Can't get pfBlockerNG to block pornhub.com

johnpoz

@lpd7 said in Can't get pfBlockerNG to block pornhub.com:

web sites whose URLs are encrypted (DoT, DoH).

Just to correct a misnomer here - the website is not encrypted via dot or doh, your browser is bypassing your dns and looking up the IP of the website via dns through the dot or doh server.

You can still setup an host alias for pornhub.com so that pfsense looks up that fqdn and blocks the IP it finds. This should be the same no matter where its looked up from. While pfblocker can do that, its also just a simple native host alias in pfsense.

LPD7

@johnpoz The browsers are using the PFBox for DNS resolution, I have already confirmed that using nslookup within the PF command line. Why is this topic so confusing to get a straight answer to and why do there seem to be so many supposed ways to accomplish this? Seems to me this is something that is core to the system and not something that should be so obscure to accomplish.

JonathanLee

@lpd7 if you are using VLANs you would need to add each of those subnets into the access control list on the Squid Proxy as well as create Access control Lists on the firewall for them. That would be the only difference as they are still going into the firewall. I am not running VLANs as it's just used in my home.

johnpoz

@lpd7 not sure where you going with that statement - its not even your thread. And to be honest I haven't paid to much attention to this whole thread because I agree with you - not being able to get pfblocker to block a domain is clear user error that is for sure.

My point was urls are not encrypted via dot or doh - that is encryption for a dns lookup not the site, etc

If your browser is using dot or doh - you can not block anything via dns, which would be what pfblocker normally does, etc.. Sure it could block via an IP in a rule, just like you can do with an alias.. But if your just telling the browser via a dns look up that some fqdn is 127.0.0.1 or 10.10.10.10 a browser via doh is going to circumvent that.

LPD7

@jonathanlee Thank you for that info it makes things a bit clearer and probably simpler to implement. My new case was just delivered so I am going to put together a second box from which to work on this and hopefully with the help from kind souls such as yourself I can get it running as needed. Thanks again and Happy 4th weekend.

LPD7

@johnpoz Didnt realize that I had to own a thread to ask a question to which the thread was related. Maybe I didnt articulate the issue clearly. If a URL is using HTTPS it seems that the system is unable to see the URL because its encrypted and that additional steps are required to get it to see and filter based on a block list. That is a summary of what I have put together based on all of the feedback from various sources, all I am trying to do now is sift through everything and find the correct way to achieve the goal.

JonathanLee

@lpd7 you can block https urls. Remember all browsers use what are called get requests, proxies use the get requests only to understand when you say that's a block. The data on https when a connection is made that's encrypted and comes after the get request is approved.

johnpoz

@lpd7 you can ask a question sure - but quite often users jump into a thread when their problem isn't the same.

Doh in a browser circumvents your local dns - nslookup might show that the system is using your local dns (pfsense).. But the browser isn't if its using doh.

If your device ask for something.domain.tld and you return 127.0.0.1 or 10.10.10.10 is isn't going to get to http or https://something.domain.tld

But if using doh and it gets the public IP 1.2.3.4 for example - unless you block that actual IP, then sure the browser can get there.

Rainbowergy

Make sure you have the latest version of pfBlockerNG installed. It's always good to stay up to date. Now, regarding the issue with blocking pornhub.com, it might be worth double-checking your category settings in Shallalist and UT1 Summary. Ensure that the appropriate categories related to adult content and porn are selected.

Sergei_Shablovsky

Let’s put my 5c to this: small child from 7(?)yo able to install some app called “free VPN” and Your pfSense are out of game with this: until You not blocking ALL possible VPN protocols - access to PH are open to it…

After You find abilities to blocking ALL possible VPN protocols, the NewNode protocol are from 1 tap away on child’s smartphone.
And am not sure You have a sufficient skills to block NewNode… (sorry bro!)

