pfblockerng pornhub block results
-
I'm setting up a firewall (Netgate 2100) for a church, so I decided to configure pfblockerng to block porn. I went to DNSBL/DNSBL Groups and added a list there, referencing the StevenBlack porn list, see attached. Everything is working, e.g. pornhub.com is blocked, but....
Going to the website gives a vague error from the browser about the cert, and the cert is a self-signed cert coming from pfblockerng/pfsense. DNS resolves pornhub.com to 10.10.10.1, i.e. the DNSBL virtual IP.
What I would like is an actual webpage saying "site blocked by administrator", something like the file /usr/local/www/pfblockerng/www/dnsbl_active.php or a webpage "stop watching porn you perv!". How to do this?!
-
@beerguzzle to get the clients to accept a cert for www.pornhub.com you’d need to install a trusted CA cert on each device and then create a cert for that name. IOW it’s not really feasible. An alt option would be to not show a block page and let it fail to connect.
Also, you’ll probably want to block DoH/DoT on the DNSBL SafeSearch page, and connections to public DNS.
-
@beerguzzle said in pfblockerng pornhub block results:
What I would like is an actual webpage saying "site blocked by administrator", something like the file /usr/local/www/pfblockerng/www/dnsbl_active.php or a webpage "stop watching porn you perv!". How to do this?!
As @SteveITS already mentioned : in short, you can't.
When a browser wants to visit https://www.abc.com and it gets an answer back from a site that says, with its certificate (remember: https = TLS): I am (https://)www.123.com, then the browser starts to show the message you've just shown.
If you go to a site called https://www.your-bank.com, what would happen if your browser showed you this site: https://www.not-your-bank.com (and you were not paying attention to the URL, entered your credentials ... and now some unknown guy has your login)?
So, we agree, you don't want to break TLS (https), and you don't want others to be able to do the same thing. Turn the phrase around : if you can do it, they can do it.
If "they" can do it, then your issue is solved, as the entire Internet will fall in the hour or so. The "dnsbl_active.php" page is nice, but only works well when web servers were using "http", not https. These were the good old days and are over now.
This page shows the visitor: "now the admin of the network you connected to also knows what site you tried to visit". Don't bother anymore. Just DNSBL it, and use these settings:
Consider the pfBlockerng web 'blocked page' page showing the user a blocked page as a gadget that worked well in the past, but that's over now.
You'll still know who did what, as the DNSBL reports logs are there.
-
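An added example (not the thread's or pfBlockerNG's own code) of the two checks the answer above rests on: whether a name resolves to the DNSBL VIP, and whether the sinkhole certificate's SANs can ever cover the requested hostname. The VIP is the thread's 10.10.10.1; the SAN names, the outcome strings and the test hostname are constructed.

```python
"""Why a DNSBL sinkhole can block a site but cannot serve an HTTPS block page."""
import socket
import ssl

DNSBL_VIP = "10.10.10.1"          # DNSBL virtual IP from the thread
BLOCKED_HOST = "www.pornhub.com"  # name used in the thread; constructed test input
# Constructed: what a pfSense-issued sinkhole cert might carry as DNS SANs
SINKHOLE_SANS = ["pfsense.home.arpa", "*.home.arpa"]


def is_sinkholed(resolved_ip: str, vip: str = DNSBL_VIP) -> bool:
    """DNSBL enforcement is working when the resolver hands back the sinkhole VIP."""
    return resolved_ip == vip


def san_matches(pattern: str, hostname: str) -> bool:
    """Browser-style DNS-ID match: exact name, or one wildcard in the left-most label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        # '*.example.com' covers 'www.example.com' but not 'a.b.example.com' or 'example.com'
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers_hostname(sans: list[str], hostname: str) -> bool:
    return any(san_matches(san, hostname) for san in sans)


def block_page_outcome(sans: list[str], hostname: str, issuer_trusted: bool) -> str:
    """What the browser does with the sinkhole's certificate for this hostname."""
    if not issuer_trusted:
        return "warning: untrusted issuer"           # self-signed pfSense cert
    if not cert_covers_hostname(sans, hostname):
        return "warning: name mismatch"              # cert is not for the blocked site
    return "block page renders"  # needs a trusted CA on every client plus a cert per blocked name


if __name__ == "__main__":
    ip = socket.gethostbyname(BLOCKED_HOST)
    print(f"{BLOCKED_HOST} -> {ip}; sinkholed={is_sinkholed(ip)}")
    try:
        with socket.create_connection((ip, 443), timeout=5) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=BLOCKED_HOST) as tls:
            print("certificate accepted; subject:", tls.getpeercert().get("subject"))
    except ssl.SSLCertVerificationError as e:
        print("certificate rejected, as the browser does:", e.verify_message)
    except OSError as e:
        print("no TLS service answered:", e)
```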
Ok, thanks for a well written explanation. I don't expect to get complaints about "your network is wonky" on this topic.