Blocking ALL Domains, Whitelist Only Some Domains
zoro_2009 last edited by zoro_2009
As the title says, I want to block the whole Internet, and only allow a list of the desired domains to be visited !
I've read every article about pfBlockerNG and played with it quite a while, and there seems to be no way it is capable of doing so!
Basically the same as this guy
Is there any way to accomplish what I want ?
yeah use proxy
If you mean by a proxy Squid, then I can't do that, as that will require installing certificates and such on clients' devices ...
I am looking for a solution using pfBlockerNG preferably
No it doesn't; you do not have to put certs on clients to allow https, you only need to do that if you're going to do MITM filtering of the https url. All clients' connects to an https url will be in the clear (CONNECT) and you can filter on the parent domain. I.e. you could block/allow https://www.domain.com; what you can not filter on with a proxy is https://www.domain.com/something
Since the proxy will never see /something unless you're doing MITM, and then your client would have to trust the cert your proxy hands it instead of the actual cert from www.domain.com
Pardon my ignorance, but how will SquidGuard (for example) know what site I am visiting if it is HTTPS ...
pfBlockerNG is no problem because it filters based on DNS !
Actually I've just tried SquidGuard, and indeed it doesn't see any HTTPS; it blocks HTTP but not HTTPS!
Did you enable filtering of HTTPS? Your client will do a CONNECT with the parent fqdn; this is in the clear. But you have to enable it in squid.
You need to set your browser to point to the proxy; you can not do transparent filtering this way, I do not believe, because the client will not send the CONNECT with the fqdn. But you can auto setup clients to use your proxy via wpad, etc.
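The two replies above (the one about CONNECT exposing only the parent domain, and the one about explicit versus transparent proxying) describe what an explicit HTTP proxy actually gets to see. The following is an added example, not code from the thread or from Squid/pfSense: a small Python model of the request lines a proxy receives and a domain allow-list applied to them. The allow-list entries and request lines are constructed for illustration; the matching rule copies Squid's `dstdomain` convention, where a leading dot matches the domain and all its subdomains, and a bare name matches exactly.

```python
"""Model of what an explicit proxy sees for HTTP vs HTTPS requests and how a
domain allow-list (whitelist) is applied to it.

Added example, not from the forum thread. ALLOWED and the sample request
lines are constructed; the matching rule mirrors Squid's `dstdomain` style
(".example.com" = domain plus subdomains, "allowed.org" = exact host only).
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: everything not matched here is denied.
ALLOWED: List[str] = [".example.com", "allowed.org"]


def parse_request_line(line: str) -> Tuple[str, str, Optional[str]]:
    """Return (method, host, path) for one proxy request line.

    For CONNECT (what a browser sends before an HTTPS tunnel) the proxy only
    sees host:port, so the path is returned as None: the URL path travels
    inside TLS and is never visible without MITM.
    """
    method, target, _version = line.strip().split(" ", 2)
    if method == "CONNECT":
        host, _sep, _port = target.partition(":")
        return method, host.lower(), None
    # Plain HTTP through an explicit proxy uses the absolute-form URL,
    # so host and path are both in the clear.
    url = urlsplit(target)
    return method, (url.hostname or "").lower(), url.path or "/"


def domain_allowed(host: str, allowed: List[str] = ALLOWED) -> bool:
    """dstdomain-style match: '.dom' matches dom and *.dom, 'dom' matches dom only."""
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(line: str) -> str:
    """Allow-list decision for a request line; path is ignored on purpose,
    because for HTTPS the proxy does not have it."""
    _method, host, _path = parse_request_line(line)
    return "allow" if domain_allowed(host) else "deny"


if __name__ == "__main__":
    # Constructed sample request lines as an explicit proxy would receive them.
    samples = [
        "CONNECT www.example.com:443 HTTP/1.1",      # allowed subdomain
        "CONNECT example.com:443 HTTP/1.1",          # allowed apex
        "CONNECT notexample.com:443 HTTP/1.1",       # suffix trick, denied
        "CONNECT sub.allowed.org:443 HTTP/1.1",      # exact-only entry, denied
        "GET http://www.example.com/some/page HTTP/1.1",  # HTTP: path visible
    ]
    for s in samples:
        method, host, path = parse_request_line(s)
        print(f"{decide(s):5}  {method:7} host={host:20} path={path}")
```

Running it shows the point made in the thread: for every CONNECT line the path column is `None`, so a whitelist on an explicit proxy can only be a whitelist of hosts. In transparent mode the browser never sends a CONNECT at all, which is why the host name is not available to the proxy there without TLS interception.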
I see ..
The problem is that there are a lot of clients in our network, so the only way to use Squid is to enable "transparent mode"; therefore BYOD and CONNECT is necessary!
By enabling SSL filtering, an error will be triggered in clients' browsers, right?
There could be 10 thousand clients, none of them under your control - you just hand out the proxy to use via auto discovery.
Clients that have auto discovery turned off don't work (wouldn't get out). Or run a transparent proxy that gives them a page that says you have to use an explicit proxy or leverage auto discovery.
If you're wanting to whitelist only XYZ, not sure how this would be a problem. The error some browser got trying to go to some https site that you blocked would be dependent on what you served up as your standard block page.