How to restrict custom websites with PfBlockerNG-Devel?



  • Hi All,

    I would like to restrict a few custom websites like gmail, yahoomail, dropbox, rediffmail, hotmail, etc. in our network with pfBlockerNG-Devel.

    Similarly, I need to restrict job portal sites as well, and some WebTV websites.

    How can I achieve this with the pfBlockerNG-Devel package?

    Thanks,
    Ram.



  • Hi All,

    I tried to add a file at /var/db/pfblockerng/bl.txt.

    I have added a few website names there and added this file to the DNSBL feeds under Source Definitions. When I ran the feed update, it initially took all 5 entries which I had added. Those sites were blocked.

    But later I added a few more sites to the same file and tried to update. But the recently added websites are not updating; the count is still showing 5 only.

    How do these latest entries get updated on the DNSBL feed?

    Thanks,
    Ram.


  • Moderator

    When you add a URL or a local file, it will update that file as per the Update settings. So if you want to re-download that feed, go to the Log Browser tab, DNSBL, and hit the delete icon, followed by a Force Update.

    You can also use the Custom List at the bottom of any DNSBL Group and add domains there, followed by a Force Update.



  • @bbcan177 Thanks for the quick reply. I have changed the update frequency to every hour and the records got updated.
    When I try to open a website which is in the list, some show "Page Blocked via DNSBL", whereas some show "Insecure Connection".
    Especially it is with the gmail, hotmail, dropbox websites. Can we consider them as blocked or not? When I ping those websites I get 10.10.10.1 as a response.

    Thanks,
    Ram.


  • Moderator

    @rkadmin said in How to restrict custom websites with PfBlockerNG-Devel?:

    When I try to open a website which is in the list, some show "Page Blocked via DNSBL", whereas some show "Insecure Connection".
    Especially it is with the gmail, hotmail, dropbox websites. Can we consider them as blocked or not? When I ping those websites I get 10.10.10.1 as a response.

    Some sites will not load the DNSBL certificate, as it doesn't match the requested domain. So the browser is doing what it should and not loading the DNSBL blocked page. To fix that would require a MITM approach, which DNSBL does not technically do...

    So if you want to avoid the certificate errors, you could create a new DNSBL Group and add the domains to the Custom List at the bottom. Then disable logging, and set the Order to primary. Then follow that with a Force Reload.... This will NXDOMAIN those domains, and there will be no errors and no logging of these blocked events.
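    As an added illustration (not code from this thread or from the pfBlockerNG package): a small Python check run from a client behind pfSense that resolves each domain and reports whether it is sinkholed to the DNSBL virtual IP (block page, so HTTPS sites show a certificate error), answered with NXDOMAIN (the silent mode the moderator describes), or resolved normally. The VIP 10.10.10.1 is the one seen in the thread; the sample domain list is constructed.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# DNSBL virtual IP from the thread's ping test; adjust to your pfBlockerNG VIP.
DNSBL_VIP = "10.10.10.1"


def classify(domain: str, addresses: Optional[Iterable[str]], vip: str = DNSBL_VIP) -> str:
    """Classify a resolver answer for one domain.

    addresses is None when the lookup failed (NXDOMAIN or similar),
    otherwise the A records the resolver returned.
    """
    if addresses is None:
        return "blocked-nxdomain"   # silent block: no block page, no cert error
    addrs = set(addresses)
    if addrs == {vip}:
        return "blocked-vip"        # DNSBL block page; HTTPS shows a cert mismatch
    if vip in addrs:
        return "mixed"              # unexpected: VIP alongside real answers
    return "allowed"                # not on any DNSBL list


def resolve(domain: str) -> Optional[List[str]]:
    """A records via the system resolver; None when resolution fails."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        # NXDOMAIN (and SERVFAIL / no network) both surface as gaierror here.
        return None
    return sorted({info[4][0] for info in infos})


def check_domains(domains: Iterable[str],
                  resolver: Callable[[str], Optional[List[str]]] = resolve,
                  vip: str = DNSBL_VIP) -> Dict[str, str]:
    """Map each domain to its DNSBL verdict; resolver is injectable for testing."""
    return {d: classify(d, resolver(d), vip) for d in domains}


if __name__ == "__main__":
    # Constructed sample list mirroring the thread (mail and file-sharing sites).
    sample = ["gmail.com", "hotmail.com", "dropbox.com", "example.com"]
    for name, verdict in check_domains(sample).items():
        print(f"{name:20s} {verdict}")
```

    A "blocked-vip" verdict on an HTTPS-only site is the "Insecure Connection" case: the domain is blocked, the browser just refuses the block page's certificate.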



  • @bbcan177 to be clear,

    "So if you want to avoid the Certificate errors, you could create a new DNSBL Group and add the domains to the custom list at the bottom"

    You're referring to the domains people are visiting that are generating the tagged ads, not the ads etc. lists, right? Because I used the wizard and took all the default settings, and no matter what site my users go to it generates the certificate error. The site is still reachable, but boy do I hear the bitching about all the cert errors, and I've been trying to stop that. Thx in advance for any input and keep up the great work. Excellent package for pfSense!!


  • Moderator

    @jmiller said in How to restrict custom websites with PfBlockerNG-Devel?:

    You're referring to the domains people are visiting that are generating the tagged ads, not the ads etc. lists, right? Because I used the wizard and took all the default settings, and no matter what site my users go to it generates the certificate error. The site is still reachable, but boy do I hear the bitching about all the cert errors, and I've been trying to stop that. Thx in advance for any input and keep up the great work. Excellent package for pfSense!!

    It's usually some Google domains... but probably just a handful of them at the moment... and yes, the domains.