@JonathanLee said in To Default Reject Or Block That is the Question.: I wanted to share this with you incase you ever asked the question what the difference its between block or reject... A block just drops the packet, without any other response. A reject sends an ICMP message back advising why. You want to use block on the WAN, so that the attacker has no confirmation there's something there. Use reject on the LAN, so that an issue can be identified.

I would concur using it as explicit proxy where your devices actual gateway points to pfsense vs the proxy should remove such issues what what your seeing with that 22 traffic you listed. Other option with putting such devices that are really internal to your network on their own transit network can eliminate asymmetrical flow issues.

@p2ranger @michmoor gave the link where it is explained for pfSense but it is not timebased: server: access-control-view: 192.168.1.69/32 blocksites view: name: "blocksites" local-zone: "youtube.com" static I don't think that there is a more integrated solution for youtube.com in pfBlocker. You can force save search for youtube though.

@viragomann & @Gertjan Thanks for your help! Managed to solve it with a floating firewall rule! I only tried to block it from the interface that I thought the traffic originated from first. But now I tried to add a floating rule that blocked the traffic from all interfaces that shouldn't have access to it, and it worked!

@bmeeks : Bummer. But I understand now. Thanks!

@dr_tech said in Possible to block certain websites using URL ?: Is such a provision available ? Yes, I thought pfBlockerNG would be a good solution. See the answer to your question at the attached link: https://forum.netgate.com/topic/138029/acl-s-support In particular, focus on the recommendation of @BBcan177 (maintainer and creator of pfBlockerNG)

@m0nji said in Whitelist-Ansatz für Windows- und Programmebene: Allen nicht explizit legitimierten (ausgehenden) Datenverkehr unterbinden: @jegr said in Whitelist-Ansatz für Windows- und Programmebene: Allen nicht explizit legitimierten (ausgehenden) Datenverkehr unterbinden: Snort+OpenAppID Application Filtering on pfSense ist vollkommen an mir vorbei gegangen. Danke für die Richtigstellung. Kein Problem, gerne. Steht leider noch auf meinem ToDo Zettel zum Testen aber leider dank Krankheit und Arbeit noch nicht dazu gekommen ;)

Yeah looks like your whited out a huge amount of rules? Also even the rules can see make no sense You have an any rule that says hey DMZ net if your NOT going to lan net your allowed. Well below that a rule that says blocking going to 192.168.2/24 which is Dev Net? Why would that not be allowed in the dmz to NOT lan net rule? Do you have downstream networks other than dmz net connected... And then below another rules that says block dev net, is that not 192.168.2/24 that you already blocked above, etc. Please do not hide rules if you want help.. Its very simple. Rules are evaluated top down as traffic enters an interface. If a rule matches it wins and no other rules are evaluated. So run through your rules from the top. To see if traffic should be allowed or blocked. If you have a rule that blocks before an allow - and your still seeing allowed traffic then you prob have to clear a state from before you created that rule. As to that rule on top blocking - if this firewall then it should. But don't know about his states, nor what he has in the alias.