Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block inbound requests to specific pages

    Firewalling
    5
    12
    2.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan @Translating-IT
      last edited by

      @translating-it

      What about : use a firewall ?

      On the LAN interface : trusted users that can access whatever they want.
      Second LAN2 : a second pass all rule, and a first "block all port "22 80 443" TCP that has a destination of tyhe LAN2 IP, the one pfSense is using. These users can't access pfSense anymore.

      Or, with just one LAN, but block access to pfSense except if the device is your device == your IP.

      I don,'t understand what you managed to do with "pfBlockerNG-devel (pfBlockerNG is far to old).
      snort might help, if the payload is in clear, or non-https. These days are nearly over, and https means : snort can't see the payload anymore, that is : a request for a page.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      johnpozJ T 2 Replies Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Gertjan
        last edited by

        @gertjan said in Block inbound requests to specific pages:

        snort can't see the payload anymore, that is : a request for a page.

        It can if you do it on the lan side and use haproxy to do the ssl offoad.. So to pfsense wan you don't see anything because https, but anything actually going to the server would be in the clear.

        And could be filtered by an IPS.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • T
          Translating-IT @Gertjan
          last edited by

          @gertjan

          I'm not caring about LAN at all. Right now there is absolutely no need to regulate LAN on this setup but it's WAN that must be harnessed. ;) With these 2 packages I managed to reduce bad requests by over 90% without too much finetuning. Only 10 very basic custom rules set up next to default settings. So I guess the better I understand snort syntax the better the threats will get blocked.

          Now, I just need to get more refined custom rules set up in snort to block the remaining trash requests. Most of them get in over port 80 which is then blocked or redirected via url rewrite and redirect rules if it would be an existing url on https.

          So even if pfBlockerNG might be old, it's still quite efficient in combination with snort.

          Br,
          Pascal

          A 1 Reply Last reply Reply Quote 0
          • A
            alexferro32 @Translating-IT
            last edited by

            @translating-it Hi Pascal! Can you send more details about snort+pfBlockerNG configuration? Thanks, Ale

            1 Reply Last reply Reply Quote 0
            • M
              michmoor LAYER 8 Rebel Alliance @Translating-IT
              last edited by

              @translating-it You need HA Proxy package for this.
              So i am running a custom application where example.com/admin should not be accessible from the outside. The way its done today is by creating HA Proxy 'AND' rules that disallow this traffic.

              Another way is to have Cloudflare be your DNS. Using their ZeroTrust model you can control who can hit your page when resolving [ by GeoIP for example] the hostname of your application.. I use it for my home lab but for a more business situation, I use HA Proxy.

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              T 1 Reply Last reply Reply Quote 0
              • T
                Translating-IT @michmoor
                last edited by

                @michmoor Thanks for that hint. Can I also set up a rule that only traffic to specific (existing urls should go through, everything else would be blocked?

                e.g. allow www.url.lb/impressum, www.url.lb/index
                if anyone tries to access www.url.lb/ag4i they get blocked.

                Where can I find some good tutorials on how to set up such WAN rules?

                Br,
                Pascal

                GertjanG 1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan @Translating-IT
                  last edited by Gertjan

                  @translating-it said in Block inbound requests to specific pages:

                  e.g. allow www.url.lb/impressum, www.url.lb/index
                  if anyone tries to access www.url.lb/ag4i they get blocked.

                  Firewall rules can act upon IP addresses, ports and all kind of IP stuff.
                  Not on (part of) URLs.
                  Even pfBlockerng can't deal with URLs, just host names.
                  That's something dot somethin-else and morehere dot something dot somethin-else etc.

                  This is the DNS part, and thats where pfBlockerng can do something for you.

                  All these :
                  www.url.lb/impressum
                  www.url.lb/index
                  www.url.lb/ag4i

                  The only part that is visible to pfSense is 'url.lb' (and maybe www.url.lb : check the resolver and/or pfblockng DNS query logs), as that happens when the browsers ask : what is the IP of 'url.lb'. And maybe also 'www.url.lb'.
                  From then, on, it's game over.
                  As the browser now uses that IP, opens a TLS connection to that IP, and asks for a page like /index.html or www.url.lb/impressum (www.url.lb/impressum/index.html).

                  Now, there is no need to explain that you, me and no one else can see what happens in that TLS stream.
                  Because, that's what you want : security and privacy ;)

                  If, by any chance, the site is http (only) : blacklist 'url.lb' all together. As Google did, years ago.

                  It would be a good thing if yoiu could proof me wrong on this.

                  For example : https://superuser.com/questions/763987/block-specific-url-paths

                  shows a possible solution : It's starts with : get a proxy ...

                  Another one : https://superuser.com/questions/1413274/how-to-block-specific-url-rather-than-the-entire-domain-on-a-computer-without-so

                  So, pfSense won't help you breaking TLS (https:// ...) 😊

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  T 1 Reply Last reply Reply Quote 0
                  • T
                    Translating-IT @Gertjan
                    last edited by

                    @gertjan well, wasn't that what michmoor said, use HA Proxy? I understood that with HA Proxy you can then do exactly that. That's why I asked @michmoor how it can be done with HA Proxy.

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      michmoor LAYER 8 Rebel Alliance @Translating-IT
                      last edited by

                      @translating-it There are a few ways to do this - control inbound requests to a url that doesn't exist

                      so if you have example.com/admin

                      1. HA Proxy package with ACLs on your FrontEnd settings. Anyone attempting to hit example.com/admin will receive a 400 message.

                      2. Have your domain in CloudFlare and it is your authoritative name server. Cloudflare has a WAF component where you create firewall rules. See below
                        9c574cd5-6d1c-4d46-b196-e97a306089e9-image.png

                      The block/ban isnt something that HA proxy can do..As far as im aware. There may be a way. You would need to search the HA documentation for that.

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      T 1 Reply Last reply Reply Quote 0
                      • T
                        Translating-IT @michmoor
                        last edited by

                        @michmoor due to security and GDPR reasons ClouldFlare is NOT an option for me. I use my own server at a hoster in Germany and not services like CloudFlare or similar. So only the first option would be interesting, although I have no idea how this could be set up without any example or tutorials.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.