Block all traffic except for certain websites.
-
Hello,
I am new to pfSense. I have quickly gone through certain steps, and I am now able to apply various rules for IPs and computers. I have two WAN connections that work in redundancy.
I researched this topic, but no one seems to provide a definitive answer. Some say things like, "Why block traffic?", "What's the benefit?", or "Why bother with this?" However, my goal is just to learn how to use pfSense. I am interested in knowing how to do this without getting into personal opinions.
My question is: how can I create a rule that blocks all traffic except for a few allowed domains and subdomains? For example, allow only access to Facebook and block everything else. Is there anyone who can guide me through this process? I want to learn how this works. I can also share images of my rules if needed.
Thank you in advance for your support.
-
Yes, you can block whatever you want.
But first, you have to know what 'traffic' is and how you can operate on it with a firewall, like pfSense, or any other firewall out there.
Known filter items are: source and destination IP, source and destination port, protocol used, and some lesser-known items.
To fully understand what a firewall can use to make decisions to "block or pass", you have to know what an Ethernet packet is. Example: you can use "IP addresses" only, as a firewall operates on the Ethernet packets. On that level, host names are an unknown concept.
A web browser uses its device IP to connect to a server IP.
@armagan153 said in Block all traffic except for certain websites.:
allow only access to Facebook
Allow or block only facebook (as an example)
This question is actually posed very often here on this forum.
I agree, a bit hard to find.
You have to use the search button - see the top of this page - enter 'facebook.com' and hit search.
You will find many pages that contain the word (url) 'facebook.com', and you have to read through them one by one. You are guaranteed to find rather quickly something or someone that asked the very same question as you.
Now, take one step back. I've a question for you to answer.
What would you do if you worked for facebook? What would you do so every potential customer can easily access the facebook (whatsapp) etc services everywhere on the planet? Wouldn't you do everything in your (xxxxx billion dollar) power to make this happen?
I'll repeat your question : you want to block someone like facebook, as an example.
The fastest solution would be: go work for them for a while as a network engineer, and you'll learn all about their network, and then you will know what to do.
You can't block facebook by putting facebook.com in a pfSense alias (the alias gets resolved into all IP addresses every 5 minutes), and use the alias (== all the resolved IP addresses) in a firewall rule.
You'll discover that these IP addresses change all the time!! Quite understandable, as Facebook takes servers down, for maintenance or whatever, and activates other ones constantly.
Google, Apple, X, Microsoft, etc etc are all doing the same thing.
I'm not trying to tell you that blocking 'whatever' isn't possible.
It is.
For example, Facebook owns (uses) its own AS (go wikipedia that one). With the help of pfBlockerNG you can select this AS, and it will download the list with IP networks that it contains, and voila, you'll see: you can't access any facebook services anymore.
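
An added illustration (not part of the reply above, and not pfSense or pfBlockerNG code) of why a rule built on a hostname alias refreshed every 5 minutes drifts from what clients actually resolve, while a prefix list like the one downloaded for an AS keeps matching. The prefixes are documentation ranges, and the rotating resolver, TTL and answer size are constructed assumptions.

```python
import ipaddress

# Constructed data: documentation ranges stand in for the prefixes an AS announces.
AS_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.0/24")]
POOL = [h for net in AS_PREFIXES for h in net.hosts()]  # every server address
ALIAS_REFRESH = 300    # seconds: the 5-minute alias re-resolve mentioned above
DNS_TTL = 60           # assumed record TTL (constructed)
ANSWERS_PER_QUERY = 4  # assumed number of A records per answer (constructed)


def resolve(t):
    """Hypothetical rotating DNS: each TTL window hands out a new slice of POOL."""
    start = (t // DNS_TTL) * ANSWERS_PER_QUERY % len(POOL)
    return {POOL[(start + i) % len(POOL)] for i in range(ANSWERS_PER_QUERY)}


def alias_at(t):
    """Alias table at time t: whatever the last 5-minute refresh resolved."""
    return resolve((t // ALIAS_REFRESH) * ALIAS_REFRESH)


def in_prefixes(ip):
    """Prefix-list rule: match if the address falls inside any announced network."""
    return any(ip in net for net in AS_PREFIXES)


def simulate(duration=3600, step=30):
    """A client resolves and connects every `step` seconds; count rule matches."""
    total = alias_hits = prefix_hits = 0
    for t in range(0, duration, step):
        dst = min(resolve(t))             # client uses the first address returned
        total += 1
        alias_hits += dst in alias_at(t)  # hostname-alias rule matched?
        prefix_hits += in_prefixes(dst)   # AS prefix rule matched?
    return total, alias_hits, prefix_hits


if __name__ == "__main__":
    total, alias_hits, prefix_hits = simulate()
    print(f"connections: {total}")
    print(f"matched by hostname alias: {alias_hits}")
    print(f"matched by AS prefix list: {prefix_hits}")
```

With these constructed numbers the alias rule matches only the connections made in the first minute after each refresh, so an allow rule built on it breaks the site and a block rule built on it leaks, while the prefix rule matches every connection.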