Blocking everything except...
-
I got a tip that pfBlockerNG was the right tool for this, so I come here to ask about a specific situation I have with a client.
They need to block everything except a few domains.
So they basically would like to have some whitelisted domains, and the problem of course is that some of these may use a CDN or otherwise use multiple IP addresses.
What is the best way of getting this done? Rules, setups etc.
This block has to happen for all traffic from a specific VLAN. Other VLANs should not be affected.
I know there is no perfect solution. But this is surprisingly often a question that comes up.
In this case, it is a place for editing film and TV. Their editing systems should not have access to internet at all, except for a few sites they need to update software and access user manuals.
-
This is such a common question that had you searched the forum you would have found multiple answers. In your case, all you need to do to block all traffic to that specific VLAN is a firewall block rule. I would even go further by creating an alias of that VLAN, then use two floating firewall rules with the quick set enabled, then set direction to in for the first as well as direction out for the second...you won't need to whitelist in pfBlockerNG.
-
@NollipfSense Thank you very much.
How would you go about opening those domains that they need access to?
-
@Oceanwatcher If you are using the pfBlockerNG-devel package, you can whitelist the domains that you do not want blocked.
-
@Oceanwatcher said in Blocking everything except...:
@NollipfSense Thank you very much.
How would you go about opening those domains that they need access to?
So, are you saying that the VLAN needs to have access to a few sites? If so, what I described above wouldn't work as it blocks all. However, as jdeloach said, you can add those sites to whitelist.
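The two pieces of advice above (a block-all rule for the VLAN, plus a whitelist of the few domains) meet exactly at the CDN problem the question raises: a firewall rule matches addresses, not names, so the whitelist has to be turned into the full set of addresses those names currently resolve to. The script below is an added example, not from this thread, from pfSense or from pfBlockerNG. It resolves a constructed domain list, merges every answer into one de-duplicated set, and renders the pf table and rules that implement deny-all-except for the VLAN. The interface name `igb0.30`, the table name `edit_allow`, and the `example.com` names are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Constructed whitelist for the editing VLAN (placeholder names, not from the thread).
ALLOWED_DOMAINS = ["updates.example.com", "manuals.example.com"]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> List[str]:
    """Return every IPv4/IPv6 address the firewall's own resolver has for name."""
    found = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(name, None):
        found.add(sockaddr[0])
    return sorted(found)


def build_allowlist(domains: Iterable[str], resolver: Resolver = system_resolver) -> List[str]:
    """Resolve each whitelisted name and merge all answers into one de-duplicated list.

    A CDN-hosted name may answer with several addresses, and different names
    may share an address, so the union of all answers is what goes into the table.
    """
    addrs = set()
    for name in domains:
        for text in resolver(name):
            addrs.add(ipaddress.ip_address(text))  # raises ValueError on a non-address
    # IPv4Address and IPv6Address objects do not compare with each other; sort by family first.
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, a))]


def render_ruleset(vlan_if: str, allowed: List[str], table: str = "edit_allow") -> str:
    """Render a pf fragment: default-deny for the VLAN, with DNS to the firewall and
    HTTP/HTTPS to the resolved addresses passed first.  With 'quick' the first match
    wins, so the pass rules must come before the block rule, as they do here.
    """
    lines = [
        f'edit_if = "{vlan_if}"',  # assumed VLAN interface name
        f"table <{table}> persist {{ {' '.join(allowed)} }}",
        # Clients must use this firewall for DNS so the names resolve to the same
        # addresses that populated the table.
        "pass in quick on $edit_if proto { tcp udp } from $edit_if:network to ($edit_if) port 53",
        f"pass in quick on $edit_if proto tcp from $edit_if:network to <{table}> port {{ 80 443 }}",
        "block in quick on $edit_if from $edit_if:network to any",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed DNS answers standing in for live resolution so the script runs offline.
    fake_dns = {
        "updates.example.com": ["203.0.113.10", "203.0.113.11"],
        "manuals.example.com": ["198.51.100.5", "203.0.113.10"],
    }
    print(render_ruleset("igb0.30", build_allowlist(ALLOWED_DOMAINS, fake_dns.__getitem__)))
```

In pfSense terms the table is what an alias of FQDNs becomes after the firewall resolves it, and the two pass rules sit above the block rule on the VLAN interface. The list only stays valid for as long as the resolved addresses do, and CDN names change answers frequently, so it has to be rebuilt on a schedule and the clients on that VLAN must be pointed at the firewall's resolver rather than an external one, or their answers will drift away from the table.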
-
@NollipfSense And that is exactly why your first answer did not make any sense at all. It is a good practice to read the whole post before answering.
You even went so far as to voice your opinion in a different sub-forum here based on your completely wrong understanding of the subject.
I appreciate the willingness to answer, though!
-
@jdeloach Sounds exactly what is needed! Thank you!