Netgate Discussion Forum

    Limit web access for DMZ

    General pfSense Questions
    15 Posts 3 Posters 1.3k Views
    michmoor LAYER 8 Rebel Alliance @SteveITS

      @SteveITS
      Hmm ok, the Unbound views are interesting.
      Do views support wildcard domains like *.windows.com?
      That’s the big thing here. The accounting software documentation does have a few wildcard domains to whitelist if behind a proxy.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      SteveITS Galactic Empire @michmoor

        @michmoor I do not know. IIRC Microsoft has a long list too.

        pfBlocker can use ASNs in generated aliases if you can figure out which are Windows Update.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

      SteveITS Galactic Empire @michmoor

          @michmoor The Windows DNS feature I was thinking of is Conditional Forwarders. But I don't think it can be applied to only some PCs, and with a domain you want all the PCs using the Windows DNS to find the domain.

          IMO WSUS is never the option. ;) However I have seen people mention wsusoffline.net. Never used it.

      stephenw10 Netgate Administrator

            Yup I would probably try to use ASNs there. It does rely on someone keeping them up to date though, which doesn't always happen.

            A lot of companies have public lists of subnets they use and I'm pretty sure MS is one of them. Those are usually accurate. You can add them as a table alias or point pfBlocker at them to do it.

      michmoor LAYER 8 Rebel Alliance

              I appreciate @SteveITS and @stephenw10 for the feedback.

      So Intuit does have their own ASN, so I can craft an IP permit around that.
      MSFT is a bit more challenging, but the solution is going to have to be to allow the ASN as well. I do prefer to control internet access by domain as it's more granular. If I use pfBlocker it's all or nothing, right? Can't be specific on an interface.

      In the future, the ASN piece will be harder. I notice lots of companies use AWS. If I go ahead and permit Amazon I might as well remove the IP block list then. Unless there's something I can do that I'm not thinking of.

              @SteveITS What do you have against WSUS? I think sysadmins use SCCM or something these days.

      stephenw10 Netgate Administrator @michmoor

                @michmoor said in Limit web access for DMZ:

      If I use pfBlocker it's all or nothing, right? Can't be specific on an interface.

                You can use pfBlocker to generate aliases from list urls or ASNs. Then apply them in rules on whichever interfaces you want.

      michmoor LAYER 8 Rebel Alliance @stephenw10

                  @stephenw10 said in Limit web access for DMZ:

                  You can use pfBlocker to generate aliases from list urls

      Hmm... how do I generate aliases from list URLs? In pfBlocker?!?
      I don't think I've ever done that.

      edit: You mean IPv4 Custom_Lists?

      stephenw10 Netgate Administrator

      Yes, if you have a hosted list of IPs or subnets you can add that URL as a custom list item. Like:

                    Screenshot from 2024-02-12 18-45-15.png

      SteveITS Galactic Empire @michmoor

                      @michmoor said in Limit web access for DMZ:

                      What do you have against WSUS?

      Whenever I saw it, a client we acquired had installed Small Business Server, which had it by default. Various issues off the top of my head: C: partition from OEM too small for the large database, no one had auto-approved updates (so no updates ever installed), auto-approving categories downloads all updates (ref C: partition), database often gets corrupted if not cleaned, various third-party scripts to clean out/repair the database, etc. In summary, most small businesses are way better served by just using Windows Update directly. Or letting us control updates for them as their MSP. :)

                      re: DNS, it's a bit error prone, but give the server its own pfSense router to talk to the Internet? No issue with asymmetric routing if there are no inbound connections...?

      michmoor LAYER 8 Rebel Alliance @stephenw10

                        @stephenw10
      Yep, that actually may work.
      Is there any support or way I can include wildcard domains like *.windowsupdate.com?

      stephenw10 Netgate Administrator

                          No, that url just points to a hosted list of IPs. pfBlocker pulls that list and creates a table alias from it. Then I can use that in rules.

                          There aren't any domains or fqdns there.

                          You'd need to use something in DNS-BL or in Unbound directly to filter a wildcard domain like that.

      michmoor LAYER 8 Rebel Alliance @stephenw10

                            @stephenw10

      Ahh ok, I was actually here in pfBlocker. I thought that's what you meant, but both solutions work.

                            378e4ef9-e639-4cfe-8668-bf83775b2b27-image.png

      For that wildcard blocking, then, @SteveITS's suggestion of Unbound views might be the ticket.

      michmoor LAYER 8 Rebel Alliance
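A worked Unbound views configuration for the wildcard allowlist the thread keeps coming back to (the L27 question and the "unbound views might be the ticket" post), added here as an example; it is not from the thread, from Netgate or from pfBlocker. The DMZ subnet 10.20.30.0/24 and the domain names are placeholders, and on pfSense the text would go in the DNS Resolver custom options box.

```conf
# Added example (not from the thread): restrict DNS resolution for DMZ
# clients to vendor domains, including all of their subdomains, using an
# Unbound view. Subnet and names below are placeholders; substitute the
# networks and the domains from the vendor's own allowlist documentation.
server:
    # Clients from the DMZ subnet are answered through the "dmz-allow" view;
    # every other client keeps the resolver's normal (global) behaviour.
    # The subnet must also be permitted by a normal access-control entry,
    # which pfSense already generates for its local interfaces.
    access-control-view: 10.20.30.0/24 dmz-allow

view:
    name: "dmz-allow"
    # Do not consult the global local-zones first; the view alone decides
    # what the DMZ may resolve.
    view-first: no
    # Catch-all: any name not covered by a more specific zone below gets
    # rcode REFUSED, so the DMZ host cannot resolve arbitrary sites.
    local-zone: "." refuse
    # A local-zone applies to the zone apex and every label beneath it, so a
    # single "transparent" entry is the equivalent of *.windowsupdate.com:
    # those queries fall through to normal recursive resolution.
    local-zone: "windowsupdate.com." transparent
    local-zone: "update.microsoft.com." transparent
    # Placeholder for the accounting vendor's wildcard entries.
    local-zone: "vendor.example." transparent
```

From a DMZ host, a lookup of an unlisted name should now return REFUSED while download.windowsupdate.com still resolves, which is the quickest way to confirm the view is actually being selected. Because this only controls what pfSense's resolver answers, the DMZ firewall rules still need to restrict outbound DNS to pfSense itself and permit outbound traffic only to the vendor/ASN aliases; otherwise a host can simply use another resolver or connect by IP.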

                              Just want to say I appreciate the replies. There is documentation from the vendor on URLs and IPs to whitelist so that’s a win. IPs and Ports
