<![CDATA[I want to Block all websites and allow only some]]>Hello,

I am new with Pfsense. Just have installed and added Squid , squidGuard and Lightsquid packages. I have configured them like manual says but the problem is that there are a lot of websites that LAN part can access even I have Deny all categories on blacklist? Can you help how to block all webistes and prevent users from searching from search engines?
Thank you in advance

]]>https://forum.netgate.com/topic/128290/i-want-to-block-all-websites-and-allow-only-someRSS for NodeThu, 11 Jun 2026 19:44:23 GMTFri, 16 Mar 2018 12:31:46 GMT60<![CDATA[Reply to I want to Block all websites and allow only some on Fri, 23 Mar 2018 15:21:50 GMT]]>UPDATE
I have created a CA and activate HTTPS/SSL Interception with this configuration :
SSL/MITM Mode –------------- Splice All
SSL Intercept Interface(s)----------- LAN
SSL Proxy Port----------3129
SSL Proxy Compatibility Mode ----------- Modern
DHParams Key Size-------------2048
CA------------- CA Filter (the cetificate that I have created)

other fields are default

At this point everything is ok the blacklist is blocked and the whitelist works but after some minutes some of whitelist goes black for example gmail.com. I have add it as gmail.com / mail.google.com in both Target Categories as whitelist and at Squid Proxy as whitelist at ACL.

  • I have export the certificate and installed on Windows computer.
]]>https://forum.netgate.com/post/756994https://forum.netgate.com/post/756994Fri, 23 Mar 2018 15:21:50 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Wed, 21 Mar 2018 20:16:10 GMT]]>I have successfully done this entirely with aliases and pfsense rules only, on specific LAN interfaces. It is a very time consuming task to do this effectively by just using "Firewall Rules".

To be successful, you must be running Wireshark on a workstation on the LAN. Set the filter in Wireshark to DNS only, and resolve names while you browse the target website.  Observe ALL the coincident domains and Content Distribution Service providers ( CDN networks) needed to deliver the target website (Akamai, Fastly, ….)

Smaller independent sites are relatively easy to isolate. Anything hosted on AWS is virtually impossible isolate.

In some cases the best solution is to derive IP lists in pfblockerng using the ASN lookup feature to create "Aliase permit" list rules which  you can refer to from the firewall configuration screens. For example Facebook has its own ASN so its very easy to filter it either by blocks or permits. (ASN = Autonomous System Number)

Anyway that is the concept methodology in broad terms, to achieve your objective by just using "Firewall Rules". It's as much as I can help you with

Good luck !!

]]>https://forum.netgate.com/post/756670https://forum.netgate.com/post/756670Wed, 21 Mar 2018 20:16:10 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Wed, 21 Mar 2018 09:37:25 GMT]]>I have done all as you said but it still dont work (after every change I click Apply at general settings) the webistes added to whitelist stay always loading and at the end shows that the site take too long to respond. I don't know what to do we are very confused at this point

]]>https://forum.netgate.com/post/756487https://forum.netgate.com/post/756487Wed, 21 Mar 2018 09:37:25 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 17:30:00 GMT]]>And each time you're going back to the General settings tab, clicking Save then Apply?

It's been awhile since I've setup a whitelist but it was working for me.  Make sure that it's order is first.

]]>https://forum.netgate.com/post/756202https://forum.netgate.com/post/756202Mon, 19 Mar 2018 17:30:00 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 16:49:50 GMT]]>Its the same thing even when use allow

]]>https://forum.netgate.com/post/756196https://forum.netgate.com/post/756196Mon, 19 Mar 2018 16:49:50 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 16:41:27 GMT]]>What happens if you change the Whitelist selector from Whitelist to Allow in the Target Rules List?

]]>https://forum.netgate.com/post/756195https://forum.netgate.com/post/756195Mon, 19 Mar 2018 16:41:27 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 16:32:08 GMT]]>

Next, show screens for squidguard: Common ACL and Target Categories.

![common acl-1.png](/public/imported_attachments/1/common acl-1.png)
![common acl-1.png_thumb](/public/imported_attachments/1/common acl-1.png_thumb)
![common acl-2.png](/public/imported_attachments/1/common acl-2.png)
![common acl-2.png_thumb](/public/imported_attachments/1/common acl-2.png_thumb)
![common acl-3.png](/public/imported_attachments/1/common acl-3.png)
![common acl-3.png_thumb](/public/imported_attachments/1/common acl-3.png_thumb)
![Target Cat-1.png](/public/imported_attachments/1/Target Cat-1.png)
![Target Cat-1.png_thumb](/public/imported_attachments/1/Target Cat-1.png_thumb)
![Target Cat-2.png](/public/imported_attachments/1/Target Cat-2.png)
![Target Cat-2.png_thumb](/public/imported_attachments/1/Target Cat-2.png_thumb)

]]>https://forum.netgate.com/post/756191https://forum.netgate.com/post/756191Mon, 19 Mar 2018 16:32:08 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 14:27:57 GMT]]>You need to set rotation on your squid logs or they will fill up your drive eventually.  You also might want to edit the X-Forward headers to delete, disable VIA mode and suppress squid version.

