Youtube Blocking in pfblocker via IP
-
The file used, 'pfB_Blocked_YT_v4', can be found (afaik) here /var/db/aliastables/
Does that file include your WAN IP ? Not a real solution, more a workaround : what about a pass rule you create and place just above this pfB block rule so that it your WAN IP ?
Btw : Youtube uses 2000+ IPv4's. So, this week, the set you've listed is active, it will change (all the time) in a couple of days/weeks/months. Blocking the big players (Microsoft, facebook, apple, google, etc) is close to mission impossible as they have hired all the greatest network administrators to make your life harder. Worse, block those sites and your network guests will just leave your network (and start dealing with SIM cards ^^).
What will work is blocking all IPs that alphabet owns = block their ASN and then nothing will work anymore. Including www.google.com etc.
-
@antgalla We tried blocking YouTube for my son via ASN but could not get it to consistently block. We ended up using a View in unbound. To block for everyone you could set a domain override to nowhere. Remember to block DoH/DoT to force devices to use pfSense for DNS.
-
@Gertjan
The file used, 'pfB_Blocked_YT_v4', can be found (afaik) here /var/db/aliastables/ - it's working after I edit the file via vi!
But when I reload the pfblockerNG/IP the problem returns
-
@SteveITS
I need to block website with specific device only. I can't use domain overrides because it's blocking all devices.
-
@antgalla I have excellent news for you. :) In DNS Resolver settings try:
-
@SteveITS
Niceee, I will try it later! Can I put alias instead of IP?
-
@antgalla said in Youtube Blocking in pfblocker via IP:
@SteveITS
Niceee, I will try it later! Can I put alias instead of IP?
It's raw unbound config so I doubt it knows about pfSense aliases.
-
@antgalla said in Youtube Blocking in pfblocker via IP:
Can I put alias instead of IP?
Alias ?
Recall : aliases can't be used by a firewall rule, they have to be resolved first. Aliases are by default re-resolved every 5 minutes.
You still have to put in the host overrides in the DNS config, what @SteveITS showed is a good method, so it points to a non usable IP like 127.0.0.2.
If you don't put the host overrides in place, you'll get back the 'real' IPs - the ones that can change every 300 seconds.
300 seconds ? yes : check for yourself : that list changes all the time !
More details :
[25.03-BETA][root@pfSense.bhf.tld]/root: dig www.youtube.com
.....
;; QUESTION SECTION:
;www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 237 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 237 IN A 172.217.20.206
youtube-ui.l.google.com. 237 IN A 216.58.215.46
youtube-ui.l.google.com. 237 IN A 216.58.213.78
youtube-ui.l.google.com. 237 IN A 142.250.179.78
youtube-ui.l.google.com. 237 IN A 142.250.179.110
youtube-ui.l.google.com. 237 IN A 142.250.178.142
youtube-ui.l.google.com. 237 IN A 142.250.201.174
youtube-ui.l.google.com. 237 IN A 172.217.18.206
youtube-ui.l.google.com. 237 IN A 216.58.214.78
youtube-ui.l.google.com. 237 IN A 142.250.74.238
youtube-ui.l.google.com. 237 IN A 142.250.75.238
youtube-ui.l.google.com. 237 IN A 216.58.214.174
youtube-ui.l.google.com. 237 IN A 172.217.20.174
....
so 237 seconds left before the list changes ...
So chances exist that the firewall, your rule, blocks IPs that aren't used anymore, and new ones will pop up, the ones you don't block (yet) .... to be taken into account 300 seconds later, (and around we go) .... etc ...
Anyway, try things out for yourself.
-
@SteveITS
Appreciate your response on this matter.
But the main problem here is still included our ISP when I'm blocking the youtube or netflix via Pfblocker IP. I do your suggestion to edit the /var/db/aliastables/Netflix or YT comment out the ISP, it works but when I reload the pfblockerNg IP the problem returns.
-
@antgalla said in Youtube Blocking in pfblocker via IP:
But the main problem here is still included our ISP when I'm blocking the youtube or netflix via Pfblocker IP.
I do your suggestion to edit the /var/db/aliastables/Netflix or YT comment out the ISP, it works but when I reload the pfblockerNg IP the problem returns.
pfBlockerng creates these files with the info you (?)'ve entered in the pfBlockerng GUI.
Can you show with image how you've set up these 'YT' and 'Netflix' IP lists so I can reproduce this ?
-
@antgalla said in Youtube Blocking in pfblocker via IP:
But the main problem here is still included our ISP when I'm blocking the youtube or netflix
You can easily white list particular IP addresses such as a range within that used by your ISP. Create an alias containing the white list and add a rule to allow these addresses which is evaluated prior to the pfblocker rule.
If your ISP sources netflix/youtube data you will need to ensure the white list does not include the addresses your ISP uses for that.
@Gertjan said in Youtube Blocking in pfblocker via IP:
the 'real' IPs - the ones that can change every 300 seconds.
I agree data scraping by the very big USA companies is annoying.
For devices using pfsense DNS, adding host over-rides / DNS blocking is an excellent idea.
Where that does not achieve the desired results IP blocking could still be used, however doing so requires an IP alias which supports persistence (old IP addresses kept in the alias for a configurable time). Doing so exploits the fact google/facebook/amazon can change where new lookups will go, but they have to keep all old addresses active till all normal user applications stop using them (otherwise their application randomly stops working for normal users). By far the majority of relevant transmissions would then be caught as pfsense could then be configured to update the alias more often than most user devices' DNS updates.
Unfortunately pfsense has not yet added this alias option. Doing so would require maintaining an IP list with last DNS lookup time, then deleting only those past the expiry time.
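-
Added example, not part of the thread and not pfSense or pfBlockerNG code: a sketch of the persistent alias described in the last post, which records the last lookup time per address and deletes only entries past the expiry time. The class and function names, the 600-second hold and the sample lookups (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


def _sort_key(ip):
    # Sort numerically, IPv4 before IPv6, so the table output is stable.
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))


@dataclass
class PersistentAlias:
    hold: int  # seconds an address is kept after it last appeared in a DNS answer
    last_seen: dict = field(default_factory=dict)  # ip -> time of last lookup returning it

    def update(self, answers, now):
        """Merge one DNS answer set taken at `now`; return the addresses that expired."""
        for ip in answers:
            # ip_address() raises ValueError on malformed input instead of storing it.
            self.last_seen[str(ipaddress.ip_address(ip))] = now
        expired = [ip for ip, seen in self.last_seen.items() if now - seen > self.hold]
        for ip in expired:
            del self.last_seen[ip]
        return sorted(expired, key=_sort_key)

    def table(self):
        """Addresses that should currently be in the firewall table."""
        return sorted(self.last_seen, key=_sort_key)


# Constructed sample: (lookup time in seconds, A records returned at that time).
LOOKUPS = [
    (0,   ["192.0.2.10", "192.0.2.11"]),
    (300, ["192.0.2.11", "198.51.100.20"]),
    (600, ["198.51.100.20", "198.51.100.21"]),
    (900, ["198.51.100.21"]),
]


def replay(lookups, hold):
    """Feed the lookups through a fresh alias; return (time, table, expired) per step."""
    alias = PersistentAlias(hold=hold)
    history = []
    for now, answers in lookups:
        expired = alias.update(answers, now)
        history.append((now, alias.table(), expired))
    return history


if __name__ == "__main__":
    for now, table, expired in replay(LOOKUPS, hold=600):
        print(f"t={now:>4}s table={table} expired={expired}")
```

With `hold=0` the table behaves like an ordinary alias and drops 192.0.2.10 at the t=300 lookup, while with `hold=600` that address stays in the table until the t=900 lookup.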