Netgate Discussion Forum

    Is it possible to modify pfBlockerNG to pfAllowNG?

    9 Posts 3 Posters 506 Views
    • H
      hearn.tw
      last edited by

      Re: Allow only some websites through pfBlockerng
      The design of pfBlockerNG is very good, especially the Wildcard Blocking and Python regex list, which make it easier to manage firewall rules.
      The AdBlock syntax of AdGuard is also very good.
      But the pfSense Alias doesn't have wildcard URL rules.

      Although the main feature of pfBlockerNG is to block external connections to pfSense,
      I wondered if it is possible to modify pfBlockerNG for allowing (pfAllowNG?).
      It always takes a lot of time when I want to allow some service for kids in an ALLOW-ONLY environment
      (e.g. Gmail, Teams, Zoom, Signal).

      Thanks for your advice.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @hearn.tw
        last edited by johnpoz

        @hearn-tw said in Is it possible to modify pfBlockerNG to pfAllowNG?:

        But the pfSense Alias doesn't have wildcard URL rules.

        No "alias" would ever be able to do that.. An alias with an FQDN resolves the FQDN to an IP or even IPs.. It's not possible to resolve anything.domain.tld

        It could be almost an infinite number of possible things... host.domain.tld, otherhost.domain.tld, somethingelse.domain.tld or otherthing.subdomain.othersubdomain.domain.tld

        How would such an alias ever work? How could the alias look up every possible combination of an FQDN that ends with domain.tld?

        Now with say domain lookup, I could say block *.domain.tld from being answered, or return a bogus IP for anything.. Or with say a proxy I could allow you to *.domain.tld because just looking at the domain.tld and saying yeah you could go there, don't care if it's www.domain.tld or something.otherthing.whatever.domain.tld - because it ends in the domain.tld

        But it's not possible to create a wildcard alias..

        In a scenario where you either want to block or allow to something.anything.domain.tld you could use dns based filtering, to either allow the client to get the IP or not, or send them a wrong IP, etc. Or you could use a proxy that either allows *.domain.tld or blocks *.domain.tld

        But creating an "alias" that does such a thing is not possible.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • H
          hearn.tw @johnpoz
          last edited by

          @johnpoz
          Thanks for your explanation
          So maybe what I want is to create floating rules/aliases at domain lookup time.
          Aliases allow me to control individual clients with different services.

          • S
            SteveITS Galactic Empire @hearn.tw
            last edited by

            @hearn-tw I have no details, nor time, but it may work to use unbound “views” and forward or resolve only some domains?

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @SteveITS
              last edited by johnpoz

              @SteveITS the only problem you could run into with views is caches.. Dad looks up adultsite.com and then kid comes along and can resolve adultsite.com because it's cached..

              I have not really had a need to look into what they might have done recently - I thought I read somewhere where they were going to use their own caches for views, like bind does..

              But I have not had kids in the house that I need to filter in like almost 20 years.. My youngest just turned 35.. Uggh getting old ;)

              I wish I had some of the tech today when they became teenage boys ;) I used to run squid proxy back then with filtering.. And showed them look - dad can see everywhere you go, even if it's not "blocked"...

              if it was me and I had to do it today, I would prob lock it down on their device directly vs trying to do it at edge.. They have all kinds of parental software these days to really lock down a device, be it a pc or tablet, phone etc..

              You should see some of the stuff my 9 year old grandson watches on youtube.. If it was me, I wouldn't allow that sort of stuff. But it is a different age, and I bought him the damn phone ;) hehehe He does a lot of screen sharing with grandma - and you can hear her yelling from the other room - that is not appropriate to be watching or showing your grandma ;) hahahha


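The cache problem johnpoz describes above (one client's permitted lookup populating a cache that a restricted client can then read) is easy to reproduce in a toy model. The following is an added example, not unbound, pfSense or pfBlockerNG code; it compares a resolver that checks per-client policy only when it has to go upstream with one that checks policy on every query, cache hit or not. The upstream answers, client names and allowed suffixes are constructed for the illustration.

```python
"""Toy resolver showing why a shared cache defeats a per-client policy that
is only enforced at upstream-lookup time. Added example; constructed data."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed "upstream" answers; a real resolver would recurse for these.
UPSTREAM = {
    "mail.example.com.": "203.0.113.10",
    "adultsite.example.": "203.0.113.66",
}

# Per-client allow-only policy: "kid" may only resolve names under
# example.com.; "dad" (None) has no restriction.
ALLOW = {
    "kid": ("example.com.",),
    "dad": None,
}


def allowed(client: str, qname: str) -> bool:
    """True if the client's policy permits resolving qname (suffix match)."""
    suffixes = ALLOW.get(client)
    if suffixes is None:
        return True
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


@dataclass
class Resolver:
    # True: policy checked before the cache is consulted (correct).
    # False: policy checked only before going upstream (leaky).
    enforce_before_cache: bool
    cache: dict = field(default_factory=dict)

    def resolve(self, client: str, qname: str) -> Optional[str]:
        if self.enforce_before_cache and not allowed(client, qname):
            return None
        if qname in self.cache:
            # Shared cache: no policy check on this path in the leaky design.
            return self.cache[qname]
        if not allowed(client, qname):
            return None
        ip = UPSTREAM.get(qname)
        if ip is not None:
            self.cache[qname] = ip
        return ip


def demo(enforce_before_cache: bool) -> Optional[str]:
    """Dad resolves the restricted name first, then kid asks for it.
    Returns what kid receives: an IP (leak) or None (blocked)."""
    r = Resolver(enforce_before_cache)
    assert r.resolve("dad", "adultsite.example.") == "203.0.113.66"
    return r.resolve("kid", "adultsite.example.")


if __name__ == "__main__":
    print("leaky design, kid gets:", demo(False))
    print("policy before cache, kid gets:", demo(True))
```

The fix in the model is purely where the check sits: the same policy applied before the cache lookup blocks the second client regardless of what the first one cached, which is the property you want from any per-client view, whether it is implemented with separate caches or with a check on every query.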
              • S
                SteveITS Galactic Empire @johnpoz
                last edited by

                @johnpoz Reject all and forward *.example.com from the source IP to CloudFlare family or something? I've only looked at views a bit.

                We went with the Microsoft answer and our son is limited to Edge for now, and we can allow by URL.


                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @SteveITS
                  last edited by johnpoz

                  @SteveITS said in Is it possible to modify pfBlockerNG to pfAllowNG?:

                  our son is limited to Edge for now

                  exactly that is the solution I would most likely go with - locking it down at the device..

                  DNS is a good solution if you want to block everything on the network from going there, but it gets more difficult when you want to limit this IP can go there, but that IP can not, etc.

                  And these days with browsers using DoH, it's just easier to do it at the device.


                  • H
                    hearn.tw
                    last edited by

                    Yes, it is easier to do parental control on a cell phone or tablet now.
                    The squid proxy solution is also a good idea.
                    But as you say, education is the most important job to be done.

                    However, in a company it also helps employees concentrate on their jobs by only allowing essential services.
                    It's so easy to get distracted when we're surfing the web.

                    • H
                      hearn.tw
                      last edited by hearn.tw

                      @SteveITS said in Is it possible to modify pfBlockerNG to pfAllowNG?:
                      This is a dirty patch
                      /usr/local/pkg/pfblockerng/pfb_unbound.py
                      It lets the Python regex list be used for AllowOnly.
                      Are there any potential bugs here?

                          # Allow-only via Regex: with this patch a name that does NOT match
                          # any regex in the list is treated as found (blocked); names that
                          # match are left alone. Skipped entirely if the regex list is empty.
                          if not isFound and pfb['regexDB']:
                              isRegexMatch = pfb_regex_match(q_name)
                              #print q_name + ' regex: ' + str(isRegexMatch)
                              if not isRegexMatch:
                                  isFound = True
                                  feed = 'PythonAllow' #isRegexMatch
                                  group = 'DNSBL_Regex'
                      
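Two points in this thread are worth seeing in working code: johnpoz's explanation that a name-based filter can decide "ends in domain.tld" where an IP alias cannot, and the inverted regex check in the patch above. The following is an added example, not pfBlockerNG's pfb_unbound.py; it models the patched block's decision stand-alone and shows the two checks a reviewer would want before trusting it for an allow-only setup: an unanchored pattern over-matches (so a lookalike name outside the intended domain is allowed), and an empty regex list makes the block skip entirely, which for allow-only means everything resolves. The helper pfb_regex_match is modelled here as re.search over a list of compiled patterns, and query names are taken without a trailing dot; both are assumptions about the real module, and the patterns and names are constructed.

```python
"""Stand-alone model of the allow-only regex decision from the patch.
Added example; does not import or reproduce pfb_unbound.py."""

import re
from typing import List, Optional, Pattern, Tuple


def compile_allow_list(patterns: List[str]) -> List[Pattern]:
    """Compile the regex list; mirrors loading pfb['regexDB'] (assumption)."""
    return [re.compile(p) for p in patterns]


def pfb_regex_match(q_name: str, regex_db: List[Pattern]) -> bool:
    """Assumed behaviour: True if any pattern is found anywhere in q_name."""
    return any(r.search(q_name) for r in regex_db)


def allow_only_decision(q_name: str, regex_db: List[Pattern]) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (isFound, feed, group) exactly as the patched block sets them.

    isFound=True means the name is blocked. Note the fail-open edge: with an
    empty regex_db the guard `pfb['regexDB']` is false, the block is skipped,
    and nothing is blocked, the opposite of what allow-only intends."""
    is_found, feed, group = False, None, None
    if not is_found and regex_db:
        if not pfb_regex_match(q_name, regex_db):
            is_found = True
            feed = 'PythonAllow'
            group = 'DNSBL_Regex'
    return is_found, feed, group


def is_blocked(q_name: str, regex_db: List[Pattern]) -> bool:
    return allow_only_decision(q_name, regex_db)[0]


# Constructed lists. LOOSE is how a regex list is often written; ANCHORED
# expresses "the name is domain.tld or ends in .domain.tld", which is the
# wildcard semantics johnpoz describes for a name-based filter.
LOOSE = compile_allow_list([r"google\.com"])
ANCHORED = compile_allow_list([r"(^|\.)google\.com$"])
EMPTY = compile_allow_list([])


def check_anchoring() -> dict:
    """Compare the two lists on a legitimate name and a lookalike."""
    names = ["mail.google.com", "google.com", "notgoogle.com",
             "google.com.attacker-controlled.example"]
    return {n: {"loose": is_blocked(n, LOOSE),
                "anchored": is_blocked(n, ANCHORED)} for n in names}


if __name__ == "__main__":
    for name, verdict in check_anchoring().items():
        print(f"{name:40} loose blocked={verdict['loose']!s:5} "
              f"anchored blocked={verdict['anchored']}")
    print("empty list blocks anything.example?", is_blocked("anything.example", EMPTY))
```

With the loose pattern the lookalike names pass because `google.com` appears somewhere in them; with the anchored pattern only the apex and its subdomains pass. A practical hardening for the patch would be to treat an empty regex list as "block" rather than "skip" when allow-only mode is on, so that a missing or failed list load fails closed.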
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.