Next, show screens for squidguard: Common ACL and Target Categories.

]]>https://forum.netgate.com/post/756157https://forum.netgate.com/post/756157Mon, 19 Mar 2018 14:27:57 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 14:19:41 GMT]]>Attached I have send the conf for Squid proxy and Squid Guard. I have used as BlackList http://www.shallalist.de/Downloads/shallalist.tar.gz

After every change I click the Apply button  :)

1.png
1.png_thumb
2.png
2.png_thumb
3.png
3.png_thumb
4.png
4.png_thumb
sg-1.png
sg-1.png_thumb
sg-2.png
sg-2.png_thumb

]]>https://forum.netgate.com/post/756152https://forum.netgate.com/post/756152Mon, 19 Mar 2018 14:19:41 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 13:27:54 GMT]]>Post screens of your config.  Remember that with squidguard, you must go back to the General settings tab and click Save then Apply for changes on any other tab to take effect.

By the way, there is a dedicated forum for squid & squidguard, the Cache/Proxy forum.

]]>https://forum.netgate.com/post/756140https://forum.netgate.com/post/756140Mon, 19 Mar 2018 13:27:54 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 10:40:57 GMT]]>We use opendns and want to pass to Pfsense but the problem now is that the whitelist is not working

Closing 80/443 doesn't shut down you internet connection. Just all connections with a destination using port 80 and 443. These are the two that web servers - and web browsers use .
mail, dns, frp, ssh, vpn, etc etc etc etc will still work.

I know that other services will still work I only want to restrict them using the websites that the company dont allow.

I have blocked traffic for ports TCP 80/443 and it all fine with blocking all webistes but the problem now is that the whiteliste dont work.
I have add a Whitelist at Target Categories and configured as Whitelist at Common ACL and all other categories DENY.
Default access is Allow.
Also at Squid Proxy Server > ACL I have configured some websites as Whitelist.
Can you help how to solve this issue?

]]>https://forum.netgate.com/post/756103https://forum.netgate.com/post/756103Mon, 19 Mar 2018 10:40:57 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 10:20:22 GMT]]>@albtech:

….  Can you help how to block all webistes and prevent users from searching from search engines?

All search engins ?
As stated, block all connections who have a destination with port 80 or 443 in it.
If not doing so, maintaining a "black" list will all  "search engines" is close to impossible.

@albtech:

Actually I dont have blocked ports 80/443. But if I do this the LAN side will still have access to internet right ?

Closing 80/443 doesn't shut down you internet connection. Just all connections with a destination using port 80 and 443. These are the two that web servers - and web browsers use .
mail, dns, frp, ssh, vpn, etc etc etc etc will still work.

edit : have a look at what OpenDNS can do for you.

]]>https://forum.netgate.com/post/756099https://forum.netgate.com/post/756099Mon, 19 Mar 2018 10:20:22 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Mon, 19 Mar 2018 09:56:14 GMT]]>I have blocked traffic for ports TCP 80/443 and it all fine with blocking all webistes but the problem now is that the whiteliste dont work.
I have add a Whitelist at Target Categories and configured as Whitelist at Common ACL and all other categories DENY.
Default access is Allow.
Also at Squid Proxy Server > ACL I have configured some websites as Whitelist.
Can you help how to solve this issue?

]]>https://forum.netgate.com/post/756095https://forum.netgate.com/post/756095Mon, 19 Mar 2018 09:56:14 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Fri, 16 Mar 2018 14:04:29 GMT]]>Actually I dont have blocked ports 80/443. But if I do this the LAN side will still have access to internet right ?

]]>https://forum.netgate.com/post/755759https://forum.netgate.com/post/755759Fri, 16 Mar 2018 14:04:29 GMT<![CDATA[Reply to I want to Block all websites and allow only some on Fri, 16 Mar 2018 13:34:45 GMT]]>What are you doing to force your users to use the proxy?  I assume you're blocking 80/443tcp on LAN?

]]>https://forum.netgate.com/post/755751https://forum.netgate.com/post/755751Fri, 16 Mar 2018 13:34:45 GMT