Netgate Discussion Forum

Allow only some websites through pfBlockerng

17 Posts 3 Posters 2.1k Views
    abanet
    last edited by Nov 20, 2023, 8:42 AM

    Hi! I need some help with pfsense and pfBlockerng.

    I'm trying to configure pfsense + pfBlockerng. I use feeds and categories, but I need to permit some IPs from my LAN to access some websites. For example:

    I have my LAN with static IP 192.168.8.0 and I need to allow access to Facebook from the device with static IP 192.168.8.80. How can I do this?

    At this moment I can bypass pfblocker and permit all devices from this LAN to access the internet, but I need to do it only for some websites.

    Thanks a lot!

      greenlight @abanet
      last edited by Nov 20, 2023, 10:02 AM

      @abanet Create a group for these devices. Then, write a pass rule that includes this group in the rules section and move it above the pfblockerng rules.

        abanet @greenlight
        last edited by Nov 20, 2023, 10:11 AM

        @greenlight Thanks for your answer. I use floating rules. Where must I create the rule: floating rules or LAN rules?

          greenlight @abanet
          last edited by Nov 20, 2023, 11:07 AM

          @abanet Can you share a screenshot of your lan rules? I guess you created rules on the LAN side to prevent access and you need to add the new rule on top of these rules.

            abanet @greenlight
            last edited by Nov 20, 2023, 11:11 AM

            @greenlight It's a clean installation. I have the default rules.

              greenlight @abanet
              last edited by greenlight Nov 20, 2023, 1:34 PM Nov 20, 2023, 12:32 PM

              https://forum.netgate.com/topic/150084/is-pfblockerng-able-to-block-all-outbound-traffic-except-whitelistet-sites/17

              You can follow the steps in this link without pfblockerng.

              I also prepared a visual for you. I tried it myself and it works this way. You must only specify a static IP address for the device you will use. After that:

              1.png
              Create an alias for websites with permissions

              2.png
              Create aliases for devices that you allow and whose IP addresses you fix. The marked IP address belongs to my device. You'll probably type 192.168.8.80 there.

              3.png
              You will create a rule to block internet access for all devices.

              4.png
              By selecting the aliases you created here, you will define the devices and the addresses they will connect to.

              5.png
              Your rules should look like this.

              Finally, reload the filters. You can make additions or deletions for both alias groups. Doing this on the Aliases side will be enough.

              The main way pfblockerng works is to block external connections to pfsense. Of course, connections can be blocked in both directions. Very useful for interface based restrictions. But the rules are more favorable for restrictions within the subnet.

              A 2 Replies Last reply Nov 21, 2023, 10:57 AM Reply Quote 1
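
The rule order described in the post above, as an added example that is not part of the original thread: a small Python model of how a packet arriving on the LAN is matched, assuming every rule is "quick" (first match wins) and floating rules are checked before the LAN tab. The alias names, the feed alias and the 203.0.113.0/24 and 198.51.100.0/24 ranges are constructed for illustration; only 192.168.8.80 comes from the thread.

```python
import ipaddress

# Constructed aliases. 192.168.8.80 is the device named in the thread; the
# other ranges are documentation prefixes standing in for real addresses.
ALIASES = {
    "AllowedDevices": ["192.168.8.80/32"],
    "AllowedSites": ["203.0.113.0/24"],
    "FeedList": ["203.0.113.0/24", "198.51.100.0/24"],  # hypothetical block feed
    "any": ["0.0.0.0/0"],
}


def in_alias(ip, alias):
    """True if ip falls inside any network listed under the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def evaluate(src, dst, lan_rules, floating_rules=()):
    """Return (action, description) of the first matching rule.

    Assumed model: all rules are 'quick', floating rules are walked first,
    then the LAN rules top to bottom. No match falls through to default deny.
    """
    for action, src_alias, dst_alias, descr in list(floating_rules) + list(lan_rules):
        if in_alias(src, src_alias) and in_alias(dst, dst_alias):
            return action, descr
    return "block", "default deny"


PASS_ALLOWED = ("pass", "AllowedDevices", "AllowedSites", "LAN pass listed devices")
BLOCK_ALL = ("block", "any", "any", "LAN block all")
FEED_BLOCK = ("block", "any", "FeedList", "floating feed block")

GOOD_ORDER = [PASS_ALLOWED, BLOCK_ALL]  # pass rule on the first line
BAD_ORDER = [BLOCK_ALL, PASS_ALLOWED]   # block rule shadows the pass rule

if __name__ == "__main__":
    cases = [
        ("pass on top", "192.168.8.80", GOOD_ORDER, ()),
        ("other LAN host", "192.168.8.81", GOOD_ORDER, ()),
        ("block on top", "192.168.8.80", BAD_ORDER, ()),
        ("floating block present", "192.168.8.80", GOOD_ORDER, [FEED_BLOCK]),
    ]
    for label, src, lan, floating in cases:
        print(f"{label:24} {src:14} ->", evaluate(src, "203.0.113.10", lan, floating))
```

In this model a LAN pass rule on the first line is never reached when a floating quick block rule already matches the destination, which is why the position of the rule and the tab it lives on both matter.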
                abanet @greenlight
                last edited by Nov 21, 2023, 10:57 AM

                @greenlight I will try this way and tell you something

                Thanks a lot for your help!

                  abanet @greenlight
                  last edited by Nov 24, 2023, 7:21 AM

                  Hi again! I tried this solution but it is still blocked. I see traffic on the rule but still can't connect. Any suggestions?

                    greenlight @abanet
                    last edited by greenlight Nov 24, 2023, 7:57 AM Nov 24, 2023, 7:57 AM

                    @abanet hello, the pass rule should be in the first line. Did you notice this?

                      abanet @greenlight
                      last edited by abanet Nov 24, 2023, 8:06 AM Nov 24, 2023, 8:05 AM

                      @greenlight Hi! Yes. I put it on top but it didn't work. I tried to create the same rule in "floating rules" but still can access web sites in the "Adresses" alias

                        greenlight @abanet
                        last edited by greenlight Nov 24, 2023, 8:12 AM Nov 24, 2023, 8:11 AM

                        @abanet You must use LAN rules. Why are you trying Floating rules? I also tried this on my own system before creating the screenshots and it worked. A step you missed or something you previously configured might be preventing this from working.

                          abanet @greenlight
                          last edited by Nov 24, 2023, 8:33 AM

                          @greenlight Floating rules are enabled by pfBlocker. I tried to disable this option in pfBlocker and put your rule on top but it didn't work

                            greenlight @abanet
                            last edited by Nov 24, 2023, 9:10 AM

                            @abanet Disable pfblockerng and disable all its rules (including LAN and Floating).

                            Just follow the rules I have shown on the LAN side.

                              abanet @greenlight
                              last edited by Nov 24, 2023, 9:16 AM

                              @greenlight That way it works. But I need to use pfBlockerng

                                greenlight @abanet
                                last edited by Nov 24, 2023, 9:21 AM

                                @abanet what is your pfsense version?

                                  Gertjan @greenlight
                                  last edited by Nov 24, 2023, 9:29 AM

                                  @greenlight

                                  Easy.
                                  2.7.1 (or 23.09).

                                  Those who use 2.7.0 or earlier and install pfBlockerng 'now' break the rules: Never install packages before pfSense is on the latest version.

                                  The latest pfBlockerng is compiled against "OpenSSL 3.0", something pfSense 2.7.0 hasn't. It will fail right away.
                                  There is another thread, yesterday or so, that illustrates this situation.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                    abanet @Gertjan
                                    last edited by Nov 24, 2023, 9:39 AM

                                    @Gertjan said in Allow only some websites through pfBlockerng:

                                    2.7.1 (or 23.09).

                                    Those who use 2.7.0 or earlier and install pfBlockerng 'now' break the rules: Never install packages before pfSense is on the latest version.

                                    Hi! I did a fresh installation yesterday, pfSense 2.7.1 and last pfBlockerng, but it still doesn't work
