Netgate Discussion Forum

    Prevent proxy / DNS filter bypass - whitelist domains

    General pfSense Questions
      Salamander

      Hi,

      I need to limit the access of some PCs to the internet in a way that they can only access certain websites. (I think) I can't do it based on IP address since they change rather often and I'd need to whitelist probably half the cloud, making the setup rather pointless. With squid I can limit access but afaik you can still bypass the proxy by connecting directly to an IP. The same is true for DNS filters.
      My current setup is a pfSense router running squid and doing DNS over TLS.
      Is there any way to prevent bypassing the filter? Or can pf adjust the rules so that during a DNS lookup muh.cloud.com resolves to e.g. 6.6.6.6 which then gets automatically allowed?

        stephenw10 Netgate Administrator

        If you are forcing all traffic through Squid/Squidguard you can block IPs in the request directly. There is an option for that.

        Steve

          Salamander

          Found it, thx.
          I have a similar problem still. When I go to a website, the site itself might fetch scripts etc. from other domains which would need to be whitelisted, too. Doing that manually is a hassle, in particular when the external resources are fetched through muh.cloudfront.net while the other day it is meh.cloudfront.net. Can squid whitelist a whole website?

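An added example, not part of the thread or of any poster's configuration: a plain squid.conf fragment combining the two ideas discussed above, denying requests addressed to a literal IP and allowing whole domains by suffix. The subnet, the ACL names and example.org are constructed, and it assumes direct outbound traffic from these PCs is already blocked at the firewall so that the proxy is the only way out.

```conf
# Added example; ACL names, subnet and example.org are constructed.

# The PCs that may only reach allowlisted sites (constructed subnet).
acl restricted_pcs src 192.168.10.0/24

# Allowlist by domain suffix. A leading dot matches the domain itself
# and every subdomain, so muh.cloudfront.net and meh.cloudfront.net
# are both covered by the single ".cloudfront.net" entry.
acl allowed_sites dstdomain .example.org .cloudfront.net

# Requests whose host part is a literal IPv4 address rather than a name,
# with or without a port (CONNECT requests carry host:port).
acl raw_ip_host dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$

# Order matters: http_access rules are evaluated top to bottom and the
# first match wins.
#
# 1. Deny literal-IP requests first. For an IP-based URL, dstdomain
#    falls back to a reverse DNS lookup, so without this rule an address
#    whose PTR record sits under an allowed suffix could match the
#    allowlist.
http_access deny restricted_pcs raw_ip_host

# 2. Allow requests to allowlisted domains.
http_access allow restricted_pcs allowed_sites

# 3. Deny everything else from these PCs.
http_access deny restricted_pcs
```

Allowing `.cloudfront.net` admits every site served from that CDN, not only the resources of the site you intended, so a suffix entry for a shared CDN widens the allowlist considerably.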
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.