Netgate Discussion Forum

    pfblockerng pornhub block results

    Category: pfBlockerNG | 4 Posts, 3 Posters, 41.2k Views
    • beerguzzle

      I'm setting up a firewall (Netgate 2100) for a church, so I decided to configure pfBlockerNG to block porn. I went to DNSBL/DNSBL Groups and added a list there, referencing the StevenBlack porn list, see attached. Everything is working, e.g. pornhub.com is blocked, but....

      Going to the website gives a vague error from the browser about the cert, and the cert is a self-assigned cert coming from pfBlockerNG/pfSense. DNS resolves pornhub.com to 10.10.10.1, i.e. the DNSBL virtual IP.

      What I would like is an actual webpage saying "site blocked by administrator", something like the file /usr/local/www/pfblockerng/www/dnsbl_active.php or a webpage "stop watching porn you perv!". How to do this?!

      [Attachments: StevenBlack_porn.png, chrome-pornhub.png, porn-cert.png]

      Netgate 1100 and Netgate 2100, latest pfsense+ version

      • SteveITS @beerguzzle

        @beerguzzle to get the clients to accept a cert for www.pornhub.com you’d need to install a trusted CA cert on each device and then create a cert for that name. IOW it’s not really feasible. An alt option would be to not show a block page and let it fail to connect.

        Also, you’ll probably want to block DoH/DoT on the DNSBL SafeSearch page, and connections to public DNS.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • Gertjan @beerguzzle

          @beerguzzle said in pfblockerng pornhub block results:

          What I would like is an actual webpage saying "site blocked by administrator", something like the file /usr/local/www/pfblockerng/www/dnsbl_active.php or a webpage "stop watching porn you perv!". How to do this?!

          As @SteveITS already mentioned : in short, you can't.

          When a browser wants to visit https://www.abc.com and it gets an answer back from a site that says, with its certificate (remember: https = TLS): "I am (https://)www.123.com", then the browser starts to show the message you've just shown.
          If you go to a site called https://www.your-bank.com, what would happen if your browser showed you this site: https://www.not-your-bank.com (and you were not paying attention to the URL, entered your credentials ... and now some unknown guy has your login)?
          So, we agree, you don't want to break TLS (https), and you don't want others to be able to do the same thing. Turn the phrase around: if you can do it, they can do it.
          If "they" can do it, then your issue is solved, as the entire Internet will fall within the hour or so.

          The "dnsbl_active.php" page is nice, but it only worked well when web servers were using "http", not https. Those were the good old days, and they are over now.
          This page shows the visitor: "now the admin of the network you connected to also knows what site you tried to visit". Don't bother anymore. Just DNSBL it, and use these settings:

          [Attachment: screenshot of the DNSBL settings]

          Consider the pfBlockerng web 'blocked page' page showing the user a blocked page as a gadget that worked well in the past, but that's over now.
          You'll still know who did what, as the DNSBL reports logs are there.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • beerguzzle
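Gertjan's point about the certificate name, shown as an added example that is not code from this thread or from pfBlockerNG: a minimal version of the subjectAltName hostname check every browser runs before trusting a TLS server. The sinkhole certificate names (pfsense.localdomain and 10.10.10.1) are constructed for illustration; the real self-signed certificate may carry different names.

```python
import ipaddress

def _name_matches(pattern: str, host: str) -> bool:
    """Match a DNS host against one certificate dNSName, allowing a single
    leftmost wildcard label (*.example.com) as in RFC 6125 section 6.4.3."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    labels = host.split(".")
    # The wildcard stands for exactly one label; require at least two more
    # labels after it so "*.com" can never match a whole second-level domain.
    if len(labels) < 3 or "*" in suffix:
        return False
    return ".".join(labels[1:]) == suffix

def hostname_matches_cert(requested_host: str, san_names: list[str]) -> bool:
    """True if requested_host is covered by the certificate's subjectAltName
    entries (dNSName or iPAddress); this is what the browser checks."""
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    for san in san_names:
        if ip is not None:
            try:
                if ipaddress.ip_address(san) == ip:
                    return True
            except ValueError:
                continue  # a dNSName entry cannot match an IP literal
        elif _name_matches(san, requested_host):
            return True
    return False

# Constructed sample of what the DNSBL VIP would present; the real
# pfBlockerNG self-signed certificate may carry different names.
SINKHOLE_CERT_SANS = ["pfsense.localdomain", "10.10.10.1"]

def sinkhole_cert_trusted_for(requested_host: str) -> bool:
    """Would a client that asked for requested_host accept the sinkhole cert?"""
    return hostname_matches_cert(requested_host, SINKHOLE_CERT_SANS)

if __name__ == "__main__":
    for host in ("www.pornhub.com", "pfsense.localdomain", "10.10.10.1"):
        print(f"{host:22} accepted={sinkhole_cert_trusted_for(host)}")
```

Only a request for the firewall's own name or address passes; any sinkholed site name fails, which is exactly the browser warning the screenshots show, and the DNSBL log remains the place to see who requested what.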

            Ok, thanks for a well written explanation. I don't expect to get complaints about "your network is wonky" on this topic.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.