Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block Facebook.com

    Scheduled Pinned Locked Moved pfBlockerNG
    19 Posts 4 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mcury Rebel Alliance
      last edited by

      Browser detects MITM, that is not pfblocker's fault, it's just like https works.

      dead on arrival, nowhere to be found.

      NollipfSenseN 1 Reply Last reply Reply Quote 0
      • NollipfSenseN
        NollipfSense @mcury
        last edited by

        @mcury So, are you saying the browser reacts first before it gets to pfBlockerNG? That seems to make sense!

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        1 Reply Last reply Reply Quote 0
        • M
          mcury Rebel Alliance
          last edited by

          There is a certificate when the connection goes through https.
          The site you are calling in your browser is facebook.com, your browser is expecting to receive a response from facebook.com
          The certificate presented by the website, should contain the same name you called, in this case, facebook.com.

          Pfblocker is trying to present you a block page, that doesn't is facebook, so your browser cuts the connection.

          ps: sorry for my english

          dead on arrival, nowhere to be found.

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by NogBadTheBad

            Basically you need to trust the pfBlocker self signed cert.

            http:-

            Screenshot 2020-01-17 at 16.01.34.png

            https:-

            Screenshot 2020-01-17 at 16.01.53.png

            Notice the padlock ?

            Screenshot 2020-01-17 at 16.02.02.png

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            1 Reply Last reply Reply Quote 0
            • M
              mcury Rebel Alliance
              last edited by

              I don't think that will help either, see, the pfblocker certificate doesn't contain the facebook.com as a valid dns name.

              Check the facebook certificate for the part: DNS alternative names

              dead on arrival, nowhere to be found.

              NogBadTheBadN 1 Reply Last reply Reply Quote 0
              • NogBadTheBadN
                NogBadTheBad @mcury
                last edited by NogBadTheBad

                @mcury

                Screenshot 2020-01-17 at 16.16.17.png

                Screenshot 2020-01-17 at 16.18.24.png

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                1 Reply Last reply Reply Quote 0
                • M
                  mcury Rebel Alliance
                  last edited by

                  So, it worked with safari, how about firefox, or chrome?

                  dead on arrival, nowhere to be found.

                  NogBadTheBadN 1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad @mcury
                    last edited by NogBadTheBad

                    @mcury

                    Don't they both do DNS over HTTPS, so they'd bypass pfBlocker ?

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    NollipfSenseN 1 Reply Last reply Reply Quote 0
                    • M
                      mcury Rebel Alliance
                      last edited by

                      You can disable that behavior

                      dead on arrival, nowhere to be found.

                      NogBadTheBadN 1 Reply Last reply Reply Quote 0
                      • NogBadTheBadN
                        NogBadTheBad @mcury
                        last edited by

                        @mcury

                        If you have firefox or chrome installed 😉

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        M 1 Reply Last reply Reply Quote 0
                        • M
                          mcury Rebel Alliance @NogBadTheBad
                          last edited by

                          @NogBadTheBad yeah :) only in that case.

                          dead on arrival, nowhere to be found.

                          1 Reply Last reply Reply Quote 0
                          • NollipfSenseN
                            NollipfSense @NogBadTheBad
                            last edited by

                            @NogBadTheBad said in Block Facebook.com:

                            @mcury

                            Don't they both do DNS over HTTP, so they'd bypass pfBlocker ?

                            @mcury said in Block Facebook.com:

                            You can disable that behavior

                            Yes, I have disabled the behavior in Firefox and I mostly use Firefox and sometimes Safari. However, not in all cases I get "site had been blocked by network admin" sometimes I get a blank page...so; I just edit CN-DNSBL to trust it in Firefox.

                            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                            M 1 Reply Last reply Reply Quote 0
                            • M
                              mcury Rebel Alliance @NollipfSense
                              last edited by

                              @NollipfSense

                              My previous tests with firefox didn't work.
                              My best guess is that firefox was trying to compare the fqdn called with the server CN and/or dns alternatives.
                              Remember, I'm not a specialist, and I could be wrong, so don't take everything I said as a last word.

                              I was facing a lot of issues to get my LE certificate to work, and to get that, I had to add in my certificate, all my subdomains as alternative names.

                              If Firefox is working today, with dnsblocker webpage for https, it's good to know, maybe I'll try it later :)

                              dead on arrival, nowhere to be found.

                              NollipfSenseN 1 Reply Last reply Reply Quote 0
                              • NollipfSenseN
                                NollipfSense @mcury
                                last edited by

                                @mcury Yes, it's working with Firefox...

                                Screen Shot 2020-01-17 at 11.11.45 AM.png

                                pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                                pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                M 1 Reply Last reply Reply Quote 1
                                • M
                                  mcury Rebel Alliance @NollipfSense
                                  last edited by

                                  @NollipfSense I'll for sure try to import the DNSBL cert to my browser later in the day.
                                  My dns over https is also disabled :)

                                  dead on arrival, nowhere to be found.

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.