
pfSense Force Safe Search Configuration

A look at pfSense, pfBlockerNG, Unbound DNS, and other plugins that allow you to enable safe search.

Safe search is a feature on firewalls that allows you to filter out search results that might not be appropriate for young ones or in certain environments. Let’s look at pfSense force safe search and how to implement it.

What is pfSense?

pfSense is a great open-source firewall with many features like safe search but also other enterprise features including VPN, IDP, IPS, and plugins to add even more capabilities.

You can do the following with pfSense:

  • Firewall rules

  • VPN access

  • Content filtering

  • Force safe search, etc.

These features and others help to protect your network from attackers or just help to protect end-users from certain types of content or sites.

What is Safe Search?

Safe search is a feature of most search engines that filters out explicit content, like pornography, etc. Content filtering for safe search includes:

  • Pornographic images, videos, and websites

  • Hate, violence, and other mature content

This is a feature most families, schools, and organizations want in order to protect users in an age-appropriate way.

How do you enable plugins in pfSense?

Since the safe search feature in pfSense is made possible by a plugin, we will first look at the steps to enable plugins in pfSense in general. Follow the steps below to enable the plugins needed to enforce Safe Search:

  1. Log into your pfSense web interface

  2. Click on “System” in the top menu, and then select “Package Manager” from the dropdown menu.

  3. Then go to the “Available Packages” tab to browse the list of available plugins.

  4. Locate the desired plugin and click the “+” button next to it to install.

Those steps in general will allow you to install any plugin available in pfSense. Now let's see how to install pfBlockerNG in particular, as this is the one that will allow us to enforce safe search.

Install pfBlockerNG

pfBlockerNG filters DNS queries (DNS is the phone book of the Internet), which allows pfSense to block DNS access to specific domains and websites based on certain content and blocklists.

pfBlockerNG also allows turning on enforcing Safe Search. To install pfBlockerNG, follow these steps:

  1. Access your pfSense web interface and log in.

  2. Navigate to “System” > “Package Manager” > “Available Packages”.

  3. Locate “pfBlockerNG-devel” in the list and click the “+” button to install it.

  4. Once installed, you will find the pfBlockerNG menu under “Firewall” in the top menu.

Next, you will click the Confirm button to confirm the installation.

The installation begins, proceeds, and finishes.

Running the pfBlockerNG-devel setup wizard

After you install the pfBlockerNG module and launch it, under Firewall > pfBlockerNG you will run through a setup wizard of sorts.

Configure the inbound and outbound interfaces for pfBlockerNG.

Configure the IP and port the pfBlockerNG module will listen on.

Finally, finish out the installation of pfBlockerNG.

It will download the latest updates to the DNSBL lists. These are lists of websites with content that you want to block based on the content settings and safe search settings.

Google Safe Search VIP

Google offers a special DNS service called “SafeSearch VIP”. This service forces Safe Search for all Google search queries. To configure Google Safe Search VIP in pfSense, follow these steps:

  1. Log into pfSense

  2. Click on “Services” > “DNS Forwarder” or “DNS Resolver”.

  3. In the “General Settings” tab, go to the “Host Overrides” or “Domain Overrides” section, depending on your setup.

  4. Click the “+” button to add a new entry.

  5. Enter the following entry:

    • Host: www.google.com

    • Domain: forcesafesearch.google.com

    • IP Address: 216.239.38.120

  6. Save the changes and apply the settings.

Repeat the steps for other Google-owned domains, such as www.google.co.uk, www.google.ca, etc.

Configure DNS Forwarder or Resolver for Bing and YouTube

To force Safe Search on other search engines (Bing and YouTube), configure DNS Forwarder or Resolver in pfSense. Follow these steps:

  1. Log in

  2. Go to “Services” > “DNS Forwarder” or “DNS Resolver”

  3. In the “General Settings” tab, go to the “Host Overrides” or “Domain Overrides” section

  4. Click the “+” button to add a new entry for each search engine you want to force Safe Search on. For example, for Bing:

    • Host: www.bing.com

    • Domain: strict.bing.com

    • IP Address: 204.79.197.220

     And for YouTube:

    • Host: www.youtube.com

    • Domain: restrict.youtube.com

    • IP Address: 216.239.38.120

  5. Save the changes and apply your saved settings
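To confirm the overrides above are actually being served, the following added example (not from the original article) audits resolver answers against the enforced addresses listed in this article. It assumes answer lines in the "name TTL class type rdata" layout that dig and drill print; the function name and the sample answers are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit resolver answers against the enforced safe-search IPs.
# Expected pairs come from this article; audit_answers is a hypothetical name.

EXPECTED='www.google.com 216.239.38.120
www.bing.com 204.79.197.220
www.youtube.com 216.239.38.120'

# Constructed sample answers. www.bing.com was NOT answered by the override
# here (203.0.113.10 is a documentation address), so it must be reported.
SAMPLE_ANSWERS='www.google.com. 30 IN A 216.239.38.120
www.bing.com. 3600 IN A 203.0.113.10
www.youtube.com. 30 IN A 216.239.38.120'

# Print every expected host whose A answers are missing or differ from the
# enforced IP. Returns non-zero if any host is not enforced.
audit_answers() {
    answers=$1
    bad=0
    while read -r host want; do
        # Collect the distinct A records returned for this exact name.
        got=$(printf '%s\n' "$answers" |
            awk -v h="$host." '$1 == h && $4 == "A" { print $5 }' | sort -u)
        if [ "$got" != "$want" ]; then
            echo "NOT ENFORCED: $host expected $want got ${got:-no-answer}"
            bad=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $bad
}

audit_answers "$SAMPLE_ANSWERS" || true
```

Run it against answers collected from a LAN client that uses the pfSense resolver; a client pointed at a different DNS server will show up as not enforced.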

Other plugins

There are other pfSense plugins that admins can benefit from knowing about:

  1. URL filtering: SquidGuard or DNSBL (DNS Blacklist) within the pfBlockerNG plugin.

  2. Content filtering: Squid and SquidGuard

  3. VPN filtering: You can create firewall rules to block or restrict VPN access to certain websites or services

  4. Application control: Snort or Suricata plugins

Implementing Firewall Rules for filtering content

Aside from configuring Safe Search and utilizing plugins, you can also create firewall rules in pfSense to further enhance content filtering and control web traffic. These rules can block or restrict access to specific IP addresses, ports, or protocols, giving you more granular control over your network’s security. To create firewall rules in pfSense, follow these steps:

  1. Access your pfSense web interface and log in.

  2. Navigate to “Firewall” > “Rules” in the top menu.

  3. Choose the interface (e.g., LAN) where you want to apply the rule.

  4. Click the “+” button to add a new rule.

  5. Specify the action (pass, block, or reject), protocol, source, destination, and other settings according to your content filtering requirements.

  6. Add a description for the rule to help you remember its purpose.

  7. Save the changes and apply the settings.

Editing Local Unbound Configuration Files

You may prefer to edit the local config files for Unbound directly, as this is a great way to manage the settings with configuration management or automation.

One file you can create and edit is /var/unbound/google.conf. In this file you can add custom settings for forcing Safe Search on Google domains. To edit or create the google.conf file, follow these steps:

  1. SSH into your pfSense firewall

  2. Type the following command to create or open the google.conf file in the vi text editor:

vi /var/unbound/google.conf

  3. Press the “i” key to enter insert mode, allowing you to edit the file.

  4. Add the following lines

local-zone: "www.google.com" redirect
local-data: "www.google.com 30 IN A 216.239.38.120"

Repeat these lines for other Google domains, such as www.google.co.uk, www.google.ca, etc.

  5. Once you’ve added the necessary entries, press the “Esc” key to exit insert mode.

  6. Type :wq and press “Enter” to save your changes and exit the vi text editor.

  7. To apply the changes, restart the Unbound DNS resolver service by running the following command:

service unbound restart
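Since the steps above are meant for automation, here is an added example (not from the original article) that generates the local-zone and local-data pairs instead of typing them in vi. It uses the host and IP values given in this article, validates each entry so a malformed line cannot add stray directives to the resolver config, and assumes the resulting file is included from Unbound's server: section; the function names are hypothetical.

```shell
# Added example: emit Unbound local-zone/local-data pairs for safe-search hosts.
# Host/IP pairs are the ones given in this article; function names are hypothetical.

# Constructed input: one "hostname enforced-IPv4" pair per line.
SAFESEARCH_MAP='www.google.com 216.239.38.120
www.google.co.uk 216.239.38.120
www.google.ca 216.239.38.120
www.bing.com 204.79.197.220
www.youtube.com 216.239.38.120'

# Accept only plain DNS names so nothing can inject quotes or extra directives.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
    esac
}

# Accept only dotted-quad IPv4 with four octets, each in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read pairs on stdin, print config for valid ones, fail if any was rejected.
emit_unbound_conf() {
    rc=0
    while read -r host ip; do
        [ -n "$host" ] || continue
        if valid_host "$host" && valid_ipv4 "$ip"; then
            printf 'local-zone: "%s" redirect\n' "$host"
            printf 'local-data: "%s 30 IN A %s"\n' "$host" "$ip"
        else
            echo "skipped invalid entry: $host $ip" >&2
            rc=1
        fi
    done
    return $rc
}

printf '%s\n' "$SAFESEARCH_MAP" | emit_unbound_conf
```

Redirect the output to /var/unbound/google.conf only when the function exits with status 0, then restart Unbound as in the last step above.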

Wrapping up

pfSense is powerful and has many plugins like the pfBlockerNG plugin that can do content filtering and allows you to force the search results to be the safe search variety. This helps to protect your users on the network and is great for families, schools, and other organizations that definitely want to enforce age-appropriate content.




Brandon Lee

