Is pfBlockerNG able to block all outbound traffic except whitelistet sites?

RolandW

I would like to block all outbound traffic except for a few whitelisted destinations (e.g. Windows updates) for security reasons. Whitelisting must be on domain name basis, not on IP-number basis, so that I cannot use IP rules for that.
Even though pfBlockerNG was not made for that purpose (but for blacklisting malware/adware sites), I suspect that it might be able to do, what I need.

So my questions:
Is pfBlockerNG able to block all outbound traffic with the exception of a few whitelisted domain names?
Will it be possible to install pfBlockerNG on an Netgate SG1100 or do I need a more powerful machine?

NollipfSense

@RolandW Remember, a quick search would reveal the answer, since each week at least one person asked and received; also, the firewall already blocks all except what you allow...

RolandW

Dear NollipfSense,

thanks for the answer!
unfortunately I was not able to find the answer to my questions even after performing an extended search, that's why I asked here.

Your write, that the firewall blocks all except what I allow. By default, it's the other way round: outbound traffic is allowed unless denied. I know, that I can change that easily by creating a rule in pfSense. The point is, that whitelisting on pfSense level is possible only for IP-adresses. When whitelisting to allow Windows updates for example, I have to whitelist domain names ("windowsupdate.microsoft.com"), that are represented by hundreds of IP adresses. So whitelisting in pfSense itself is not helpful.

That's why I thought, I could perform whitelisting on pfBlockerNG level, that has an option for whitelisting domain names.

However, the question is, how pfSense and pfBlockerNG interact:

1. does whitelisting in pfBlockerNG affect only those sites, that are blocked in pfBlockerNG?

or

2. can I allow outbound traffic to sites by whitelisting them in pfBlockerNG, even if outbound traffic is generally denied on pfSense level?

or

3. is it possible to deny all outbound traffic in pfBlockerNG and whitelist the domains needed?

For a experienced user of pfSense and pfBlocker NG it might sound supid what I'm asking, however I was not able to find an answer to my question regarding the "interaction" of pfSense and pfBlockerNG. I would be very grateful, if you could give me a hint by answering my three questions ;-)

JeGr

@RolandW said in Is pfBlockerNG able to block all outbound traffic except whitelistet sites?:

does whitelisting in pfBlockerNG affect only those sites, that are blocked in pfBlockerNG?

Actually that depends on what whitelisting you are talking about as pfBlocker has two things it can block. DNS Blacklists and via IP Feeds/Lists. DNS Blacklisting interacts with Unbound (the default DNS Resolver) whereas IP Feeds can auto-create rules (or aliases to be used in rules).

So it depends what exactly you are asking.

RolandW

Dear JeGr,
what I want to do is basically simple: block all outbound traffic except for a few whitelisted domains.

It's probably not possible to block all traffic using DNS blacklists with wildcards, neither it seems feasible to create IP feeds (that, as I understand, become aliases in pfSense rules), that block everything (1.1.1.1/0 ???), because they would probably be too long. Therefore, if whitelisting in pfBlockerNG is only meant for making exceptions to DNS blacklists, I probably cannot use pfBlockerNG for what I want to do.

Have you got another idea what I could do?

Roland

xalex1977

hi,
I'm interested too ....
I should only allow these domains:
*.larksuite.com
*.ibytedtos.com
*.byteoversea.com
*.larksuitecdn.com
and deny all the internet;
even setting up a proxy squid, Larke software needs to have direct access to these domains without going through the proxy;
how do i configure pfBlockerNG?
client PCs use a windows active directory server as dns,
how can I do it?
thanks

NollipfSense

@RolandW It seems that you have the answer ... you claimed in your first post that you had a few IPs ... the correct action is to create aliases with the FEW IP addresses and then create LAN firewall rule to allow those and block all else. You really don't need pfBlockerNG.

xalex1977

@NollipfSense said in Is pfBlockerNG able to block all outbound traffic except whitelistet sites?:

@RolandW It seems that you have the answer ... you claimed in your first post that you had a few IPs ... the correct action is to create aliases with the FEW IP addresses and then create LAN firewall rule to allow those and block all else. You really don't need pfBlockerNG.

