How to block the websites

mahesh2k

Hi friends,

i have installed the pfsense from vm vertual box successfully. then i have logged in to the pfsense with user name and password. but problem is i am trying to block the youtube and other website from firewall rules. for that i have created the aliases and rules in a firewall. then i am trying to access of it, it got accessed. so please help me how block the websites through firewall rules..

thanks
mahesh

wallabybob

A reset of firewall states is often required after making major changes to firewall rules: see Diagnostics -> States and click on Reset States tab.

Some web sites have multiple IP addresses. Have you catered for that possibility? If so, how?

mahesh2k

hi friend,

i was created aliases in firewall then add the rule for youtube blocking. after that i am trying to open youtube it got accessed. so please help me how to block it. and if possible please send us snap shorts  for the websites blocking.

thanks

mahesh

wallabybob

@mahesh2k:

i was created aliases in firewall then add the rule for youtube blocking. after that i am trying to open youtube it got accessed. so please help me how to block it. and if possible please send us snap shorts  for the websites blocking.

Since you haven't answered my question about multiple IP addresses I assume you haven't catered for that possibility. On your pfSense system give the shell command```
nslookup www.youtube.com

mahesh2k

hi friend,

as you told that i have used the command of nslookup on shell. and i have taken all IPs for youtube related and i have added in aliases list. then in rules i have blocked it. as you mentioned that in a states i have reset it. but still i am able to access the youtube.

please help me in a further…..

thanks
mahesh

wallabybob

@mahesh2k:

please help me in a further…..

Please post a reply with attached screenshots showing the alias definition and the firewall rules on the relevant interface.

mahesh2k

hi friend,

thanks for your replay,

as you told that i have done in shell by using the command of nslookup.  please find the aliases snapshot and firewall rules snapshot. if i have made any mistakes please let me know.

mahesh2k

hi friend,

thanks for your replay,

please find the firewall rules snapshot. if i have made any mistakes please let me know.


wallabybob

@mahesh2k:

please find the firewall rules snapshot.

You have posted details of one rule. Good try but not quite what I wanted: Firewall -> Rules, click on LAN tab. Firewall rule processing stops on the first match, hence order is significant. What you posted doesn't show the rule order.

mahesh2k

Hi friend,

as you said that i have sent you firewall rule order and even i have assigned the rule on a top list of LAN..
anyway please check once again and please let me know what have mistaken i have done.

please help me..

thanks
mahesh


wallabybob

Your rules look fine.

However I wonder if your alias includes all the appropriate youtube addresses. On my box a lookup of www.youtube.com returns 74.125.237.x where x is in [0..9, 14] none of which I recall seeing in your alias. There are some services that return different addresses depending on the perceived location of the requester.

Perhaps your client is using a a different name server to lookup www.youtube.com than you used. For example if I lookup www.youtube.com on my ISP's or Google's DNS I get the IP addresses listed above but if I lookup www.youtube.com on OpenDNS I get a completely different set of addresses: 74.125.237.x where x is in [96..105, 110]

mahesh2k

Hi friend,

now what i have to do. please help me. but in my system i am able to get the list of 74.125.236.X to 110 only. please help me to block youtube.

thanks
mahesh

wallabybob

@mahesh2k:

now what i have to do. please help me. but in my system i am able to get the list of 74.125.236.X to 110 only. please help me to block youtube.

In principle what you need to do is:
1. Find all the IP addresses that youtube.com maps to on the accessing system.
2. Put those IP addresses in an alias on the firewall.
3. block appropriate access to the alias in firewall rule on the interface in which the access enters pfSense.
4. reset firewall states.

If you have done all this and it "doesn't work" then you will need to provide more details. The details are important. For example, perhaps you haven't correctly setup your virtual machine environment so that access to youtube.com goes through the pfSense VM. Perhaps when you say you can access youtube.com you mean you get a ping response from youtube.com but you should expect that because your firewall rule blocks TCP access and ping doesn't use TCP.

tim.mcmanus

Here are a couple of alternative ways to do this.  I find it somewhat challenging to maintain a block list as it can quickly become a full time game of cat and mouse.

1 - Set up your own internal DNS server and have all of your clients use that for DNS.  Make an entry for *.youtube.com and have it direct to an internal static web page that says something like, "This web site is blocked by the network policy.  Please contact your network administrator for details."  This works very well.  You would also want to block outdoing DNS queries from your LAN but allow them from your DNS server.  This is pretty easy to set up and maintain.

2 - You could use an external service like OpenDNS to do the same thing.  They are a free service and you can configure pfSense to use them.  Their UI for blocking sites is pretty nice, and they do the work of keeping on top of which sites to block.  You would want to make a firewall rule on your LAN that would force all DNS queries to go to their DNS servers and block any queries that go to other external DNS servers.  This too is pretty easy to set up and is very low maintenance.

Blocking a very large and popular service that uses a combination of DNS and perimeter load balancing can be challenging, and YouTube is no exception.

mahesh2k

hi friend,

i have tried in all way to block the websites. but it is not,  i have a small doubt, with out licence of this pfsense is it working or not? if yes, where i did the the mistaken please help me. even i have installed the packages like squid, light squid and squid grand. after that i have setup the  proxy server settings also. but no use…. please help me.. if possible send me any snapshots.

thanks & regards
mahesh

stephenw10

@mahesh2k:

i have a small doubt, with out licence of this pfsense is it working or not?

Yes it is. pfSense is free and open source there are no licence requirements for it's use.

You simply need to find out what IP(s) your clients are using to connect to youtube and block them.
Run a packet capture on LAN and filter for your clients IP. Open youtube on the client. Check the capture logs.
Unfortunately when you open a web page like youtube.com you will open connections to many places so you might have to experiment to find which is actually youtube.

Steve

Nazilus

Firewall Rule:

Protocal> any
Source> Lan subnet

should work in a minute

stephenw10

@Nazilus:

Firewall Rule:

Protocal> any
Source> Lan subnet

should work in a minute

Yep that will 'block the websites', all of them.  :D

Steve

Nazilus

BTW, i only put "youtube.com" in Aliases with "HOST" type

it work for me as some point.

but what i'm trying to looking here is

i got 3 LINE of internet. i want to point this youtube site to some LINE that i want to.

But this won't work at all!

Nazilus

DONT TRY TO FIND YOUTUBE IP. LOL i been try before. massive of them on this earth.