Netgate Discussion Forum
    How to block undesired websites using pfSense??

    General pfSense Questions
    9 Posts 5 Posters 1.1k Views
    LotfiDZ

      Hello,
      I'm a newbie in pfSense... I would like to block some URLs like Facebook using the pfSense firewall. So I created an IP table alias of Facebook's autonomous system (using the WHOIS utility and the Cron package to automate the update process).
      But after creating the rule that would block access to that website, it is still available from a user IP address which has an access rule below the block rule.
      I don't know how I would debug this and make it work correctly.
      Thank you.

      fireodo @LotfiDZ

        @lotfidz Hi, pfBlockerNG with DNSBL and EasyList could be a way to get rid of annoying commercials, and you can take a look at and read about Squid. A site of the complexity of Facebook you cannot block by firewall rules alone.

        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
        pfsense 2.8.0 CE
        Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

        LotfiDZ

          @fireodo hello, thank you for your help.
          As I read, in order to use DNSBL functions, I need to set all concerned computers' DNS settings to point to the pfSense machine, is that right?
          If yes, I cannot do that, because I have Active Directory DNS and users need to point to my DCs.
          If not, could you please give more explanations?
          Thanks in advance.

          fireodo @LotfiDZ

            @lotfidz If the pfSense is not the "master" in your network it's difficult to filter these kinds of things with DNSBL, as your clients are bypassing the DNSBL. In this case I don't know if the pfSense is the right approach ...


            bmeeks

              There is a relatively simple solution. Let your LAN clients continue to point to the Active Directory DNS servers, but set up your AD DNS boxes to "forward" external domain requests to Unbound on your pfSense box. Unbound will use the DNSBL and other tools. You can easily configure your AD DNS servers to forward DNS requests for domains they are not authoritative for to another DNS server (in this case, that would be your pfSense box).

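              The forwarder setup bmeeks describes, as an added example that is not part of any post in this thread: point each domain controller's DNS forwarders at the pfSense Unbound resolver, then query a DNSBL-listed name through the DC to confirm the answer comes from DNSBL. The pfSense address (192.168.1.1), DC names (DC01, DC02) and the test domain are assumed placeholder values; the script uses the Windows DnsServer module and DnsClient cmdlets and must run in an elevated session on a DC or a workstation with the RSAT DNS tools.

```powershell
# Added example (not from the thread): forward external lookups from AD DNS to
# pfSense Unbound so pfBlockerNG DNSBL applies to every client that uses AD DNS.
# Assumed values: pfSense LAN address 192.168.1.1, DCs DC01/DC02, facebook.com
# present in a DNSBL feed. Requires the DnsServer RSAT module and admin rights.

$PfSenseDns        = '192.168.1.1'
$DomainControllers = 'DC01', 'DC02'

foreach ($dc in $DomainControllers) {
    # Replace the whole forwarder list with pfSense only. Leaving an ISP or
    # public resolver in the list would let lookups skip DNSBL whenever that
    # entry is tried. Root hints are disabled so the DC never resolves
    # externally on its own if pfSense is down (fail closed, not open).
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $PfSenseDns -UseRootHint $false

    # Show the resulting forwarder configuration for the change record.
    Get-DnsServerForwarder -ComputerName $dc |
        Select-Object @{ n = 'DC'; e = { $dc } }, IPAddress, UseRootHint, Timeout
}

# Check: a client-style A query against each DC for a DNSBL-listed domain
# should return the DNSBL virtual IP configured in pfBlockerNG (10.10.10.1 by
# default), not the real address. -DnsOnly skips the local hosts file and
# LLMNR/NetBIOS so the answer really comes from the DC.
foreach ($dc in $DomainControllers) {
    Resolve-DnsName -Name 'facebook.com' -Type A -Server $dc -DnsOnly |
        Where-Object QueryType -eq 'A' |
        Select-Object @{ n = 'DC'; e = { $dc } }, Name, IPAddress
}
```

              Two things to verify alongside this: Unbound's access list on pfSense must permit queries from the DC addresses (the default LAN access list covers this when the DCs sit on a directly connected network), and clients that are configured with some other resolver, or that use DNS over HTTPS, never hit the DCs at all, so the DNSBL only holds if a LAN firewall rule drops outbound TCP/UDP 53 from everything except the DCs.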
                LotfiDZ

                @bmeeks hello and thank you for your reply.
                But by using pfSense as a DNS forwarder to use DNSBL, the setting would be applied for every user, am I right?
                Or maybe there are options to create exclusion lists of IP addresses (people that can bypass DNSBL even if the block rules are set).
                Thank you for your help.
                Regards

                  BBcan177 Moderator

                  See this thread:
                  https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    LotfiDZ

                    Hello,
                    I believe that it's now blocked using SquidGuard, by creating a new URL category named BLOCKED_SITES (that contains facebook.com twitter.com). Then in Common ACLs, I added a rule that applies BLOCKED_SITES (Target Rules now becomes !BLOCKED_SITES all).
                    I'd ask now: how can I authorize a group of hosts to access those blocked sites?
                    Thank you for precious help.

                      stephenw10 Netgate Administrator

                      You have to define groups and then use group ACLs. Create a group that can access any site and then simply don't apply those block target categories to it.
                      https://www.netgate.com/docs/pfsense/book/packages/a-brief-introduction-to-web-proxying-and-reporting-squid-squidguard-and-lightsquid.html?#access-lists-acls

                      Steve

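                      The group ACL that Steve describes, written out as the squidGuard.conf it corresponds to. This is an added example, not the file the pfSense squidGuard package generates, and the values are assumed: LAN hosts 192.168.1.10 and 192.168.1.20 form the group that may reach the blocked sites, the category name and domains are the ones LotfiDZ mentions, and the redirect URL is a placeholder.

```conf
# Added example of the squidGuard ACL semantics behind the pfSense GUI
# (Target Categories and Group ACLs). Assumed paths, hosts and redirect URL.
dbhome /var/db/squidGuard
logdir /var/squidGuard/log

# Target category: one domain per line in the domains file
# (facebook.com, twitter.com). The pfSense GUI writes this from the
# "Target categories" page; run "squidGuard -C all" after editing by hand.
dest BLOCKED_SITES {
    domainlist BLOCKED_SITES/domains
    log BLOCKED_SITES.log
}

# Source group: the hosts that are allowed to reach the blocked sites.
# Individual addresses, ranges and CIDR blocks are all accepted here.
src social_allowed {
    ip 192.168.1.10 192.168.1.20
}

acl {
    # src blocks are evaluated in order and the first one matching the
    # client wins, so the group must come before "default".
    social_allowed {
        # No !BLOCKED_SITES term: this group is never checked against the category.
        pass all
    }

    # Everything else: deny the category, allow the rest (the Common ACL).
    default {
        pass !BLOCKED_SITES all
        redirect http://proxy.example.net/blocked.html
    }
}
```

                      In the GUI this is a Group ACL whose Client (source) field lists the hosts and whose Target Rules leave BLOCKED_SITES on allow (or unset) while the Common ACL keeps it on deny. Two caveats that apply regardless of how the file is produced: squidGuard only filters traffic that actually passes through Squid, so with an explicit (non-transparent) proxy a LAN rule should drop direct outbound 80/443 from everything except the firewall, or users can remove the proxy setting and walk around the block; and a host that is later moved into the group by IP keeps that privilege until its address changes, so the group is only as trustworthy as the DHCP reservations or static addressing behind it.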
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.