Block redirect
-
Hi there, I’m fairly new to pfSense. I set some firewall aliases and rules that work great. My question is: is there a way to redirect to another address or IP when blocked? For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out, I’d want it to redirect to DuckDuckGo.
-
@tbr281 said in Block redirect:
Hi there, I’m fairly new to pfSense. I set some firewall aliases and rules that work great. My question is: is there a way to redirect to another address or IP when blocked? For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out, I’d want it to redirect to DuckDuckGo.
Not exactly... You could have those "dirty websites" get a DNS record pointing to a web server internal to your network that has a redirect to DDG. But that wouldn't stop people from using outside DNS servers... so you'd want a combination of maybe pfBlockerNG and blocking third-party DNS (as well as DoH), but YMMV.
-
@tbr281 said in Block redirect:
For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out...
Create reject rules instead of block rules. This prevents the browser from repeatedly trying to connect until the timeout is reached.
-
@rcoleman-netgate I do have pfBlocker running, but some stuff is still getting through…
-
@viragomann said in Block redirect:
@tbr281 said in Block redirect:
For example, I have a rule that blocks dirty websites, but instead of it trying to connect until it times out...
Create reject rules instead of block rules. This prevents the browser from repeatedly trying to connect until the timeout is reached.
Thanks! That fixed that issue. Just wish it would redirect it. I appreciate the heads up though.
-
@tbr281 said in Block redirect:
Just wish it would redirect it.
Even "dirty websites" use TLS these days. Easy to recognize, their URL starts with https://
Without drastic measure on your LAN, that is, all your web visiting devices and pfSense, you can't redirect https://"dirty websites" to https://DuckDuckGo
Your browser won't allow this.
The test : is the host name "dirty websites" present in the certificate obtained ? will fail.
Have a look :That's doesn't look like "dirty websites" : your browser will refuse the connection.
If it was possible, you would also be able to redirect https://some-bank-acess-you-use to https://some-bank-access-you-use, and because you control some-bank-access-you-use (and your site looks identical to some-bank-acess-you-use), now you get the access credentials.
And five minutes later you can access https://some-bank-acess-you-use with the credentials you've obtained, and do what you want.
The thing is, why would you ask if something is possible if you don't want it to be possible?
After all, https://"dirty websites", or https://facebook.com, or https://some-bank-acess-you-use, or https://some-bank-acess-you-use: for your PC, switch, pfSense, your ISP's upstream routers etc., it's all the same: a TCP connection to some server on port 443.
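The host-name check this post describes, as an added example (not code from the thread, from pfSense or from any browser): the browser takes the host name it was asked to reach and looks for it among the certificate's subjectAltName dNSName entries under the RFC 6125 matching rules, so a request for a "dirty website" steered to a server holding a duckduckgo.com certificate is refused. All host names and SAN lists are constructed sample data.

```python
# Added example, not code from the thread: a model of the browser-side check
# described in the post above. The browser matches the requested host name
# against the dNSName entries of the certificate's subjectAltName using the
# RFC 6125 rules (exact match, or a single wildcard as the entire left-most
# label). Modern browsers ignore the CN field. All names here are constructed.

def _normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot, as a matcher would."""
    return name.lower().rstrip(".")


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname matches any dNSName in the certificate."""
    host_labels = _normalize(hostname).split(".")
    for entry in san_dns_names:
        pat_labels = _normalize(entry).split(".")
        if pat_labels == host_labels:  # exact match
            return True
        # Wildcard: only "*", only as the whole left-most label, with at least
        # two fixed labels to its right ("*.com" is never accepted), and it
        # matches exactly one non-empty label (never across dots).
        if (pat_labels[0] == "*" and len(pat_labels) >= 3
                and "*" not in pat_labels[1:]
                and len(pat_labels) == len(host_labels)
                and host_labels[0]
                and pat_labels[1:] == host_labels[1:]):
            return True
    return False


# Constructed SANs of the kind a duckduckgo.com server would present.
DDG_SANS = ["duckduckgo.com", "*.duckduckgo.com"]


def redirect_outcome(requested_host: str, presented_sans: list[str]) -> str:
    """What a browser does when a request for requested_host is steered
    (by DNS or a firewall rule) to a server presenting presented_sans."""
    if hostname_matches(requested_host, presented_sans):
        return "connection accepted"
    return "connection refused: host name not in certificate"


if __name__ == "__main__":
    # Steering "dirty-website.example" at a server with a duckduckgo.com
    # certificate is what the thread asks for; the browser refuses it.
    print(redirect_outcome("dirty-website.example", DDG_SANS))
    print(redirect_outcome("duckduckgo.com", DDG_SANS))
```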