Netgate Discussion Forum

    Blocking ALL Domains, Whitelist Only Some Domains

    Firewalling
    9 Posts 2 Posters 503 Views
    zoro_2009:

      Hello,

      As the title says, I want to block the whole Internet and only allow a list of the desired domains to be visited!
      I've read every article about pfBlockerNG and played with it for quite a while, and there seems to be no way it is capable of doing so!

      Basically the same as this guy

      Is there any way to accomplish what I want?

      Thanks!

      johnpoz (LAYER 8 Global Moderator):

        Yeah, use a proxy.

        zoro_2009:

          If you mean Squid by a proxy, then I can't do that, as that will require installing certificates and such on clients' devices...
          I am looking for a solution using pfBlockerNG, preferably.

          johnpoz (LAYER 8 Global Moderator):

            No, it doesn't. You do not have to put certs on clients to allow HTTPS; you only need to do that if you're going to do MITM filtering of the HTTPS URL. All client connects to an HTTPS URL will be in the clear (CONNECT), and you can filter on the parent domain. I.e. you could block/allow https://www.domain.com; what you cannot filter on with a proxy is https://www.domain.com/something

            Since the proxy will never see /something unless you're doing MITM, and then your client would have to trust the cert your proxy hands it instead of the actual cert from www.domain.com.

            zoro_2009:
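The distinction johnpoz draws above, as an added example that is not part of the thread and is not Squid's code: a small model of what an explicit (non-transparent) proxy can read from each request line, and a whitelist-only decision using Squid's dstdomain-style matching (a leading dot matches the domain and all its subdomains; no dot means an exact name). The host names, whitelist entries and request lines are constructed; `parse_request_line`, `dstdomain_match` and `allowed` are names chosen for this example.

```python
from urllib.parse import urlsplit

# Constructed whitelist, in Squid dstdomain style: ".domain.com" covers domain.com
# and every subdomain, "exact.example" only that one host.
WHITELIST = [".domain.com", "exact.example"]

# Constructed request lines as an explicit proxy would receive them from a browser.
SAMPLE_REQUESTS = [
    "CONNECT www.domain.com:443 HTTP/1.1",          # HTTPS: host:port only, no path
    "GET http://www.domain.com/something HTTP/1.1",  # plain HTTP: full URL visible
    "CONNECT www.other.com:443 HTTP/1.1",
    "CONNECT exact.example:443 HTTP/1.1",
    "CONNECT sub.exact.example:443 HTTP/1.1",
]


def parse_request_line(line: str) -> dict:
    """Return what the proxy can see: method, host, port and (for HTTP only) path.

    For CONNECT the client sends only "host:port" in the clear, so the path is
    None: nothing after the host name is visible unless the proxy does MITM.
    For plain HTTP the absolute URL, path included, is visible.
    (IPv6 literal targets are not handled in this illustration.)
    """
    method, target, _version = line.strip().split(" ", 2)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host.lower(), "port": int(port), "path": None}
    u = urlsplit(target)
    return {"method": method, "host": (u.hostname or "").lower(),
            "port": u.port or 80, "path": u.path or "/"}


def dstdomain_match(host: str, entry: str) -> bool:
    """Squid dstdomain semantics for one ACL entry."""
    if entry.startswith("."):
        # ".domain.com" matches "domain.com" itself and any "x.domain.com",
        # but not "evil-domain.com" (the dot is part of the suffix test).
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def allowed(line: str, whitelist=WHITELIST) -> bool:
    """Whitelist-only policy: allow if the visible host matches any entry."""
    req = parse_request_line(line)
    return any(dstdomain_match(req["host"], e) for e in whitelist)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        info = parse_request_line(req)
        verdict = "allow" if allowed(req) else "deny"
        print(f"{verdict:5} {info['method']:7} host={info['host']} path={info['path']}")
```

Running it shows the point of the post: for the two `www.domain.com` requests the proxy decides on the host name alone, and for the CONNECT the path field is empty, so a whitelist can only ever be per domain, never per HTTPS path, without MITM.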

              Pardon my ignorance, but how will SquidGuard (for example) know what site I am visiting if it is HTTPS...
              pfBlockerNG is no problem because it filters based on DNS!

              Actually, I've just tried SquidGuard, and indeed it doesn't see any HTTPS; it blocks HTTP but not HTTPS!

              johnpoz (LAYER 8 Global Moderator):

                Did you enable filtering of HTTPS... Your client will do a CONNECT with the parent FQDN; this is in the clear. But you have to enable it in Squid.

                You need to set your browser to point to the proxy. You cannot do transparent filtering this way, I do not believe, because the client will not send the CONNECT with the FQDN. But you can auto-setup clients to use your proxy via WPAD, etc.

                zoro_2009:

                  I see...
                  The problem is that there are a lot of clients in our network, so the only way to use Squid is to enable "transparent mode"; therefore BYOD and CONNECT are necessary!

                  By enabling SSL filtering, an error will be triggered in clients' browsers, right?

                  johnpoz (LAYER 8 Global Moderator):

                    There could be 10 thousand clients, none of them under your control; you just hand out the proxy to use via auto discovery.

                    Clients that have auto discovery turned off don't work (wouldn't get out)... Or run a transparent proxy that gives them a page that says you have to use the explicit proxy or leverage auto discovery.

                    If you're wanting to whitelist only XYZ, not sure how this would be a problem... The error some browser got trying to go to some HTTPS site that you blocked would be dependent on what you served up as your standard block page.

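The whitelist-only explicit-proxy policy the thread converges on, written out as an added squid.conf fragment. It is not from the thread and not the configuration the pfSense Squid package generates; the whitelist file path and the sample host names in it are assumptions, and the fragment is meant to be merged into an otherwise standard Squid configuration.

```conf
# Added example (not the forum's or the pfSense package's configuration).
# Whitelist file (assumed path): one Squid dstdomain entry per line, e.g.
#   .domain.com        -> domain.com and every subdomain
#   exact.example      -> only that host name
acl whitelist dstdomain "/usr/local/etc/squid/whitelist.txt"

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Usual hygiene: tunnels only to 443, requests only to 80/443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Whitelist-only. The one dstdomain ACL covers both cases the thread
# discusses: the host in a plain-HTTP absolute URL, and the host:port the
# browser sends in a CONNECT for HTTPS. The parent FQDN is in the clear in
# both, so no MITM and no client certificates are needed for this policy.
http_access allow whitelist

# Everything else, HTTP or HTTPS, is denied.
http_access deny all
```

Because this relies on the browser sending the request to the proxy explicitly (via WPAD/PAC or a configured proxy setting), as johnpoz says, a client that bypasses the proxy is not filtered by these rules at all; a firewall rule that only lets the proxy itself reach TCP 80/443 on the WAN is what makes the whitelist enforceable. A denied request gets Squid's default access-denied error page unless `deny_info` points it at a page of your own.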
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.