Netgate Discussion Forum
    Block all traffic except for certain websites.

    Firewalling
    2 Posts 2 Posters 370 Views
    • armagan153

      Hello,

      I am new to pfSense. I have quickly gone through certain steps, and I am now able to apply various rules for IPs and computers. I have two WAN connections that work in redundancy.

      I researched this topic, but no one seems to provide a definitive answer. Some say things like, "Why block traffic?", "What's the benefit?", or "Why bother with this?" However, my goal is just to learn how to use pfSense. I am interested in knowing how to do this without getting into personal opinions.

      My question is: how can I create a rule that blocks all traffic except for a few allowed domains and subdomains? For example, allow only access to Facebook and block everything else. Is there anyone who can guide me through this process? I want to learn how this works. I can also share images of my rules if needed.

      Thank you in advance for your support.

      • Gertjan @armagan153

        @armagan153

        Yes, you can block whatever you want.
        But first, you have to know what 'traffic' is and how you can operate on it with a firewall, like pfSense, or any other firewall out there.
        Known filter items are: source and destination IP, source and destination port, protocol used, and some less known items.
        To fully understand what a firewall can use to make decisions to "block or pass", you have to know what an Ethernet packet is. Example: you can use "IP addresses" only, as a firewall operates on the Ethernet packets. On that level, host names are an unknown concept.
        A web browser uses its device IP to connect to a server IP.

        @armagan153 said in Block all traffic except for certain websites.:

        allow only access to Facebook

        Allow or block only Facebook (as an example)

        This question is actually posed very often here on this forum.
        I agree, a bit hard to find.
        You have to use the search button - see the top of this page - enter 'facebook.com' and hit search.
        You will find many pages that contain the word (url) 'facebook.com', and you have to read through them one by one. Guaranteed you'll find rather quickly something or someone who asked the very same question as you.

        Now, take one step back. I've a question for you to answer.
        What would you do if you worked for Facebook? What would you do so every potential customer can easily access the Facebook (WhatsApp) etc. services everywhere on the planet? Wouldn't you do everything in your (xxxxx billion dollar) power to make this happen?
        I'll repeat your question: you want to block someone like Facebook, as an example.
        The fastest solution would be: go work for them for a while as a network engineer, and you'll learn all about their network, and then you will know what to do.

        You can't block Facebook by putting facebook.com in a pfSense Alias (the alias gets resolved into all IP addresses every 5 minutes), and using the alias (== all the resolved IP addresses) in a firewall rule.
        You'll discover that these IP addresses change all the time!! Quite understandable, as Facebook takes servers down, for maintenance or whatever, and activates other ones constantly.
        Google, Apple, X, Microsoft, etc etc are all doing the same thing.

        I'm not trying to tell you that blocking 'whatever' isn't possible.
        It is.
        For example, Facebook owns (uses) its own AS (go Wikipedia that one). With the help of pfBlockerNG you can select this AS, and it will download the list with IP networks that it contains, and voila, you'll see: you can't access any Facebook services anymore.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

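The point made in the reply above (a DNS-resolved alias only knows the addresses seen at its last refresh, while an AS prefix list covers the whole network) as an added Python example that is not from the thread, from pfSense or from pfBlockerNG. The addresses are constructed RFC 5737 documentation ranges, and the alias contents and prefix list are assumptions, not real Facebook data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation ranges, not real Facebook addresses).
# What a pfSense FQDN alias would hold after two successive resolver refreshes:
ALIAS_REFRESH_1 = {"192.0.2.10", "192.0.2.11"}
ALIAS_REFRESH_2 = {"192.0.2.10", "198.51.100.7"}   # one server was swapped out
# Assumed prefix list, standing in for what pfBlockerNG downloads for an AS:
AS_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def alias_allows(alias_ips, dst):
    """'Pass to alias, block everything else', decided on the destination IP only."""
    return dst in alias_ips


def asn_allows(prefixes, dst):
    """Same rule, but with the AS prefix list as the destination."""
    addr = ip_address(dst)
    return any(addr in net for net in prefixes)


def decisions(dst_ips, alias_ips, prefixes):
    """Return {dst: (alias_rule_decision, asn_rule_decision)} for a batch of connections."""
    return {
        dst: ("pass" if alias_allows(alias_ips, dst) else "block",
              "pass" if asn_allows(prefixes, dst) else "block")
        for dst in dst_ips
    }


if __name__ == "__main__":
    # Connections made between refresh 1 and 2: the client already got the new
    # server IP from DNS, but the alias still holds the previous answer set.
    conns = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]
    for dst, (via_alias, via_asn) in decisions(conns, ALIAS_REFRESH_1, AS_PREFIXES).items():
        print(f"{dst:15} alias rule: {via_alias:5}  AS-prefix rule: {via_asn}")
```

The second destination is the case the reply describes: the alias-based "allow only Facebook" rule blocks it until the next 5-minute refresh, while the AS prefix rule still passes it, and an unrelated destination is blocked by both.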
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.