Netgate Discussion Forum

    Blocking everything except...

    Category: pfBlockerNG
    7 Posts 3 Posters 1.3k Views
    • Oceanwatcher

      I got a tip that pfBlockerNG was the right tool for this, so I come here to ask about a specific situation I have with a client.

      They need to block everything except a few domains.

      So they basically would like to have some whitelisted domains, and the problem of course is that some of these may use a CDN or otherwise use multiple IP addresses.

      What is the best way of getting this done? Rules, setups etc.

      This block has to happen for all traffic from a specific VLAN. Other VLANs should not be affected.

      I know there is no perfect solution. But this is surprisingly often a question that comes up.

      In this case, it is a place for editing film and TV. Their editing systems should not have access to internet at all, except for a few sites they need to update software and access user manuals.

      Regards,

      Oceanwatcher
      2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

      • NollipfSense

        This is such a common question that had you searched the forum you would have found multiple answers. In your case, all you need to do to block all traffic to that specific VLAN is a firewall block rule. I would even go further by creating an alias of that VLAN, then use two floating firewall rules with the quick set enabled, then set direction to in for the first as well as direction out for the second... you won't need to whitelist in pfBlockerNG.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • Oceanwatcher @NollipfSense

          @NollipfSense Thank you very much.

          How would you go about opening access for those domains that they need access to?

          Regards,

          Oceanwatcher
          • jdeloach @Oceanwatcher

            @Oceanwatcher If you are using the pFBlocker-devel program, you can Whitelist the domains that you do not want blocked.

            • NollipfSense @Oceanwatcher

              @Oceanwatcher said in Blocking everything except...:

              > @NollipfSense Thank you very much.
              >
              > How would you go about opening access for those domains that they need access to?

              So, are you saying that the VLAN needs to have access to a few sites? If so, what I described above wouldn't work as it blocks all. However, as jdeloach said, you can add those sites to whitelist.

              • Oceanwatcher @NollipfSense
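An added example, not code from this thread or from pfSense or pfBlockerNG: a small Python model of the rule set the replies above amount to, default-deny egress for one VLAN with an allowlist built by resolving the permitted domain names to addresses, which is how a pfSense alias containing FQDNs behaves each time it is refreshed. The VLAN subnet, firewall address, domain names and DNS answers are all assumed, constructed values. It shows the two caveats a practitioner hits with CDN-hosted sites like the ones the original poster describes: an address shared with an unrelated site on the same CDN is allowed as well, and a new CDN address is blocked until the alias is next resolved. The model also permits DNS only to the firewall's own resolver, because a DNS-level whitelist such as pfBlockerNG's is bypassed by any client that resolves elsewhere.

```python
"""Model of default-deny egress for one VLAN with an FQDN-resolved allowlist.

Added example; not from the forum thread or the pfSense project. All
addresses, names and DNS answers are constructed sample data.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed DNS answers standing in for a resolver. The vendor's update host
# shares a CDN address with an unrelated site (realistic for CDN-fronted sites).
DNS_SNAPSHOT_1: Dict[str, List[str]] = {
    "updates.example-vendor.com": ["198.51.100.10", "198.51.100.11"],
    "docs.example-vendor.com": ["203.0.113.5"],
    "unrelated.example.net": ["198.51.100.10"],  # same CDN edge as updates
}
# A later resolution of the same names: the CDN handed out a new edge address.
DNS_SNAPSHOT_2: Dict[str, List[str]] = {
    "updates.example-vendor.com": ["198.51.100.12"],
    "docs.example-vendor.com": ["203.0.113.5"],
    "unrelated.example.net": ["198.51.100.12"],
}

EDITING_VLAN = ip_network("10.50.0.0/24")  # assumed subnet of the editing VLAN
FIREWALL_DNS = ip_address("10.50.0.1")     # assumed firewall address on that VLAN
ALLOWED_DOMAINS = ["updates.example-vendor.com", "docs.example-vendor.com"]


def build_allow_table(domains: List[str], snapshot: Dict[str, List[str]]) -> Set[str]:
    """Resolve each allowlisted FQDN and collect every address into one table,
    as an FQDN alias does when it is (re)resolved."""
    table: Set[str] = set()
    for name in domains:
        table.update(snapshot.get(name, []))
    return table


def egress_decision(src: str, dst: str, proto: str, dport: int, allow_table: Set[str]) -> str:
    """Evaluate one outbound flow from the VLAN; first matching rule wins.

    1. DNS (udp/53) to the firewall's resolver passes, so names still resolve.
    2. HTTP/HTTPS to an address in the allow table passes.
    3. Anything else sourced from the VLAN is blocked.
    Flows from other networks are outside this rule set's scope.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip not in EDITING_VLAN:
        return "not-in-scope"
    if proto == "udp" and dport == 53 and dst_ip == FIREWALL_DNS:
        return "pass"
    if proto == "tcp" and dport in (80, 443) and str(dst_ip) in allow_table:
        return "pass"
    return "block"


def cdn_leak(snapshot: Dict[str, List[str]], allow_table: Set[str]) -> List[str]:
    """Names that were NOT allowlisted but are reachable anyway because they
    share an address with an allowlisted name (the shared-CDN caveat)."""
    return sorted(
        name for name, addrs in snapshot.items()
        if name not in ALLOWED_DOMAINS and set(addrs) & allow_table
    )


if __name__ == "__main__":
    table = build_allow_table(ALLOWED_DOMAINS, DNS_SNAPSHOT_1)
    print("allow table:", sorted(table))
    print("vendor update host:", egress_decision("10.50.0.20", "198.51.100.10", "tcp", 443, table))
    print("public DNS bypass:", egress_decision("10.50.0.20", "8.8.8.8", "udp", 53, table))
    print("leaked via shared CDN address:", cdn_leak(DNS_SNAPSHOT_1, table))
    print("new CDN edge before refresh:", egress_decision("10.50.0.20", "198.51.100.12", "tcp", 443, table))
```

The `cdn_leak` result is the part worth reading twice: allowing by IP grants access to every site that shares the CDN edge, so the allowlist is only as narrow as the CDN's address allocation, and the "block until refresh" case shows why the alias resolve interval matters for sites whose addresses rotate.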

                @NollipfSense And that is exactly why your first answer did not make any sense at all. It is a good practice to read the whole post before answering. 😉 You even went so far as to voice your opinion in a different sub-forum here based on your completely wrong understanding of the subject.
                I appreciate the willingness to answer, though!

                Regards,

                Oceanwatcher
                • Oceanwatcher @jdeloach

                  @jdeloach Sounds exactly what is needed! Thank you!

                  Regards,

                  Oceanwatcher
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.