Block Every Website (HTTPS + HTTP) And Allow Some!! Need Help

  • Hi All,

    I highly appreciate your help with the following:

    I need to provide Internet access for a user, and he only needs to access 1 website,

    so I want to block everything for security reasons.

    I have tried Squid Proxy and I could block all HTTP websites and allow only the one I needed,

    but all HTTPS websites are working and not blocked.

    Could you please tell me what to do, or give me a solution for this?

    Many Thanks

  • Depending on the website you want to allow access to (does it have many IPs?), I would suggest you put a rule on the relevant interface as follows:

    Source = the device or device alias (assuming you have fixed IPs on your device)
    Destination = the website IP you want to allow access to
    Create an alias with the needed ports (80 and/or 443) and use that as the destination port (assuming you want to harden the rule)

    You might need to add a rule to allow access to DNS (port 53) prior to the above rule... I assume the network has access to the Internet? Make sure to clear "States" if you have already been allowing access to the Internet.

    I believe it is called "white listing"...

    (*Some edits were made after posting)

  • The basic idea would be to make two rules:

    The first rule for this user (top of the list) would be to allow access to the specific site. To get the best help, please let us know exactly what site you want to allow; due to dynamic IPs, the best way to handle this could range from very simple to using scripts. The general idea would be to allow access from the person in question (using a static IP assigned by you) to the site in question (most likely using a dynamic range of IPs).

    The second rule for this user would be to block the user's access to everything. Since it's a known user on your LAN, it would probably be better to reject than block, so:
    REJECT * * * * * * …

  • @velcro Hi sir, can you make a step-by-step guide on how to do it?

  • Netgate Administrator

    Not many steps here. If it were me, I would:
    Remove any allow-all rule on the interface for the subnet in question.
    Add a rule to allow DNS to the interface IP.
    Create an alias containing the IP addresses of the sites you want to allow.
    Add a rule to pass traffic from the subnet to that alias for TCP.
    If you really wanted to restrict further, use a ports alias to allow only ports 80 and 443 as the destination too.

    BUT... that will only work well for sites that resolve to a single IP address, or only if you have all the resolvable IPs in the alias. So it will not work for Facebook, YouTube etc. Or at least not well.
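To make the ordering and the caveat above concrete, here is an added example (not code from the thread or from pfSense) that models the suggested rule set as a first-match evaluator; the alias names, the LAN addresses and the site IPs are constructed placeholders, and the last "reject" rule plays the role of the catch-all. It also shows why a site that moves to an IP outside the alias stops working:

```python
# Added example: first-match evaluation of the allow-list rule set discussed above.
# All addresses, ports and alias names are constructed placeholders.
import ipaddress

# Constructed aliases: the restricted user, the interface IP used for DNS,
# the IPs the allowed site resolves to, and the allowed destination ports.
ALIASES = {
    "LAN_User": ["192.168.1.50"],
    "LAN_Gateway": ["192.168.1.1"],
    "Allowed_Site": ["203.0.113.10", "203.0.113.11"],
    "Allowed_Ports": [80, 443],
}

# Rules in evaluation order: (action, proto, src, dst, dports).
# "any" matches everything; a name refers to an entry in ALIASES.
RULES = [
    ("pass", "udp", "LAN_User", "LAN_Gateway", [53]),            # DNS to the interface IP only
    ("pass", "tcp", "LAN_User", "Allowed_Site", "Allowed_Ports"),  # the one permitted site
    ("reject", "any", "LAN_User", "any", "any"),                   # everything else for this user
]

def _match_addr(alias, addr):
    """True if addr is 'any' or falls inside one of the alias entries (host or CIDR)."""
    if alias == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in ALIASES[alias])

def _match_port(ports, port):
    if ports == "any":
        return True
    if isinstance(ports, str):
        ports = ALIASES[ports]
    return port in ports

def evaluate(proto, src, dst, dport):
    """Return the action of the first matching rule; unmatched traffic is blocked by default."""
    for action, rproto, rsrc, rdst, rports in RULES:
        if rproto not in ("any", proto):
            continue
        if not (_match_addr(rsrc, src) and _match_addr(rdst, dst)):
            continue
        if not _match_port(rports, dport):
            continue
        return action
    return "block"
```

Swapping the first two rules below the reject rule, or leaving a site IP out of "Allowed_Site", is what makes the restricted user lose access, which is the dynamic-IP caveat the reply describes.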