Netgate Discussion Forum

    The game needs a blocklist.

    pfBlockerNG
    • FrostElara

      How can we block employees from playing games like Zula, PUBG, and Valorant during work hours, and do these games offer any built-in block or restriction features?

      • JonathanLee

        DoH causes lots of issues. Squid is still usable and you can lock down by HTTPS GET requests and forget about the DNS stuff. It's a step before DNS resolves. Also it has times for ACLs to be set, so working hours could block the requests etc. That package still works; it has some small bugs in the new pfSense version, and I think they are working on it. I know it's not a security issue anymore, as it was fully updated upstream to fix all the concerns; again, the package needs to be fine-tuned to address the changes.

        Make sure to upvote

        • michmoor @FrostElara

          @FrostElara Endpoint content filtering. There are many tools out there (Zorus, Umbrella, DNSfilter).
          pfSense cannot do any content filtering, and Squid is not at all recommended for this solution.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          • JonathanLee

            Squid could do it; all he would need is the HTTP GET request and have a block for that URL request. Done. Again, I agree Squid's not some plug-and-play package; you have to be a level 100 wizard to use it.

            What about Snort? It can do AppID detection, but you need to create a detect file for it. I use Snort to do blocks by content.

            If you can run inline mode this might work…

            Check this out, but the database would need the game in it:
            https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes

            • smolka_J @FrostElara

              @FrostElara As long as you're enforcing pfSense as your local DNS with NAT and have DoH/DoT/DoQ blocked/rejected on the LAN side, you can use OpenDNS/Cisco Umbrella for your upstream DNS/TLS; they have a game filter category and many other related time-waster categories that can help improve productivity. UT1 has a game category also in the built-in DNSBL Category lists, but it's a little bit more region-based, to a degree tailored around where it's being maintained; Cisco/OpenDNS usually covers a wider spectrum, being developed more so worldwide.

              • michmoor @JonathanLee

                @JonathanLee
                Ultimately what the OP and many others are asking for is content filtering categorization.
                Folks want to click a box that says 'games' and all game sites and services are blocked.
                In 2024, Squid can't do this. UT1 is not to be used in any commercial sense, so that leaves paid options, which are typically very good at filtering because that's what you are paying for.
                I would take Cisco Umbrella Free over a Squid implementation. That takes out the certificate management and broken websites and uses purely domain-based control, which is optimal.

                • JonathanLee @michmoor

                  @michmoor A lot of people do not want to put that amount of effort into creating customized lists like I have; it takes a while. But it does work. Again, you're right, they want that plug-and-play radio button option.

                  • smolka_J @michmoor

                    @michmoor Granted, UT1 Blacklist is not to be sold as a commercial product itself to gain a profit from; under its "Creative Commons Contract" it is allowed to be shared and used for any purpose, even for commercial applications and use scenarios. The one restriction users of UT1 will notice, just like the restrictions Shallalist imposed for "free" users, is the update frequency allowed: if you set it to daily updates, like most companies usually will desire and configure for all feeds/updates, your IP will get blacklisted temporarily to prevent abusers from updating too often. Shallalist used to state that any IP found to be updating any more often than once per month would automatically get flagged to be blacklisted temporarily until the next allowed cycle. I shoot for more of a trifecta effect for "parental restrictions" using all three collaborations of category filters: OpenDNS/Cisco-Umbrella for upstream DNS, UT1's blacklist for what it offers to add, and the last known Shallalist.tar.gz I saved from WayBackMachine web archives, uploaded to pfSense as a static file after I modified it to about 85Mb, adding to existing categories and adding additional categories for private use.
                    Shallalist is the one that is limited as far as "commercial" use is concerned, as the maintainer can no longer be contacted presently for reseller licenses and fees, or to be able to register for company/government/school use by requesting their "usage contract" to sign.

                    • smolka_J @FrostElara

                      @FrostElara In addition to the category filters available, it may help adding a few lines of Regex for domain name filtering of specific keywords like:

                      ((^)|(.))game.
                      ((^)|(.))casino.
                      ((^)|(.))play.
                      ((^)|(.))pubg.
                      ((^)|(.))steam.
                      ((^)|(.))youtu.
                      ((^)|(.))ytimg.
                      ((^)|(.))ytstatic.
                      ((^)|(.))googlevideo.
                      ((^)|(.))proxy.
                      ((^)|(.))vpn.
                      ((^)|(.))doh.

                      Also, since most employees who already like to waste company time/break company rules will try to continue to do so by attempting to bypass your company firewall, it may be worth also enabling all category and feed lists for proxies, VPNs, DoH, URL shorteners, and redirectors to seal off all commonly known back doors that rule-breakers will attempt, and maybe OISD's NSFW list too for other time-wasters. Hagezi has good lists too for DoH and proxies.

                      • JonathanLee @smolka_J
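An added example, not from the post above or from pfBlockerNG, showing how keyword patterns of the posted form behave when run over DNS query names. The sample query names are constructed, and the tightened patterns (dot escaped, keyword anchored to a label boundary) are my assumption of what the poster intended, not the poster's own list; the comparison shows which names each form catches.

```python
import re

# A subset of the patterns as posted: "." is unescaped, so it matches ANY character.
RAW_PATTERNS = [
    r"((^)|(.))game.", r"((^)|(.))play.", r"((^)|(.))pubg.",
    r"((^)|(.))vpn.", r"((^)|(.))doh.",
]

# Assumed tightened form: keyword must be a whole DNS label (start or literal dot
# before it, literal dot after it). Not from the page.
TIGHT_PATTERNS = [
    r"(^|\.)game\.", r"(^|\.)play\.", r"(^|\.)pubg\.",
    r"(^|\.)vpn\.", r"(^|\.)doh\.",
]

# Constructed query names mixing intended hits, near-misses and legitimate names.
SAMPLE_QUERIES = [
    "pubg.example",          # intended hit
    "game.example",          # intended hit
    "display.example",       # "play" inside a label: raw pattern still matches
    "egamer.example",        # "game" inside a label: raw pattern still matches
    "vpn.corp.example",      # a company's own VPN host: both forms block it
    "doh.resolver.example",  # DoH endpoint name
    "mail.example",          # unrelated
]


def classify(queries, patterns):
    """Map each query name to the list of patterns that match it (case-insensitive)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return {q: [c.pattern for c in compiled if c.search(q)] for q in queries}


def blocked(queries, patterns):
    """Sorted list of query names that at least one pattern would block."""
    return sorted(q for q, hits in classify(queries, patterns).items() if hits)


if __name__ == "__main__":
    # Compare the two forms so over-blocking from the unescaped dot is visible.
    print("raw  :", blocked(SAMPLE_QUERIES, RAW_PATTERNS))
    print("tight:", blocked(SAMPLE_QUERIES, TIGHT_PATTERNS))
```

Before deploying such a list, run it over a day of resolver logs the same way to see which legitimate names (the corporate VPN host above) it would also block.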

                        @smolka_J I did the same thing a while back, saved the Shallalist. I really think they had great blacklists.

                        • enesas @FrostElara

                          @FrostElara Activate the TLD in pfBlockerNG and add it to the blocklist. I solved it by adding the address pubgmobile.com. Of course, it works by blocking external DNS.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.