines.<\/p>\n<p>For example, if I have excluded pornographic content from my profile, I will not see these results in Google and Bing searches.<\/p>\n<p>In this example, we will proceed to perform a <strong>custom configuration<\/strong>.<\/p>\n<p>The list configuration home page looks like the following figure: a list of categories and 3 columns indicating <strong>Allow, Block, Program the block<\/strong>.<\/p>\n<p>Clicking on the arrow to the left of a category will open the list with its content.<\/p>\n<p>In this example we will use the <strong>Social Network<\/strong> category and show how to authorize access only during the lunch break. 
Clicking on the clock-shaped icon in the third column (Schedule Block) opens a menu in which to enter the block time slots.<\/p>\n<p>We continue in this way until the complete customization of our list (in the <strong>Base<\/strong> example).<\/p>\n<p>You can create a different list every <strong>5 coins<\/strong>; that is to say, an office with 25 nominal users can create up to 5 different lists (employees, administration, management, etc.) to balance the different needs of the company. By selecting the basic profile and then clicking on the pencil icon, we will be able to choose one of the 5 usable DNS pairs, in case we want to diversify the lists.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">pfSense\u00ae configuration<\/h3>\n<p>Now that our network and our lists have been configured, let&#8217;s move quickly to our firewall. 
Here we simply need to enter the <strong>Kutter<\/strong> DNS servers, as shown in the figure.<\/p>\n<p>Go to <strong>System, General Setup<\/strong> in the pfSense menu.<\/p>\n<p>In order for <strong>Kutter<\/strong> to start controlling browsing, our network will have to use the firewall as a <strong>DNS server<\/strong>.<\/p>\n<p>There are three possible solutions to achieve this behavior:<\/p>\n<ol>\n<li>Force the network devices to use the pfSense DNS forwarder.<\/li>\n<li>Oblige network devices to use Kutter&#8217;s DNS.<\/li>\n<li>Redirect traffic on port 53 to the Kutter DNS.<\/li>\n<\/ol>\n<p>In this guide we will illustrate the first solution.<\/p>\n<p>We now enable the DNS service from <strong>Services<\/strong> -&gt; <strong>DNS resolver<\/strong>.<\/p>\n<p>Enable it and configure it so that requests can be forwarded:<\/p>\n<p>Check the checkboxes &#8220;<strong>Enable DNS resolver<\/strong>&#8221; and &#8220;<strong>Enable Forwarding Mode<\/strong>&#8221;, selecting the interfaces on which the DNS service will respond (in our case only the &#8220;LAN&#8221;).<\/p>\n<p>Next we will create two rules.<\/p>\n<p>We will then go to <strong>Firewall<\/strong> -&gt; <strong>Rules<\/strong>.<\/p>\n<p>Let&#8217;s create one rule that allows access to the DNS service of the firewall, and a second rule that prevents access to the DNS service for the rest of the traffic.<\/p>\n<p>At this point the firewall will allow the use of only the pfSense DNS server, which will resolve names via the Kutter DNS.<\/p>\n<p>All systems must use the firewall as DNS, either by manually configuring the DNS or by properly configuring the DHCP server.<\/p>\n<p>If you use the pfSense DHCP, go to <strong>Services<\/strong> -&gt; 
<strong>DHCP<\/strong> Server and configure the DNS section with the LAN IP of the firewall (configure as below, assuming that the firewall has IP 192.168.1.1 on the LAN).<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Conclusions<\/h3>\n<p>Its ease of use and configuration make <strong>Kutter<\/strong> a powerful ally to increase corporate security. The implementation methods are sufficiently &#8220;elastic&#8221; to allow its use in practically every context and with every device.<\/p>\n<p><strong>Kutter<\/strong> is compatible with any device that allows the forwarding of DNS requests, and with devices that allow the use of the DDNS service.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kutter, content filter and Malware protection tested with pfSense and OPNsense, Cloud Technology, simple and immediate to activate.<\/p>\n","protected":false},"author":11,"featured_media":25656,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[124],"tags":[261,262,263,264],"class_list":["post-18472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pfsense","tag-filtraggio-en","tag-kutter-en","tag-maleware-en","tag-web-proxy-en"],"_links":{"self":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/18472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/comments?post=18472"}],"version-history":[{"count":7,"href":"https:\
/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/18472\/revisions"}],"predecessor-version":[{"id":23959,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/18472\/revisions\/23959"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media\/25656"}],"wp:attachment":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media?parent=18472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/categories?post=18472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/tags?post=18472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}