Safari on iPhone is bypassing firewall rule
-
@bmeeks said in Safari on iPhone is bypassing firewall rule:
I guess my ultimate question here would be "why do you want to restrict them to only WhatsApp?" As you are discovering, such specific filtering in today's Internet environment, with so many CDNs and Anycast DNS services, is becoming very difficult and heading towards impossible as DoH and QUIC become widespread.
On Palo Alto and Cisco devices, it's easy to block traffic on an application-specific basis. I'm trying to achieve the same with a pfSense box. For example, on flights only messaging apps are allowed and all other internet traffic is blocked, so this use case and implementation already exist in the market. I'm now looking for a way to implement similar application-based blocking using pfSense. Any suggestions on how to do this?
I've almost managed to get application-based blocking working on the pfSense box.
-
@mozmail said in Safari on iPhone is bypassing firewall rule:
@bmeeks said in Safari on iPhone is bypassing firewall rule:
I guess my ultimate question here would be "why do you want to restrict them to only WhatsApp?" As you are discovering, such specific filtering in today's Internet environment, with so many CDNs and Anycast DNS services, is becoming very difficult and heading towards impossible as DoH and QUIC become widespread.
On Palo Alto and Cisco devices, it's easy to block traffic on an application-specific basis. I'm trying to achieve the same with a pfSense box. For example, on flights only messaging apps are allowed and all other internet traffic is blocked, so this use case and implementation already exist in the market. I'm now looking for a way to implement similar application-based blocking using pfSense. Any suggestions on how to do this?
I've almost managed to get application-based blocking working on the pfSense box.
Those Palo Alto and Cisco devices have specific application detection technology built into them. That's also why they cost a ton of money to own and license. You pay for the privilege of using that technology and for the labor and time of Palo Alto and Cisco security analysts to keep up with all the application technology changes and issue regular updates to keep the app detection/filtering working. pfSense does not natively offer application layer filtering, but it's also open source and free, so there is that advantage.
You can do this application detection and filtering on a limited basis, provided you are able and willing to write some of your own rules, with the Snort package on pfSense using its AppID feature.
-
@bmeeks I agree. Due to budget we are going with pfSense, and that's why I'm checking the best way to do it with it. I got it working for now: with my above rule list and an extra rule, I added a block for traffic to DNS IP 1.1.1.1 on port 853. From what I see, Safari is using DNS over TLS on port 853; with that blocked, Safari is blocked.
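The rule the poster ended up with, modelled as an added example that is not from the thread or from pfSense itself: a small pf-style matcher that applies a rule list to a set of constructed flows and shows why a block on tcp/853 to 1.1.1.1 stops Safari's DNS over TLS, and why a DNS over HTTPS connection to the same resolver on tcp/443 slips through an ordinary HTTPS allow rule. The rule list, the resolver addresses, the LAN address 192.168.1.1 and every flow are assumptions constructed for illustration, not captured traffic or the poster's actual rule set; the matcher models pfSense's "quick" first-match behaviour and pf's last-match behaviour for non-quick rules, nothing else.

```python
"""Tiny pf-style rule matcher (example code, not pfSense's own logic).

Demonstrates that a port-based block on DNS over TLS (tcp/853) does not
cover DNS over HTTPS (tcp/443), which looks like any other HTTPS flow.
All addresses, rules and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp" or "udp"
    dst: str      # destination IPv4 address (constructed)
    dport: int    # destination port
    label: str    # constructed description of what the flow is


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dst: Optional[str] = None     # CIDR; None matches any destination
    dport: Optional[int] = None   # None matches any port
    quick: bool = True            # pfSense GUI rules are "quick": first match wins

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        return True


def evaluate(rules, flow, default="block"):
    """Walk the rule list top-down. A matching quick rule decides immediately;
    for non-quick rules pf's last-match semantics apply. No match -> default."""
    verdict = default
    for r in rules:
        if r.matches(flow):
            if r.quick:
                return r.action
            verdict = r.action
    return verdict


def classify(rules, flows):
    """Map each flow label to the verdict the rule list gives it."""
    return {f.label: evaluate(rules, f) for f in flows}


# Rule set modelled on the thread (assumed): block DoT to 1.1.1.1, allow the
# LAN resolver at 192.168.1.1 (assumed pfSense LAN address), allow HTTPS for
# the messaging app, and rely on default-deny for everything else.
POSTER_RULES = [
    Rule("block", proto="tcp", dst="1.1.1.1/32", dport=853),
    Rule("pass", proto="udp", dst="192.168.1.1/32", dport=53),
    Rule("pass", proto="tcp", dport=443),
]

# Tighter variant: DoT to any resolver, QUIC (udp/443, which can also carry
# DoH over HTTP/3), and HTTPS to the known DoH resolver address. This still only
# covers resolvers you have enumerated; DoH to an unlisted IP still looks like HTTPS.
HARDENED_RULES = [
    Rule("block", proto="tcp", dport=853),
    Rule("block", proto="udp", dport=443),
    Rule("block", proto="tcp", dst="1.1.1.1/32", dport=443),
    Rule("pass", proto="udp", dst="192.168.1.1/32", dport=53),
    Rule("pass", proto="tcp", dport=443),
]

# Constructed flows, not captured traffic.
FLOWS = [
    Flow("tcp", "1.1.1.1", 853, "dot_cloudflare"),
    Flow("tcp", "9.9.9.9", 853, "dot_quad9"),
    Flow("tcp", "1.1.1.1", 443, "doh_cloudflare"),
    Flow("udp", "1.1.1.1", 443, "quic_cloudflare"),
    Flow("udp", "192.168.1.1", 53, "plain_dns_lan"),
    Flow("udp", "8.8.8.8", 53, "plain_dns_external"),
]


if __name__ == "__main__":
    for name, rules in (("poster", POSTER_RULES), ("hardened", HARDENED_RULES)):
        print(f"--- {name} rules ---")
        for label, verdict in classify(rules, FLOWS).items():
            print(f"{label:22s} {verdict}")
```

Under the first rule set the DoT flow is blocked, exactly as the poster observed, but the DoH flow to the same resolver is passed by the tcp/443 allow, because on the wire it is just another TLS connection to port 443. The hardened list closes that for resolvers whose addresses you know; for DoH to an arbitrary IP, or DoH fronted by a CDN, a stateless port/IP rule cannot tell it from ordinary HTTPS, which is the limit bmeeks describes and where Snort AppID or a proxy that inspects TLS would have to take over.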