Can't get pfBlockerNG to block pornhub.com
-
i do that easily. I have Wildcard Blocking (TLD) enabled.
I create my own blacklist and I put pornhub.com
Reload all and that's it...Blocked.
I do no blocking of DoH or DoT. As long as the clients are pointing to the firewall for DNS you are good. Additional you can use NAT reflection to make sure any DNS query outside of port 53 get redirected to the firewall.The other method would be to grab a Steven Blacklist for Porn and use that but the way I prefer to handle things and the way I have things configured is that I block all porn and I have a custom black list where I add additional sites.
I also have custom Unbound configuration where I select certain /32s or /24s that are exempt from the DNSBL. -
Try blocking it using the ASN.
Create a custom feed under IP->IPv4 use the ASNAS29789
ASN found by pinging pornhub.com and doing an IP lookup on https://iplocation.io/
scroll to the middle'ish of th results to find the AS number.don't forget to assign the alias to a firewall rule.
-
@1of1000quadrillion said in Can't get pfBlockerNG to block pornhub.com:
AS29789
ASN blocking is dangerous. Unless its an ASN wholly owned by the public entity (facebook,google,nextlix) then you are just blackholing lots of sites. Blast radius is way to much with that technique.
-
-
@fullauto I suspect a DNS leak. I've seen this behavior as I didn't lock DNS to my specific server.
If you're using Windows with Edge, Edge actually has a feature that was allowing it to resolve URL's that shouldn't have worked, based on my DNS config. I.e. they resolved fine in command line (no flush needed) but not in Edge.
-
Have you tried regular expressions for the URL?
(Image: Most of my blocks are for learning purposes and for my research with my degree)
I don't like prankdial, hotjar, rubygems, docker, and some other ones that seemed to cause me some issues. I am sure a lot of mine do not need to be blocked, but how can you learn if you don't test stuff out? Here is an example.
I always have had issues with Doubleclick.net they caused me so many issues with devices and human interaction with mouse and keyboards, I found all my items work better with them blocked. Notice ^.URL.com.$ try that.
Also check your Target rules if they are whitelisted it will override items by order like ACLs.
Also enable encrypted DNS
If the DNS is encrypted and using SSL it can't be hijacked, I would cry if they hijacked the update servers.
-
You can see it blocking all the variations of doubleclick.net now, it does not matter what differences are in the URL if the main part is the same it blocks it forever.
-
I have read through this thread but still unclear as to what the resolution would be. I too would like to block sites such as facebook, tik-tok, etc and thought I had it licked by creating a custom list in DNSBL but the sites are not getting blocked. I have squid installed but not running as I had some issues in the past where it locked up the system which I think were related to bad memory which I have resolved. I am new to this and still getting my feet wet so would like to get clarity on how to accomplish this. I am sure this has been talked about quite a bit so if there is a thread or instruction that covers the topic feel free to post the link and I will give it a shot. Thank you.
-
@lpd7 Can you provide details? nslookup results, etc. Are you blocking DoH? If not most browsers will bypass the configured DNS servers. Did you run an update in pfBlocker after changing settings?
-
@steveits said in Can't get pfBlockerNG to block pornhub.com:
@lpd7 Can you provide details? nslookup results, etc. Are you blocking DoH? If not most browsers will bypass the configured DNS servers. Did you run an update in pfBlocker after changing settings?
New to pFS and pFB so bear with me as I track down the info and educate myself as well.
Not sure which nslookup results you want to see so please elaborate, happy to provide.
Yes blocking DoH
and selected all options in the blocking list
I usually run Cron after making changes but ran the Update twice just to make sure.
-
I don't know if this helps, I use Squidguard as it is designed for use with Squid Proxy. Here is some photos of it in action.
I feel this system should be simplified for parents and have scripts created to make this install with ease. You must have static addresses to make this work correctly. So it should have a quick install where you manually connect each device so it can auto populate the static addresses.
After it should create your certificates for you and let you install them.
After it should walk you threw how to set up WPAD this is a must for auto proxy use.
https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html
Just edit a path to the file and save it. This is needed for use with windows and other devices to find the proxy automatically.
