How to block specific webpage and not a all website
-
Hi,
I'm using pfBlockerNG as web filter, to block access to websites I use [ DNSBL > TLD Blacklist/Whitelist ] it works great but I was wondering, could it be possible to block a specific page or URL?
In other words I would like to be able to visit www.site.com but not www.site.com/this/
It doesn't have to be with pfBlockerNG per se, could be another pfSense service.
Thx
-
@KelvinU said in How to block specific webpage and not a all website:
www.site.com/this/
I hope your browser shows this :
and if so, never asked why the "www" and everything after the first / is grey ?
It's showing this behavior for every web site you visit, and because the whole planet is looking at it, it must be important. And it is.
Knowing why will answer your question right away.
The "site.com" part is the domain name.
This "this.com" part has to be resolved to an IP first, because your browser doesn't know what domains are. It can't do anything with it. Let's say Internet itself doesn't know what domains are. Internet is all about IP addresses.
So, when you ask your browser to load the page www.site.com/this/ it starts to look up the "site.com" part as it needs the IP.
This process is called DNS resolving.
Beware that "site.com" resolves to an IP, and www.site.com might resolve to another IP.
Anyway, the IP is known now, so your browser can now connect to it.
You've seen the padlock in front of the "www.site.com.this" ? This means the protocol https is used ( which implies it uses port 443, TCP etc but that isn't important right now ). What is important is, your browser connects to this server using TLS. And from now on, everything is encrypted using TLS.
This TLS stream can only be decoded on the server side. And here it comes (and I bet you already knew this) only the server can do this. Not the CIA, not your neighbor, not your router pfSense, not the ISP equipment, no one. No exceptions.
In this encrypted data stream, the browser will ask for a specific file on the server : "/this/".
The thing is, only your browser (and you) and the web server can see the request for this file.
@KelvinU said in How to block specific webpage and not a all website:
It doesn't have to be with pfBlockerNG per se, could be another pfSense service.
Now you know enough so you understand the question - and the answer. Here it is :
No one. Not pfSense. Nobody. Not on planet earth.
The TLS stream goes through your pfSense, and many other devices on the internet. It's protected.
But there is a solution, and it somewhat works. You have to set up and maintain a so-called proxy.
Very few are willing and able to do this, as it is hard, as it takes weeks, months, years to learn how to handle it.
See it like this : you just learned how to 'pilot' a 'bicycle' (pfSense). Great. Now you look up, and ask yourself : can I fly ? Ok, now you need to learn to pilot a plane. You get the scale of the complexity ?
-
@KelvinU said in How to block specific webpage and not a all website:
Hi,
I'm using pfBlockerNG as web filter, to block access to websites I use [ DNSBL > TLD Blacklist/Whitelist ] it works great but I was wondering, could it be possible to block a specific page or URL?
In other words I would like to be able to visit www.site.com but not www.site.com/this/
It doesn't have to be with pfBlockerNG per se, could be another pfSense service.
Thx
Theoretically yes, but not with pfBlockerNG or a basic pfSense install. To do that you would need an inline web proxy (like e.g. Squid, which exists as a pfSense package). BUT: That is no easy feat as everything has moved to HTTPS, and to intercept and filter that, you need to publish certificates to all your clients and force them to use your “Man In The Middle” proxy to gain web access. After succeeding in setting that up, you afterwards have to spend countless hours doing tweaking as lots of sites do not work as intended when using a MITM setup.
So what you are asking requires quite a lot of work.
-
@Gertjan sounds NL, right?
Thank you for your detailed explanation, though it came somewhat pretentious, right?! What makes you assume I'm a newbie? As we both know, we're discussing digital systems here, and I've learned that we should never say, "No one. Not pfSense. Nobody. Not on planet Earth." There's always a way around it, and that's precisely why I've asked here. As you mentioned, "a called proxy" could be a solution.
As you can read in my question I'm looking to do it, if possible, within pfSense but I'm sure AdGuard, PiHole or other systems could help with it, right?!
Thank you anyway for your precious time professor GertJan.
-
@KelvinU The firewall/server based solution is a Man In The Middle Proxy, so PiHole, Adguard (DNS filter) will not suffice as they do the same thing as pfBlockerNG.
If you have all the client Browsers under central management, you could also just block the URL from being used in the Browser.
On another note: I think Gertjan is french, and I’m QUITE positive he’s not being pretentious. While his explanations can be considered as such if you already know all this, this Forum really benefits from his knowledge and detailed explanations. Please remember lots of other users may read this thread before asking the same question, and his explanation helps less experienced users understand the problem without all the shop lingo.
-
Bedankt, the NL reference is because I'm NL myself and I know a ton of GertJan but never mind..
-
@KelvinU said in How to block specific webpage and not a all website:
sounds NL, right?
Born over there, exact.
Living in France for the last 3 decades.
@KelvinU said in How to block specific webpage and not a all website:
though it came somewhat pretentious, right?! What makes you assume I'm a newbie?
Lol, you first : what makes you presume that I assume you are a newbie ?
But I get your point ^^
It's true, I am and I was pushing a bit.
My point of view :
About the proxy solution : me talking about planes was just a very accessible way to make you understand what the (imho) real question is.
A lot of people fly planes. It's feasible. It just needs a lot of work.
It's just that you were asking about why "/this/" isn't accessible to pfSense and/or anything else other than your browser and the web server on the other side. So I kicked off my way of saying : go have a look.
I could have finished the question with one question back : do you know what https is ? (I sometimes do - as this is not a ).
And I'm hoping I woke up your curiosity, that you dive into it, and then come back here and tell us how you did it. Because I'm still waiting as I never had the patience and/or time to use a proxy set up myself. Also, I don't have the age neither the young kids at home that motivates me being able to see my own traffic, let alone traffic of other people. That makes me feel very uncomfortable.
@KelvinU said in How to block specific webpage and not a all website:
and I've learned that we should never say, "No one. Not pfSense. Nobody. Not on planet Earth."
and I fully agree with you.
And we also enter into the "computer politics" now. So no more black and white, all becomes suddenly 'gray'. And it always was.
If TLS (real time) decoding was possible, while the private key is unknown, this would mean "someone" could listen into your TLS connections at any time.
I get it, it's the role of every big (governmental ?!) organization to let us know, the big public, that it's a scandal according to them, that they can't do their job right (protecting all of us, the big public), that they can't access your phone's traffic, can't see what you are saying (writing) to someone else, as national security is at stake here. So they say, your traffic is hidden and that's a problem for them - and this for us.
edit : still looking for the country where the usage of TLS or comparable is forbidden by law ^^
And at the same time, somewhere hidden, down deep, in zone 51, they have this quantum computer that can tap into everything already using, probably, a back door key ? Maybe. And they won't say to anyone of course that they actually can I get that (except for tiktok of course). Let's give the public the impression they are safe, so they will "speak" freely, not knowing that someone listens in after all. If that capability was known, then Internet as a communication method would fall .... world economy would fall.
But real time brute-forcing their way in ? Well ... do the math yourself ^^
Keep in mind : most of what I said above is "afaik" and "imho".
@KelvinU said in How to block specific webpage and not a all website:
I know a ton of GertJan
Oula ... why even bother posting here - come and see me !?
As I've questions also, and not only pfSense.