Netgate Discussion Forum

    Block Every Website ( https + Http ) And Allow Some !! Need Help

    General pfSense Questions
    5 Posts 5 Posters 750 Views
      rebazov

      Hi All ,

      I highly appreciate your help with the following :

      I need to provide Internet access for a user, and he only needs to access one website,

      so I want to block everything else for security reasons.

      I have tried Squid Proxy and I could block all HTTP websites and allow only the one I need,

      but all HTTPS websites are working and not blocked.

      Could you please tell me what to do, or give me a solution for this?

      Many Thanks

        Velcro

        Depending on the website you want to allow access to (does it have many IPs?), I would suggest you put a rule on the relevant interface as follows:

        Source = the device or device alias (assuming you have fixed IPs on your device)
        Destination = the website IP you want to allow access to
        Create an alias with the needed ports (80 and/or 443) and use that as the destination port (assuming you want to harden the rule)

        You might need to add a rule before the above one to allow access to DNS (port 53)... I assume the network has access to the internet? Make sure to clear "States" if you have already been allowing access to the internet.

        I believe it is called "white listing"...

        (*Some edits were made after posting)

          belt9

          The basic idea would be to make two rules:

          The first rule for this user (top of the list) would be to allow access to the specific site. To get the best help, please let us know exactly what site you want to allow; due to dynamic IPs, the best way to handle this could range from very simple to using scripts. The general idea would be to allow access from the person in question (using a static IP assigned by you) to the site in question (most likely using a dynamic range of IPs).

          The second rule for this user would be to block the user's access to everything. Since it's a known user on your LAN, it would probably be better to reject than block, so:
          REJECT * * * * * * …

            marksantos @Velcro

            @velcro Hi sir, can you make a step-by-step guide on how to do it?

              stephenw10 Netgate Administrator

              Not many steps here. If it were me I would:
              • Remove the allow-all ("any") rule on the interface for the subnet in question.
              • Add a rule to allow DNS to the interface IP.
              • Create an alias containing the IP addresses of the sites you want to allow.
              • Add a rule to pass traffic from the subnet to that alias for TCP.
              • If you really wanted to restrict further, use a ports alias to allow only ports 80 and 443 as the destination too.

              BUT... that will only work well for sites that resolve to a single IP address, or only if you have all the resolvable IPs in the alias. So it will not work for Facebook, YouTube etc. Or at least not well.

              Steve

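The rule set Steve and belt9 describe, written out in plain pf syntax so the ordering and the reject-versus-pass logic are visible. This is an added example, not code from the thread or from pfSense's generated configuration (pfSense writes its own pf.conf from the GUI rules). The interface name, the LAN addressing, the restricted host and the two site addresses are made-up placeholders; substitute your own.

```pf
# Added example: a hand-written pf ruleset implementing the policy described
# in this thread. Not pfSense's own generated configuration.
#
# Assumptions (all placeholders): LAN interface igb1, LAN 192.168.10.0/24 with
# the firewall at 192.168.10.1, the restricted user's fixed IP 192.168.10.50,
# and the allowed site resolving to 203.0.113.10 and 203.0.113.11 (TEST-NET-3).
lan_if          = "igb1"
lan_ip          = "192.168.10.1"
restricted_host = "192.168.10.50"

# The "alias" from the GUI is a pf table. It must contain EVERY address the
# allowed site resolves to; a multi-IP or CDN-hosted site needs all of them.
table <allowed_sites> { 203.0.113.10, 203.0.113.11 }
allowed_ports   = "{ 80, 443 }"

# Default for this user: reject (block with a TCP RST / ICMP unreachable) so a
# LAN client fails fast instead of hanging, as belt9 suggests. Logging the
# rejects shows what the user actually tried to reach.
# pf is last-match unless a rule says "quick", so the "quick" pass rules below
# win over this one.
block return log in on $lan_if from $restricted_host to any

# Step 1: DNS only to the firewall's own resolver (Unbound on pfSense), both
# UDP and TCP. Because of the block rule, DNS to any other resolver is rejected.
pass in quick on $lan_if proto { tcp, udp } from $restricted_host to $lan_ip port 53

# Step 2: TCP 80/443 to the aliased site addresses. Squid cannot see inside
# HTTPS, which is why this is done at the packet filter rather than the proxy.
pass in quick on $lan_if proto tcp from $restricted_host to <allowed_sites> port $allowed_ports
```

In the pfSense GUI the same policy is entered the other way round: rules are evaluated top to bottom, first match wins, so the DNS pass and the alias pass go above a final "reject everything" rule for that source. As Velcro notes, reset the existing states for that host after adding the rules, or open connections created under the old allow-all rule keep working until they expire. The caveat from Steve's post stands: a hostname alias that pfSense re-resolves periodically only captures the addresses the firewall itself sees at each refresh, so a site that hands out many rotating addresses will still have connections rejected.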
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.