How to block undesired websites using pfSense??
-
Hello,
I'm a newbie in pfSense... I would like to block some URLs like Facebook using pfSense firewall. So i created an IP Table alias of Facebook autonomous system (using WHOIS utility and the CRON package to automat the update process).
But, after creating the rule that would block access to that website, it is still available from user IP address which has access rule under the block rule.
I don't know how i would debug this and make it work correctlry.
Thank you. -
@lotfidz Hi, pfblockerNG with DNSBL and Easylist could be a way to get rid of ennoying commercials and you can take a look and read about squid. A Site of the complexity of facebook you cannot block only by firewall rules.
-
@fireodo hello, thank you for your help.
As i read, in order to user DNSBL functions, i need to set all concerned computers DNS settings point to pfSense machine, is that right?
If yes, i cannot do that, because i have Active Directory DNS that users need to point to my DCs.
If not like that, could you please give more explanations?
Thanks in advance. -
@lotfidz If the pfsense is not the "master" in your network its difficult to filter these kind of things with DNSBL as your clients are bypassing the DNSBL. In this case I dont know if the pfsense is the right approach ...
-
There is a relatively simple solution. Let your LAN clients continue to point to the Active Directory DNS servers, but set up your AD DNS boxes to "forward" external domain requests to Unbound on your pfSense box. Unbound will use the DNSBL and other tools. You can easily configure your AD DNS servers to forward DNS requests for domains they are not authoritative for to another DNS server (in this case, that would be your pfSense box).
-
@bmeeks hello and thank you for your reply.
But by using pfSense as a DNS Forwarder, to use DNSBL, the setting would be applied for every user, am i right?
Or maybe there's options to create excluded lists of ip addresses (people that can bypass DNSBL even if the block rules are set).
Thank you for your help.
Regards -
See this thread:
https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips -
Hello,
I believe that it's now blocked using SQUIDGARD, and creating a new URL Category named BLOCKED_SITES (that contains facebook.com twitter.com). Then in COMMON ACLs, i added a rule that applies BLOCKED_SITES (Target Rules now becomes !BLOCKED_SITES all).
I'd ask now, how can i authorize a group of hosts, to access those blocked sites.
Thank you for precious help. -
You have to define groups and then use group ACLs. Create a group that can access any site and then simply don't apply those blocks target categories to it.
https://www.netgate.com/docs/pfsense/book/packages/a-brief-introduction-to-web-proxying-and-reporting-squid-squidguard-and-lightsquid.html?#access-lists-aclsSteve