Next you need your websites you want blocked. Example of how it works for me.
(Image: Url Blocker working under Squidguard Table)
(Image: Once package is installed use SquidGuard Proxy Filter)
(Image: What happens when the URL is tested)
(Image: Target Categories)
(Make a Profile and attach the IP addresses of the system you want blocked for adult websites, you must also have a dummy profile for it to work that takes the place of position one)
A nice how to guide I have found to get this system to work.
Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard! (n.d.). Retrieved June 2, 2022, from https://forum.it-monkey.net/index.php?topic=23.0
Make sure you let the loopback and local subnets use the proxy
This all works with the HTTP get requests and headers. So no harm done. It is so simple however I worked in IT for over 15 combined years. Yes this needs to be simple for the average Parent and it can be done. There is some great guides for this version, and I for one use it and it blocks what you want blocked. You can even set up timers for no access in the middle of the night.
Do not forget you must set up your access control lists. This is the packet filter that uses ports and IP addresses also.
This is mine.
(image: ACLS)
(image: NAT Port Forwards for DNS and NTP so the firewall handles all requests) -
-
This is a great website it has everything for you and is pretty clear just follow the steps.
Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard! (n.d.). Retrieved June 2, 2022, from https://forum.it-monkey.net/index.php?topic=23.0
-
@steveits The ip for the server was the loopback for the pFS box, is this what you should see?
-
@jonathanlee Wow great info, much appreciated for the effort. I am going to look this over and see if I cant get it working. Thanks again.
-
No problem that pfSense configuration website I sent is my favorite.
I tested my firewalls DNS, it will still see that address however, it is blocked on the USER side from accessing it on any browser that is included in the Squidguard blocks USER configured IP addresses to static MAC mappings.
(Image: Firewall Sees the IP address)
(Image: End users can not get to it)Keep in mind this is SSL based if I use a HTTP request I have a custom webpage.
(Image: HTTP site blocked)One more detail you must also block out the IP addresses in the URL to make this fully work this way no one can use dig or use nslookup and grab that IP and plug it in and access the site still. Also block major network atomizers that bypass proxies online.
(Image: IP block for URL access)
-
@lpd7 said in Can't get pfBlockerNG to block pornhub.com:
ip for the server was the loopback for the pFS box
...which means it's working. :) Ensure your PC isn't caching the old DNS...in Windows run "ipconfig /flushdns" to empty the cache, and close your browser.
-
@jonathanlee I have been looking over the instructions both from what you provided and from the link that goes step by step all of which is good stuff.
I attempted to start working on it but pulled back as I dont want to foul up my active box and am waiting for a new case so I can get a second box up and running which is what I will use for this build. The question that I have is about vlans....are they a necessity and if so can I use the LAN interface for that purpose?
My setup is configured with the WAN coming into one port on the FW and the LAN going out another port to a managed switch which connects various APs and other non managed switches and hard wired computers.
The instructions in the link (https://forum.it-monkey.net/index.php?topic=23.0) doesnt seem to mention vlans so just want to verify this can be done without the use of vlans.
I know what vlans are but have no experience with them so am trying to keep a handle on the learning curve, once I master one function then move onto another.
Once I get the other box up and running (hopefully by july 4 weekend) I will use that in isolation with a single pc to test the rules/blocking once it all seems to be working I will do the switch over.
Thank you.
-
@lpd7 If you are using the pfsense as a dns resolver cant you also just set up a host override pointing to 127.0.0.1 ?
That blocks it for sure. -
@michmoor I am using dns resolver but am unfamiliar with the remedy you suggest. Based on what I have seen and been told it appears the resolution is a bit more in depth but I can be wrong as there seems to be many schools of thought on this topic.
So to restate:
I want to control/limit access by local devices/clients to web sites of my choosing. I do not want to have to configure each device individually but rather have the FW do the work. This is particularly important for those web sites whose URLs are encrypted (DoT, DoH).So would the solution proposed by jonathanlee within this thread be the correct path and if so I have a question about vlans.
or
Are the instructions listed at https://forum.it-monkey.net/index.php?topic=23.0 the solution I am seeking.
Appreciate the feedback.