PCI Network Filtering
-
Hi everyone,
I've been browsing the forum but haven't found a solution that fits my specific needs. I'm in the process of starting a grocery store and have plans to expand to multiple locations within the next five years.
I'd like to implement pfBlocker in the following way:
- Apply standard filters to all corporate and data center networks to block inappropriate content (e.g., pornography).
- For PCI networks, I'd like a default "block all" setting, with allowances only for explicitly defined sites or services.
I've managed to get started using IPv4 custom lists, but I'm facing a challenge. I need to allow certain wildcard domains for Windows updates and other patch management requirements. I know that wildcard domain blocking generally falls under DNSBL, but I couldn't figure out how to apply certain lists to specific networks.
How can I achieve this while maintaining a separate policy for the PCI network?
Any guidance would be greatly appreciated.
-
@basherstech It might be easier to use firewall rules to allow the PCI network access out. Is that a separate network or VLAN? Though, you'd have to maintain a list of the Windows Update IPs, which could be a challenge. One could find and allow all Microsoft IPs by ASN number in pfBlocker.
Many, many years ago we did something similar, but it was not for PCI so it wasn't on a separate network, and it was on a Windows Server network. The client just wanted to prevent certain PCs from web surfing. I tried to look it up but don't have that info anymore. I think it had to do with Conditional Forwarding, which is a feature of Windows DNS. But, if you set up your own DNS server on the PCI network, you might be able to forward only certain domains and not resolve the rest of the world?
One other thought, there is a "Python Group Policy" feature which is named poorly but it will "bypass DNSBL for the defined LAN IPs." Possibly, use a service like CloudFlare family DNS to block adult content via forwarding, block all domains in DNSBL, and set everything on LAN to bypass DNSBL? So the PCs on LAN would get forwarded to CloudFlare. In other words, block *.com but add microsoft.com to the DNSBL Whitelist section.
Sorry for the vague answer, maybe it helps.
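The "forward only certain domains and refuse the rest" idea from the reply, and the original poster's need for wildcard entries, can be sketched as a small policy tool. The following is an added example, not code from the thread or from pfBlockerNG: it parses an allow list that mixes bare domains and `*.` wildcards, decides allow/refuse for query names on label boundaries (so `notmicrosoft.com` does not ride on `microsoft.com`), audits a few constructed resolver log lines against that policy, and emits an Unbound fragment (pfSense's DNS Resolver is Unbound) that refuses everything except the allowed zones, which are forwarded upstream. The allow list, log format, and forwarder address are constructed placeholders, and the `local-zone`/`forward-zone` layout is my assumption of how to realise that policy in Unbound.

```python
"""Allow-list-only DNS policy for an isolated (e.g. PCI) segment.

Added example, not from the forum thread. Constructed assumptions:
  * ALLOW_LIST and SAMPLE_LOG are made-up illustration data
  * the log line format "timestamp client qname qtype" is invented
  * the Unbound directive layout below is the author's assumption
"""
from typing import Iterable, List, Tuple

Rule = Tuple[str, bool]  # (zone, include_apex)

# Constructed allow list: bare names cover apex + subdomains,
# "*.zone" covers subdomains only.
ALLOW_LIST = ["microsoft.com", "*.windowsupdate.com", "ntp.pos-vendor.example."]

# Constructed resolver log lines (not a real Unbound/pfBlocker format).
SAMPLE_LOG = [
    "2024-01-01T10:00:00 10.20.0.15 download.windowsupdate.com A",
    "2024-01-01T10:00:01 10.20.0.15 windowsupdate.com A",
    "2024-01-01T10:00:02 10.20.0.16 notmicrosoft.com A",
    "2024-01-01T10:00:03 10.20.0.16 www.microsoft.com AAAA",
]


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip surrounding space and trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_allow_list(entries: Iterable[str]) -> List[Rule]:
    """Turn 'zone' / '*.zone' entries into (zone, include_apex) rules."""
    rules: List[Rule] = []
    for raw in entries:
        entry = normalize(raw)
        if not entry:
            continue
        if entry.startswith("*."):
            rules.append((entry[2:], False))  # subdomains only
        else:
            rules.append((entry, True))  # apex and subdomains
    return rules


def is_allowed(qname: str, rules: List[Rule]) -> bool:
    """Match on label boundaries only: 'a.zone' and 'zone' count,
    'notzone' does not."""
    q = normalize(qname)
    for zone, include_apex in rules:
        if q == zone:
            if include_apex:
                return True
            continue  # wildcard rule: apex itself is not covered
        if q.endswith("." + zone):
            return True
    return False


def audit_log(lines: Iterable[str], rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (client, qname, allowed) for each parseable constructed log line."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than guessing
        _ts, client, qname, _qtype = parts[:4]
        results.append((client, normalize(qname), is_allowed(qname, rules)))
    return results


def unbound_fragment(rules: List[Rule], forwarder: str) -> str:
    """Refuse the whole namespace, then carve out each allowed zone and
    forward it upstream. Note: Unbound's zone carve-out necessarily
    includes the apex, so the '*.zone' distinction is enforced by
    is_allowed() in audits, not by the resolver itself."""
    zones = sorted({zone for zone, _ in rules})
    out = ["server:", '    local-zone: "." refuse']
    out += [f'    local-zone: "{z}." transparent' for z in zones]
    for z in zones:
        out += ["", "forward-zone:", f'    name: "{z}."', f"    forward-addr: {forwarder}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    policy = parse_allow_list(ALLOW_LIST)
    for client, qname, ok in audit_log(SAMPLE_LOG, policy):
        print(f"{client:<12} {qname:<32} {'ALLOW' if ok else 'REFUSE'}")
    # 203.0.113.53 is a documentation-range placeholder for the upstream forwarder
    print(unbound_fragment(policy, "203.0.113.53"))
```

Running it prints one ALLOW/REFUSE verdict per constructed log line and then the generated resolver fragment; the fragment is a starting point to compare against a pfSense DNS Resolver custom-options block, not a drop-in replacement for pfBlockerNG's own DNSBL handling.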