Netgate Discussion Forum

    Limit access to list off site

    DHCP and DNS
    3 Posts, 3 Posters, 195 Views
    • andmattia

      I need to set up a machine to go only to a very restricted list of sites.

      Can I set it in DNS? Does a better approach exist?

      • SteveITS @andmattia

        @andmattia If it's a device you can do this on, you could add entries to the "hosts" file on the device, and disable/block all other DNS lookups.

        Unbound has a "view" feature to control access by IP but I have not really used it so cannot help much. I do not know if it can do what you want.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!
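        The Unbound "view" feature mentioned above can do exactly this kind of per-client allowlist. The configuration below is an added example and is not from the post or from Netgate; the client address 192.168.1.50 and the permitted domains example.com and example.net are constructed placeholders, and it is assumed to be placed in unbound.conf (on pfSense, the DNS Resolver's Custom Options box).

```conf
# Added example (not from the original post): an Unbound "views" allowlist.
# Assumptions: 192.168.1.50 is the restricted client (constructed address),
# example.com and example.net are the permitted sites (constructed), and the
# rest of the server: section (interfaces, forwarding, etc.) is already set.
server:
    # Send queries from the restricted client through the "allowlist" view.
    # Every other client keeps the normal, unrestricted configuration.
    access-control-view: 192.168.1.50/32 allowlist

view:
    name: "allowlist"
    # Do not fall back to the global local-zone definitions; the view alone
    # decides what this client may resolve.
    view-first: no
    # Default: REFUSE every name...
    local-zone: "." refuse
    # ...except the permitted domains (and their subdomains), which the
    # "transparent" type hands to normal recursion/forwarding.
    local-zone: "example.com." transparent
    local-zone: "example.net." transparent
```

        Two checks a practitioner will want alongside this: the firewall rules for that client should only allow DNS to this resolver on port 53 (and block DNS-over-TLS/DNS-over-HTTPS to outside resolvers), otherwise the view is trivially bypassed; and because most sites load resources from other domains (CDNs, static-content hosts), expect to extend the list after watching the resolver log for REFUSED queries from that client. Also note that a name-based allowlist does not stop the machine reaching an address it already knows, so pair it with egress firewall rules where that matters.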

        • michmoor @andmattia

          @andmattia
          One of the weaknesses of pfBlocker is that it's all or nothing. No granular control.
          So you could create a DNSBL custom feed. Apply it. Then use the Python group to start whitelisting IPs so those IPs wouldn't be impacted by that list.
          Of course, the caveat is that you should not have other lists you are using 'globally', in which case the whitelisting would be applied to them as well.

          Another, less common way, which I've used in the past, is using Suricata and custom rules. Suricata can read the SNI of a TLS stream, so you can write a custom rule that says 'drop this IP from going to facebook.com'.
          Because this is, hopefully, a one-off request, it will work, but this isn't scalable and is not recommended for wide-scale use.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.