JonathanLee

@Sergei_Shablovsky I use proxy based blocking with certificates, the firewall can be set to inspect VPN tunnels also in advanced settings in pfSense or Snort. VPNs are not invincible by any means. Again proxy or dns blocking is not invincible also. Just depends on the amount of time it takes to get around the firewall. I think with the proxy it makes it take longer to get around it. You can make it block the ports that the VPN are using also, the free ones will always use the same ports, control access to that port…

Sergei_Shablovsky

@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:

@Sergei_Shablovsky I use proxy based blocking with certificates, the firewall can be set to inspect VPN tunnels also in advanced settings in pfSense or Snort. VPNs are not invincible by any means. Again proxy or dns blocking is not invincible also. Just depends on the amount of time it takes to get around the firewall. I think with the proxy it makes it take longer to get around it. You can make it block the ports that the VPN are using also, the free ones will always use the same ports, control access to that port…

I thinking that would be interesting for You to read https://github.com/clostra/newnode/blob/master/docs/newnode-spec.md

Just try on test iPhone/Android: connect to Your customers lan, install NewNode app, start pcap on an certain interface, and then try to connect to PH.
If pfSense able to block access, - You are win, I’m loose. If not - analyse the dump by WireShark and create additional FW rules…

NewNode VPN
https://apps.apple.com/us/app/newnode-vpn/id1473074621

NewNode
https://apps.apple.com/us/app/newnode/id1603136752

JonathanLee

@Sergei_Shablovsky said in Can't get pfBlockerNG to block pornhub.com:

https://github.com/clostra/newnode/blob/master/docs/newnode-spec.md

Thanks for the info, I will have to get a sandbox going to test this, I am doing classes again so I might not have time anytime soon.

JonathanLee

@Sergei_Shablovsky

Hello again, I got some time, I am spinning up a VM to test it.

My CAL 2 class HW done, and checked, and POLS quiz done.

Just waiting for my one approved VM copy to download per my original Apple software license. I get one VM of the software to use onto of the host software.

That software package says it stops host services so I want it in a sandbox/vm to test.

3-4 hrs for my vm to fully spin up I estimate. I am betting on AppID to spot it.

JonathanLee

@Sergei_Shablovsky I have attempted 2 different installs over Virtualbox Version 7.0.8_BETA4 r156879 (Qt6.3.0) on M1 processor, all crash with the development version. I am going to create an ISO and move it to my Windows 11 system and install the VM there I should be able to test this sometime tomorrow. Sorry I even tried Unbuntu with M1 virtualbox. It acts like the iMac has something using the virtualization hardware.

JonathanLee

@Sergei_Shablovsky All right I got my VM system spun up. I am going to test this now it is set up with proxy use and blocking is good inside VM

I just have to install the VPN to test it now

Dang they even blocked me from using apple store in the vm

I am going to have to find another way to download it... The virtual machine I want to test this on has download limitations.

Again my proxy works now so I am only one download away from using the VM for its cybersecurity test after I can delete it.

I can not test this on the native os because it has a script that disables all services on the machine if you look at the GitHub. So it has to be in a sandbox environment, however my sandbox does not allow any App Store use. So I need the .dmg file somehow...

So how can I get the APP inside the VM if I can't get to the App Store?

I am working on side loading it now

JonathanLee

@Sergei_Shablovsky I am going to git hub clone it

My concern is the apple store version could be different.

JonathanLee

@Sergei_Shablovsky Sorry but....

Netgate WON with the correct ACLs access rules. My firewall already has Newnode's VPN port blocked..

VPN connection is dead on first test Netgate stomped it out.

I got it installed and it started however will not connect because the firewall blocks access to ports it wants. It's not approved with proper Access Control Lists NewNode is not an issue, however this is dependent on someone that can configure a ACL list correctly, many home users do the default so this would work with default settings.

For now it is blocked on my VM test. I am going to spin down and delete this VM

This is a scary VPN it disables the native firewall on osX also...

Sergei_Shablovsky

@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:

@Sergei_Shablovsky I am going to git hub clone it

My concern is the apple store version could be different.

I know from developer’s side, that GutHub and iOS/macOS versions are a little bit different.

But not too much.

Sergei_Shablovsky

@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:

@Sergei_Shablovsky Sorry but....

Netgate WON with the correct ACLs access rules. My firewall already has Newnode's VPN port blocked..

VPN connection is dead on first test Netgate stomped it out.

I got it installed and it started however will not connect because the firewall blocks access to ports it wants. It's not approved with proper Access Control Lists NewNode is not an issue, however this is dependent on someone that can configure a ACL list correctly, many home users do the default so this would work with default settings.

Is it possible for You to test both NewNode and NewNode VPN on Your iPhone?