Can't get pfBlockerNG to block pornhub.com
-
@jonathanlee Thank you for that info it makes things a bit clearer and probably simpler to implement. My new case was just delivered so I am going to put together a second box from which to work on this and hopefully with the help from kind souls such as yourself I can get it running as needed. Thanks again and Happy 4th weekend.
-
@johnpoz Didnt realize that I had to own a thread to ask a question to which the thread was related. Maybe I didnt articulate the issue clearly. If a URL is using HTTPS it seems that the system is unable to see the URL because its encrypted and that additional steps are required to get it to see and filter based on a block list. That is a summary of what I have put together based on all of the feedback from various sources, all I am trying to do now is sift through everything and find the correct way to achieve the goal.
-
@lpd7 you can block https urls. Remember all browsers use what are called get requests, proxies use the get requests only to understand when you say that's a block. The data on https when a connection is made that's encrypted and comes after the get request is approved.
-
@lpd7 you can ask a question sure - but quite often users jump into a thread when their problem isn't the same.
Doh in a browser circumvents your local dns - nslookup might show that the system is using your local dns (pfsense).. But the browser isn't if its using doh.
If your device ask for something.domain.tld and you return 127.0.0.1 or 10.10.10.10 is isn't going to get to http or https://something.domain.tld
But if using doh and it gets the public IP 1.2.3.4 for example - unless you block that actual IP, then sure the browser can get there.
-
Make sure you have the latest version of pfBlockerNG installed. It's always good to stay up to date. Now, regarding the issue with blocking pornhub.com, it might be worth double-checking your category settings in Shallalist and UT1 Summary. Ensure that the appropriate categories related to adult content and porn are selected.
-
Let’s put my 5c to this: small child from 7(?)yo able to install some app called “free VPN” and Your pfSense are out of game with this: until You not blocking ALL possible VPN protocols - access to PH are open to it…
After You find abilities to blocking ALL possible VPN protocols, the NewNode protocol are from 1 tap away on child’s smartphone.
And am not sure You have a sufficient skills to block NewNode… (sorry bro!) -
@Sergei_Shablovsky I use proxy based blocking with certificates, the firewall can be set to inspect VPN tunnels also in advanced settings in pfSense or Snort. VPNs are not invincible by any means. Again proxy or dns blocking is not invincible also. Just depends on the amount of time it takes to get around the firewall. I think with the proxy it makes it take longer to get around it. You can make it block the ports that the VPN are using also, the free ones will always use the same ports, control access to that port…
-
@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:
@Sergei_Shablovsky I use proxy based blocking with certificates, the firewall can be set to inspect VPN tunnels also in advanced settings in pfSense or Snort. VPNs are not invincible by any means. Again proxy or dns blocking is not invincible also. Just depends on the amount of time it takes to get around the firewall. I think with the proxy it makes it take longer to get around it. You can make it block the ports that the VPN are using also, the free ones will always use the same ports, control access to that port…
I thinking that would be interesting for You to read https://github.com/clostra/newnode/blob/master/docs/newnode-spec.md
Just try on test iPhone/Android: connect to Your customers lan, install NewNode app, start pcap on an certain interface, and then try to connect to PH.
If pfSense able to block access, - You are win, I’m loose. If not - analyse the dump by WireShark and create additional FW rules…NewNode VPN
https://apps.apple.com/us/app/newnode-vpn/id1473074621NewNode
https://apps.apple.com/us/app/newnode/id1603136752 -
@Sergei_Shablovsky said in Can't get pfBlockerNG to block pornhub.com:
https://github.com/clostra/newnode/blob/master/docs/newnode-spec.md
Thanks for the info, I will have to get a sandbox going to test this, I am doing classes again so I might not have time anytime soon.
-
Hello again, I got some time, I am spinning up a VM to test it.
My CAL 2 class HW done, and checked, and POLS quiz done.
Just waiting for my one approved VM copy to download per my original Apple software license. I get one VM of the software to use onto of the host software.
That software package says it stops host services so I want it in a sandbox/vm to test.
3-4 hrs for my vm to fully spin up I estimate. I am betting on AppID to spot it.
-
@Sergei_Shablovsky I have attempted 2 different installs over Virtualbox Version 7.0.8_BETA4 r156879 (Qt6.3.0) on M1 processor, all crash with the development version. I am going to create an ISO and move it to my Windows 11 system and install the VM there I should be able to test this sometime tomorrow. Sorry I even tried Unbuntu with M1 virtualbox. It acts like the iMac has something using the virtualization hardware.
-
@Sergei_Shablovsky All right I got my VM system spun up. I am going to test this now it is set up with proxy use and blocking is good inside VM
I just have to install the VPN to test it now
Dang they even blocked me from using apple store in the vm
I am going to have to find another way to download it... The virtual machine I want to test this on has download limitations.
Again my proxy works now so I am only one download away from using the VM for its cybersecurity test after I can delete it.
I can not test this on the native os because it has a script that disables all services on the machine if you look at the GitHub. So it has to be in a sandbox environment, however my sandbox does not allow any App Store use. So I need the .dmg file somehow...
So how can I get the APP inside the VM if I can't get to the App Store?
I am working on side loading it now
-
@Sergei_Shablovsky I am going to git hub clone it
My concern is the apple store version could be different.
-
@Sergei_Shablovsky Sorry but....
Netgate WON with the correct ACLs access rules. My firewall already has Newnode's VPN port blocked..
VPN connection is dead on first test Netgate stomped it out.
I got it installed and it started however will not connect because the firewall blocks access to ports it wants. It's not approved with proper Access Control Lists NewNode is not an issue, however this is dependent on someone that can configure a ACL list correctly, many home users do the default so this would work with default settings.
For now it is blocked on my VM test. I am going to spin down and delete this VM
This is a scary VPN it disables the native firewall on osX also...
-
@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:
@Sergei_Shablovsky I am going to git hub clone it
My concern is the apple store version could be different.
I know from developer’s side, that GutHub and iOS/macOS versions are a little bit different.
But not too much.
-
@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:
@Sergei_Shablovsky Sorry but....
Netgate WON with the correct ACLs access rules. My firewall already has Newnode's VPN port blocked..
VPN connection is dead on first test Netgate stomped it out.
I got it installed and it started however will not connect because the firewall blocks access to ports it wants. It's not approved with proper Access Control Lists NewNode is not an issue, however this is dependent on someone that can configure a ACL list correctly, many home users do the default so this would work with default settings.
Is it possible for You to test both NewNode and NewNode VPN on Your iPhone?
-
@Sergei_Shablovsky The only way would be to create a virtualization instance of the iPhone, I can look into it. Can I ask why? Any iPhone can simply turn off WiFi to bypass the firewall.
-
@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:
@Sergei_Shablovsky The only way would be to create a virtualization instance of the iPhone, I can look into it. Can I ask why? Any iPhone can simply turn off WiFi to bypass the firewall.
I try to understand if NewNode in VM has different behavior than NewNode app/VPN in real iOS device.
-
@Sergei_Shablovsky I can't help you with that I can only test with a virtual machine. The risk is too high to test on a live machine, sorry.
-
@JonathanLee said in Can't get pfBlockerNG to block pornhub.com:
@Sergei_Shablovsky Can I ask why? Any iPhone can simply turn off WiFi to bypass the firewall.
For situation where cell signals blocked and only in-house WiFi or wire are an options.