I should only allow these domains:
*.larksuite.com
*.ibytedtos.com
*.byteoversea.com
*.larksuitecdn.com
and deny all the internet;
how do i configure pfBlockerNG DNSBL?

Thanks

NollipfSense

@xalex1977 See the post above yours! You don't need pfBlockerNG ... here is a starting idea (see image below), then create a firewall rule to allow/pass any protocol from LAN net to destination (my connection Alias) then add another firewall rule below the first blocking all other connections. Help yourself from this info.

xalex1977

@NollipfSense but with these aliases can not unlock all subdomains or with the latest versions also work for subdomains?

NollipfSense

@xalex1977 said in Is pfBlockerNG able to block all outbound traffic except whitelistet sites?:

@NollipfSense but with these aliases can not unlock all subdomains or with the latest versions also work for subdomains?

You won't need pfBlockerNG and not sure why you think it would not work for any subdomains ... remember, you could add up to 3,000 domains or subdomains to the alias my connection; so, stop rolling your eyes

xalex1977

@NollipfSense unfortunately from the software specifications I don't know the names of the subdomains and I think they change constantly, thanks for the help

NollipfSense

@xalex1977 You should start your own thread.

jhaeu90

@nollipfsense

You won't need pfBlockerNG and not sure why you think it would not work for any subdomains ... remember, you could add up to 3,000 domains or subdomains to the alias my connection; so, stop rolling your eyes

I have to bring this up again because I'm in a similar position:

I want to block all outbound traffic on 443 except a few whitelisted domains (teamviewer, windowsupdate).
I tried it with your approach of definining an alias with URLs but I'm always running into the problem that I can't whitelist every subdomain.
For example Windows update: there is a huge amount of subdomains that I would have to whitelist for Windows update to work... xxx.microsoftupdate.com

Can I use pfblocker for this and blacklist all except a whitelist with domains (including subdomains)? For example, allow access on 443 to *.microsoft.com . To my knowledge, this isn't possible with firewall rules only.

RolandW

@jhaeu90
I meanwhile figured out, how to do that: you need squid and squidguard. All http and https traffic (ports 80 & 443) then goes through squid/squidguard, the rest goes through the firewall.

In squid enable "Transparent http Proxy" & "SSL filtering", "splice all" intercept interface "LAN".

In squidguard create a "target category", in the "Domain List" put in all domains, that should be allowed. Then, under "common ACL" open the "Target rules list", set your newly created list to allow, and for "default access (all)" -> deny. Thats it!

To allow Windows updates I figured out by trial and error that you need to allow a lot of domains (not only windowsupdate.com)

NollipfSense

@jhaeu90 It might be easier to use firewall alias for all the sites you want to route via 443 and create a firewall .

jhaeu90

@rolandw
Thank you, this solved it for me.

CZvacko

If Squid/LightSquid/SquidGuard becomes deprecated, I need some alternative to block everything except whitelist. Same solution as @RolandW wanted, i.e. whitelist domains using WILDCARDS like *microsoft.com to include subdomains.
Firewall rules can't be used for that, eventually @RolandW used squid and squidguard, but that's no longer an option.
So can this be done using pfBlockerNG? I have searched the forum for this but haven't found it.

SteveITS

@CZvacko it’s been many years but long ago we had a client on a restricted Windows Server network (not pfSense). IIRC in Windows DNS Server we forwarded selected sites (so, domain override) to public DNS, and disabled using root servers which is a checkbox on Windows. So nothing else resolved. Maybe similar will work on pfSense?

keyser

@CZvacko I don’t think you can achieve exactly that with pfBlockerNG.

PfBlockerNG has a IP block feature that can be used both as a blocking and whitelisting option and that would be great to use - except you have no easy way to create the “positive” list with IP addresses of every subdomain.

PfBlockerNG also has a DNS Blacklist option with a wildcard subdomain blocking - which is exactly what you want if it could be turned around as whitelisting feature. But I as far as I can figure there is no way to do that because what it really does is make the DNS server resolve all those names as a local or 0.0.0.0 address rather than actually resolve them.