allowing only some websites
-
This sounds easy but it turns out not to be. (TeamViewer was easy.)
My goal is to allow:
Soundly, getsoundly.com (runs on Google infrastructure)
Spotify
Slack
Dropbox
and Mac updates. An example: if I add www.getsoundly.com as an alias it takes like 5 min to load the site.
I have looked at the list https://gist.github.com/n0531m/f3714f6ad6ef738a3b0a
with Google IPs, but it's huge and I am afraid of adding /16 nets as aliases. Is there any good way of doing this?
-
@c00kie55 It is not recommended to use an alias to resolve any website that has a large selection of IP addresses and will appear to randomly resolve to a list of IPs. See this link.
With that said, trying to resolve websites to their IPs and then blocking them is an uphill battle. As your link shows, the pool of IP addresses changes frequently. And what pfSense resolves in an alias now may not be the IP address resolved by DNS and handed to devices on the LAN to use 5 minutes from now.
Likely your best bet is to only allow DNS queries for getsoundly.com, spotify.com, dropbox.com, etc. to be resolved. To do this pfSense would need to become the DNS resolver for your LAN networks. But I am not 100% sure how to set up the DNS Server (DNSMasq) or DNS Resolver (Unbound) to only resolve the FQDNs shown above. It will require some Googling to learn if it is possible.
-
@hieroglyph I am using the DNS Resolver on all / all now.
I would love to have it resolve only the FQDNs but don't really know what to search for. On the LAN2 interface:
I have a DNS port 53 allow any rule and the website aliases as allow any,
then a deny any for the IP of a test host. That should be enough, right?
-
@c00kie55 You will want to search for how to make the DNS Resolver (Unbound) only resolve specific FQDNs and not resolve anything else.
If you want the DNS Resolver built into pfSense to handle only allowing websites you have specified, then pfSense will also need to redirect all traffic destined for an external address on port 53 back to itself to handle the DNS request. As I mentioned above, yes, theoretically making a firewall rule to allow traffic destined for specific IP addresses, followed by a firewall rule denying traffic destined for all other IP addresses, will work. BUT, when an alias is resolved it has limitations on how many IP addresses it will store. Not to mention that getsoundly.com, for example, will not always resolve to the same IP addresses.
Using the DNS Resolver to only resolve specific FQDNs is the more consistent way to do this. But it can also be easily bypassed if an IP address of a not-allowed website is typed directly into the web browser. This method would only require an allow-all firewall rule for external traffic.
If this alias method is something that must be done, then do not put getsoundly.com into the alias. Instead put all of the IP addresses getsoundly.com resolves to in the alias. Then periodically manually resolving getsoundly.com will show which new IPs should be added to the alias. Depending on the FQDN this could be a couple of IPs or thousands of IPs.
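The "resolve only specific FQDNs" approach described in the reply above, written out as an added example (not posted by anyone in this thread) in Unbound's own syntax; it assumes the lines go into the pfSense DNS Resolver custom options box, that every subdomain of the listed zones should be allowed, and that the LAN's own domain is `localdomain`:

```conf
server:
    # Any name not covered by a more specific local-zone below gets
    # NXDOMAIN straight from Unbound and is never sent upstream.
    local-zone: "." always_nxdomain

    # Allowed zones from the thread. "transparent" means names at or
    # under these zones are resolved normally; Unbound applies the most
    # specific matching local-zone, so these override the "." entry.
    local-zone: "getsoundly.com." transparent
    local-zone: "spotify.com." transparent
    local-zone: "slack.com." transparent
    local-zone: "dropbox.com." transparent

    # Keep pfSense's own host/DHCP entries working (assumed domain).
    local-zone: "localdomain." transparent

    # Mac updates: the thread does not name Apple's update hostnames,
    # so this is a placeholder to replace with the real ones.
    # local-zone: "APPLE-UPDATE-HOST-PLACEHOLDER." transparent
```

Anything the allowed sites load from other domains (CDNs, Google APIs, Spotify's media hosts) fails until those zones are added too, so watch the resolver log for NXDOMAIN answers while testing. The port 53 redirect to the firewall mentioned in the reply is still required, and clients using encrypted DNS (DNS over HTTPS) are not covered by this at all.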
-
@hieroglyph Soundly seems to be working for now with an alias.
I have pretty much given up on Spotify; it connects (slowly) but only some tracks can play and not all cover art is updated. Also, what's the point of allowing all Google IPs? As more web services start to live behind things like Google Cloud, Amazon and the like, a better way of doing this is needed.
-
@c00kie55 If you want this much control you may want to look into Squid on pfSense. Another option is the Untangle firewall and their filtering apps. As with all things there are pros and cons to Untangle, just as there are pros and cons to pfSense.
-
@hieroglyph So can Squid do this: LAN01 is normal, LAN02 deny all, allow some domains with multiple IPs, and also do this without making everything else slow?
I like pfSense and it's only 1 network I need to make more secure.
-
@c00kie55 I do not use Squid, nor am I familiar enough with Squid to give you a definite answer. But a quick Google search for
allow only specific websites with squid
seems to indicate it is possible.