Limiting Outbound Destinations

  • We have a web server behind pfsense that needs to access a variety of sites for various services (freight calculations, sales taxes, etc).  In order to really lock down the server, I want to block all outgoing access to anything other than those sites that are explicitly allowed.

    On another client, we use Sonicwalls (which we are happily replacing with pfsense in our new installation).  Sonicwall does have a couple of features that make this pretty easy.  It has the ability to create an address object (think Alias in pfsense) with a wildcarded name.  So I can create an alias called UPS which points to "*" - and the sonicwall worries about any address resolution.

    I can take this a step further by creating another Address Object (alias) that is a collection of other objects.  So after creating all of my allowed outgoing domains, I create a new object called "Permitted Outgoing Sites" and all of the individual ones go into it. I then create a single rule that has the destination of Permitted Outgoing Sites and the various ports that are allowed - and just like that I'm done.  When we have a new vendor, I just add the alias, and add it to the parent record.

    I know I could do most of this in pfsense with individual entries, but it becomes a maintenance nightmare (if IP addresses change, or the vendors increase the number of web servers, etc).

    Am I missing something, or am I pretty much limited to creating the individual aliases?

  • You may want to use squid, with SquidGuard if the list is long (over a dozen or so I suspect).

    You'll need then to block outbound access to port 80 and 443 to stop people bypassing the filtering.  If you look at the various threads about Squid/SquidGuard in the packages forum you should get a good start.

  • Actually, you can already create an alias like '' but it only gets updated with one corresponding IP once when the filters are loaded initially.
    IMHO further support is planned for 1.3 - but as usual with these kinds of versions - don't hold me liable for it actually being implemented in the release. Whenever that will be anyway…
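
The Squid approach suggested in the second reply, sketched as an added example that is not from any poster in this thread: a squid.conf fragment that permits the web server to reach only named vendor domains. The vendor domains, the 192.0.2.10 server address and the proxy port are placeholders, not values from the thread.

```conf
# Added example: explicit-proxy allowlist for the web server's outbound HTTP/HTTPS.
# All addresses and domains below are placeholders (assumptions), not from the thread.

# The web server that is allowed to use the proxy at all.
acl webserver src 192.0.2.10/32

# One entry per permitted vendor. A leading dot matches the domain and all of its
# subdomains. Matching is done on the requested host name, so vendor IP changes
# or additional vendor servers need no rule changes.
acl permitted_sites dstdomain .freight-vendor.example
acl permitted_sites dstdomain .tax-vendor.example

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse unexpected ports, and refuse CONNECT tunnels to anything but 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow only the web server, and only to the permitted destinations.
http_access allow webserver permitted_sites
http_access deny all

# Port the web server's HTTP clients are pointed at.
http_port 3128
```

This only constrains traffic that goes through the proxy, so the firewall still has to block the server's direct outbound access to ports 80 and 443, as the reply notes. Adding a vendor is then one more `dstdomain` line, which mirrors the "Permitted Outgoing Sites" group described in the question.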
