Is pfBlockerNG able to block all outbound traffic except whitelisted sites?



  • I would like to block all outbound traffic except for a few whitelisted destinations (e.g. Windows updates) for security reasons. Whitelisting must be on a domain-name basis, not on an IP-address basis, so I cannot use IP rules for that.
    Even though pfBlockerNG was not made for that purpose (but for blacklisting malware/adware sites), I suspect that it might be able to do what I need.

    So my questions:
    Is pfBlockerNG able to block all outbound traffic with the exception of a few whitelisted domain names?
    Will it be possible to install pfBlockerNG on a Netgate SG1100, or do I need a more powerful machine?



  • @RolandW Remember, a quick search would reveal the answer, since each week at least one person asked and received; also, the firewall already blocks all except what you allow...



  • Dear NollipfSense,

    Thanks for the answer!
    Unfortunately I was not able to find the answer to my questions even after performing an extended search; that's why I asked here.

    You write that the firewall blocks all except what I allow. By default, it's the other way round: outbound traffic is allowed unless denied. I know that I can change that easily by creating a rule in pfSense. The point is that whitelisting on the pfSense level is possible only for IP addresses. When whitelisting to allow Windows updates, for example, I have to whitelist domain names ("windowsupdate.microsoft.com") that are represented by hundreds of IP addresses. So whitelisting in pfSense itself is not helpful.

    That's why I thought I could perform whitelisting on the pfBlockerNG level, which has an option for whitelisting domain names.

    However, the question is, how pfSense and pfBlockerNG interact:

    1. does whitelisting in pfBlockerNG affect only those sites that are blocked in pfBlockerNG?

    or

    2. can I allow outbound traffic to sites by whitelisting them in pfBlockerNG, even if outbound traffic is generally denied on the pfSense level?

    or

    3. is it possible to deny all outbound traffic in pfBlockerNG and whitelist the domains needed?

    For an experienced user of pfSense and pfBlockerNG it might sound stupid what I'm asking; however, I was not able to find an answer to my question regarding the "interaction" of pfSense and pfBlockerNG. I would be very grateful if you could give me a hint by answering my three questions ;-)


  • LAYER 8 Moderator

    @RolandW said in Is pfBlockerNG able to block all outbound traffic except whitelisted sites?:

    does whitelisting in pfBlockerNG affect only those sites, that are blocked in pfBlockerNG?

    Actually, that depends on what whitelisting you are talking about, as pfBlocker has two things it can block: DNS Blacklists and IP Feeds/Lists. DNS Blacklisting interacts with Unbound (the default DNS Resolver), whereas IP Feeds can auto-create rules (or aliases to be used in rules).

    So it depends what exactly you are asking.



  • Dear JeGr,
    what I want to do is basically simple: block all outbound traffic except for a few whitelisted domains.

    It's probably not possible to block all traffic using DNS blacklists with wildcards, nor does it seem feasible to create IP feeds (which, as I understand, become aliases in pfSense rules) that block everything (1.1.1.1/0 ???), because they would probably be too long. Therefore, if whitelisting in pfBlockerNG is only meant for making exceptions to DNS blacklists, I probably cannot use pfBlockerNG for what I want to do.

    Have you got another idea what I could do?

    Roland

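The thread leaves open whether a "deny everything, allow a few domains" policy can be expressed at the DNS layer that pfBlockerNG's DNSBL drives. The following is an added example, not code from the thread or from pfBlockerNG: it renders an Unbound `server:` fragment that marks the root zone `always_nxdomain` and each allowed domain `transparent`, then emulates Unbound's most-specific-zone matching to show which queries would still resolve. The allowlist, the query names and the simplified matching model are constructed for illustration; that Unbound accepts `"."` as a local-zone and resolves a `transparent` sub-zone normally is assumed here, not stated in the thread.

```python
"""
Added example (not from the forum thread or pfBlockerNG): a DNS-level
default-deny allowlist for Unbound, plus an emulation of how Unbound
picks the most specific local-zone for a query name.

Assumptions (not stated in the thread):
  - `local-zone: "." always_nxdomain` is accepted for the root zone and a
    `transparent` sub-zone is resolved normally (longest-suffix match wins).
  - ALLOWED_DOMAINS below is a constructed sample, not a real policy.
"""

from typing import Dict, List, Tuple

# Constructed sample allowlist: these domains and their subdomains keep
# resolving; every other name gets NXDOMAIN from the resolver.
ALLOWED_DOMAINS = [
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are stable.
    The root zone normalizes to the empty string."""
    return name.strip().lower().rstrip(".")


def build_unbound_config(allowed: List[str]) -> str:
    """Render a server: fragment (e.g. for an Unbound custom-options include).

    Root -> always_nxdomain; each allowed domain -> transparent, so Unbound
    resolves that domain and anything below it normally.
    """
    lines = ["server:", '    local-zone: "." always_nxdomain']
    for dom in sorted({normalize(d) for d in allowed}):
        lines.append(f'    local-zone: "{dom}." transparent')
    return "\n".join(lines) + "\n"


def parse_local_zones(config: str) -> Dict[str, str]:
    """Pull local-zone statements back out of a config fragment."""
    zones: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("local-zone:"):
            continue
        _, zone, ztype = line.split(maxsplit=2)
        zones[normalize(zone.strip('"'))] = ztype
    return zones


def matching_zone(qname: str, zones: Dict[str, str]) -> Tuple[str, str]:
    """Emulate Unbound's longest-suffix match: the most specific zone wins.
    Returns (zone, type); falls back to the root entry (empty string)."""
    name = normalize(qname)
    labels = name.split(".") if name else []
    # Walk from the full name up to the root and stop at the first hit.
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    return "", zones.get("", "transparent")


def decide(qname: str, zones: Dict[str, str]) -> str:
    """'resolve' for allowed names, 'NXDOMAIN' for everything else."""
    _, ztype = matching_zone(qname, zones)
    return "resolve" if ztype == "transparent" else "NXDOMAIN"


def classify(queries: List[str], allowed: List[str]) -> Dict[str, str]:
    """Convenience wrapper: build the config, then classify each query."""
    zones = parse_local_zones(build_unbound_config(allowed))
    return {q: decide(q, zones) for q in queries}


if __name__ == "__main__":
    print(build_unbound_config(ALLOWED_DOMAINS))
    # Constructed query names, including a parent domain that is NOT allowed.
    sample = ["fe2.update.microsoft.com.", "microsoft.com",
              "evil.example.net", "WINDOWSUPDATE.MICROSOFT.COM"]
    for q, verdict in classify(sample, ALLOWED_DOMAINS).items():
        print(f"{q:32s} -> {verdict}")
```

Two caveats a practitioner would want alongside this. First, a DNS allowlist only constrains clients that actually use the firewall's resolver; a client with a hard-coded IP, its own resolver or DNS over HTTPS never asks Unbound, so the firewall still needs rules that force DNS to the local resolver. Second, an NXDOMAIN policy does not open a packet path: if outbound traffic is denied by a pfSense rule, as the original poster intends, resolving a name does nothing to let the connection through, which is the interaction the thread is asking about.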
