Block All WEB SITES Except https://web.whatsapp.com

am.steen · Feb 20, 2025, 9:15 AM

I am new to pfsense So my question may be simple.
I installed pfSense Community Edition on server and it works good
But my boss asked me to change settings to block All WEB SITES Except https://web.whatsapp.com.
I googled and find these videos:
https://www.youtube.com/watch?v=yScnDnrNkhM
https://www.youtube.com/watch?v=_4zlUUase4s
I try both but they block all traffic including web.whatsapp.com

login-to-view
login-to-view

Please help

Gertjan · Feb 20, 2025, 9:15 AM

@am-steen
Look at what Aliases tells you.

The very first Note is very important (should be marked with orange even red).

login-to-view

And guess what, whatsapp.com is ..... yo knew it, facebook.
facebook has zillions of IP addresses. Not just 'one'. And they change constantly.
So you can get an IP from the host name, and use that.
Even if the alias's host name to IP function would return every IP (CNAME, whatever) it would be already invalid moments later.
Why , Let's say : if you worked for facebook, wouldn't you be looking for a way so no one can block you, or even determine what access is needed to contact them ? You would do everything so your clients (who bring in the trillions of revenue) can reach your sites / services.

Even blocking everybody (the whole Internet) but passing the ASN (they have own) will do what you want, but other facebook services like their web site, Messenger etc will also be available.

Blocking, or passing the big players is .... hard.

I guess there are lists available out there that list every facebook IP/network. Their usage is shuffled around constantly.

@am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

But my boss asked me to change settings to block All WEB SITES Except https://web.whatsapp.com.

He's was probably joking ... see with what you come up, with.
If he wasn't : really ? What is the goal ? Why ?
When your network users are limited like that, they will do what I and surely do : they stop using it right away.

JonathanLee · Feb 20, 2025, 2:14 PM

Squid could do it with the get requests doesn’t need to look at IP addresses it doesn’t care

mcury · Feb 21, 2025, 2:28 PM

@JonathanLee said in Block All WEB SITES Except https://web.whatsapp.com:

Squid could do it with the get requests doesn’t need to look at IP addresses it doesn’t care

What about the redirections ?

You would need to know all of them, and keep updating them because they keep changing all the time.

I would need to do some testing, but there is a possibility as follows:

Create an alias using pfBlockerNG with the following AS:
AS32934, AS132676, AS32934

Create a firewall rule that allows 80/443/5222 TCP to the alias created above.
Create a second rule blocking everything else from this host to the Internet (assuming DNS to pfSense is already permitted).

Use Unbound to redirect everything else in this AS, such as facebook.com and Instagram.com to 0.0.0.0, remember to use access-control-view.

Example to block these sites for 192.168.1.69 IP address.

server:
access-control-view: 192.168.1.69/32 blocksites

view:
name: "blocksites"
local-zone: "facebook.com" static
local-zone: "instagram.com" static

Then test it.. It will probably work, but external redirections could still be a problem.
As I said it, it needs testing.

stephenw10 · Feb 20, 2025, 3:28 PM

Yes I would try to do this using AS numbers. It's most likely to actually work IMO.

am.steen · Feb 20, 2025, 3:30 PM

@Gertjan
First of all thanks for your response

In fact this sever lies at area that lake of internet connection so we use limited expensive bandwidth 4G connection for tis site, we have to limit usage for WhatsApp messages only.

as I say new to pfsense, my problem is different you say it is difficult to block web.whatsapp.com while I block all traffic and need to allow web.whatsapp.com
only, not to block it.

note: I do not know how to open logs

Any suggestions ??

mcury · Feb 21, 2025, 2:47 PM

@am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

Any suggestions ??

Info:

Text Message (Regardless of the length) 10 KB (Per Text)
++++++++++++++
I downloaded a 16 seconds audio message and checked it size:
16 seconds audio message:
size: 36,4 KB (37.297 bytes)
size in disk: 40,0 KB (40.960 bytes)
++++++++++++++
Whatsapp voice call data usage (based on my research):
a one-minute voice call will use around 400KB to 1MB, so lets considere 1MB (worst case).
++++++++++++++

Based on the info above, your major problem would be vídeo calls and file transfers.

According to the Whatsapp FAQ: https://faq.whatsapp.com/846009687015768/?helpref=platform_switcher&cms_platform=windows-desktop&cms_id=846009687015768&draft=false
Voice calls will use UDP and TCP ports 3478, 3480, and 3484, which we didn't open, so that should already be blocked.

Next step would be to test, what is working and what isn't, with the suggested configuration, test everything.

Gertjan · Feb 21, 2025, 2:51 PM

@am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

note: I do not know how to open logs

Goto Status > System Logs

pfBlocker, a nice short cut is hiding in plain site :

login-to-view

Or Firewall > pfBlockerNG > Log Browser and pick your file in de second pull down box.

For the no-mouse solution : console or SSH, menu option 8 and then

cd /var/log