Netgate Discussion Forum

    Blocking all sites, except one or two sites with firewall rules ONLY

      cinlung

      Hi all

      I know this may have been asked many times, both for the purpose and the reasons, but bear with me and please help me find out these rules.

      What I am trying to do is to block all internet access for all users on all ports, except for two conditions:
      1. Certain ports like email, secure mail ports, etc are OK to access.
      2. Certain web sites like www.google.com, www.mycompanysite.com are ok. But other sites are not allowed.

      So, this is what I did:
      a. I set up two aliases, one for allowed ports and one for allowed IPs and URLs (google.com, teamviewer.com, etc)
      b. I set a firewall rule that if the source is * and target is not <allowed urls> then reject.
      c. I add another rule that if the source is * and target is any with ports listed in the <allowed ports> then pass the packets.

      For some reason, I cannot access google.com and teamviewer.com even if I set the FQDN such as www.google.com and www.teamviewer.com.
      It seems all websites are blocked.

      But some sites are allowed to pass, the ones with specific IP (IP based URLs). If I want to block certain URLs then using this method will work. But to bypass some domain, it did not work.

      Please check attached pictures and I really do not want to use squid if possible to make my firewall as light as possible.

      All help is appreciated. Thank you.

      Attachments: Rules.png, Allowed Alias.png

        coxhaus

        My one thought is you need to allow DNS through.  This will allow you to resolve valid sites.

          cinlung

          @coxhaus:

          My one thought is you need to allow DNS through.  This will allow you to resolve valid sites.

          I tried to pass all possible DNS servers listed in my pfSense. Still no use. Input them in the allowed IP alias and pass them in the firewall rules.

            coxhaus

            I don't read it that way.

            First rule allow DNS.
            Second rule allow sites.
            Third rule allow ports.
            Fourth rule block all.

              cinlung

              @coxhaus:

              I don't read it that way.

              First rule allow DNS.
              Second rule allow sites.
              Third rule allow ports.
              Fourth rule block all.

              Can I put the first and second rule as one alias (allowed sites)? I use any protocol and any ports. And I did that and even added more.

              First rule: Allow DNS IPs
              Second rule: Allow sites
              Third Rule: Allow Ports
              Fourth Rule: Block all

              Some sites with a specific IP specified in the allow sites alias work. But sites with many IP possibilities and FQDN still cannot be called. For example: google.com

              When I call google, it will be rejected.

              Can anyone help??

                cinlung

                Can anyone at all help me?

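Added example, not part of any post in this thread: a small Python model of first-match rule evaluation (pfSense applies the first matching rule on an interface), comparing rules (b) and (c) as described in the first post with the four-rule order suggested in the reply. All addresses and alias contents are constructed assumptions; the "rotated IP" stands for a multi-address site handing the client an address that is not in the firewall's resolved copy of the FQDN alias.

```python
# Added illustration of first-match rule evaluation; every value below is constructed.
ALLOWED_PORTS = {25, 465, 587, 993, 995}   # assumed contents of the "allowed ports" alias
RESOLVER = "192.0.2.53"                    # assumed DNS server the clients query
ALIAS_SNAPSHOT = {"198.51.100.10"}         # addresses the firewall last resolved for the site FQDN
ROTATED_IP = "198.51.100.20"               # a different address the client got for the same FQDN

def to_alias(p):
    return p["dst"] in ALIAS_SNAPSHOT
def is_dns(p):
    return p["dst"] == RESOLVER and p["port"] == 53
def ok_port(p):
    return p["port"] in ALLOWED_PORTS

# Rules (b) and (c) as described in the first post: (b) only rejects, so
# (c) is the only rule that can pass anything, and only toward the alias.
AS_POSTED = [
    ("reject", lambda p: not to_alias(p), "b: destination not in allowed-sites alias"),
    ("pass", ok_port, "c: port in allowed-ports alias"),
]
# The four-rule order suggested in the reply.
SUGGESTED = [
    ("pass", is_dns, "1: allow DNS"),
    ("pass", to_alias, "2: allow sites"),
    ("pass", ok_port, "3: allow ports"),
    ("block", lambda p: True, "4: block all"),
]

def evaluate(rules, pkt):
    """Return (action, label) of the first matching rule; unmatched traffic is denied."""
    for action, match, label in rules:
        if match(pkt):
            return action, label
    return "block", "implicit default deny"

PACKETS = {
    "dns query": {"dst": RESOLVER, "port": 53},
    "mail submission": {"dst": "203.0.113.25", "port": 587},
    "site, alias IP": {"dst": "198.51.100.10", "port": 443},
    "site, rotated IP": {"dst": ROTATED_IP, "port": 443},
}

def verdicts(rules):
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for title, rules in (("as posted", AS_POSTED), ("suggested order", SUGGESTED)):
        print(title)
        for name, pkt in PACKETS.items():
            print(f"  {name:17} -> {evaluate(rules, pkt)}")
```

In this model the suggested order passes DNS, mail and the alias address, while the rotated address is still blocked because the rule matches resolved IP addresses rather than the hostname.
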
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.