• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Feature Suggestion: Interface Level Domain Block per Interface

Scheduled Pinned Locked Moved Firewalling
4 Posts 2 Posters 1.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D
    duanes
    last edited by Oct 25, 2012, 3:14 PM Oct 25, 2012, 3:10 PM

    This seems to be a large recurring problem by many users.

    I am running pfSense in transparent NAT + Squid + SquidGuard (with Shalla's List)

    Basically, the problem is that https cannot be trapped by Squid.  The idea is to generate automatically generate a set of IP addresses and rules just like Squid uses, but be able to apply them at the FW level on a per interface basis.

    A simpler method would be to create a type of Alias called IP lookup that periodically grabs/refreshes a list of IP's for the domain or specific machine (regex) listed.  Which solves another problem in that I have a few machines that I need to whitelist by DNS name as they change IP's (on Rare occasions, but it does happen).  Which completely screws up the rules etc and I must manually update 50 whitelist/blacklist IP's for our internal lan.

    Or maybe, just be able to input a regex for blocking based on reverse dns lookup.

    My real goal is to block facebook and youtube via https (except during break/lunch time) but still have the ease of transparent NAT/Squid/Guard to cover most filtering needs.

    I WISH I could support a bounty, but do not have the means to do so.  But, this would be a huge benefit to all !

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Oct 30, 2012, 2:37 PM

      Aliases can already contain hostnames and those do periodically re-resolve but that does not help you at all because some sites return a random set of IPs each time out of a larger pool. You'd never be assured of catching the right values every time.

      Remember: Upvote with the šŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • D
        duanes
        last edited by Oct 30, 2012, 2:45 PM

        Alias can contain DNS name ?  Hmmm - that would solve one issue, but I was thinking that it would only accept IP'sā€¦. or at least, that is what the field entry says.

        (Update: Awesome - tried it and it works for single IP/dns relationships)

        I could still use the whole DNS and reverse lookup stuff.  An example goal is to block youtube via https but not all https services when using transparent proxy mode.)

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Oct 30, 2012, 3:40 PM

          and that still won't help you at all.

          A site like youtube can return different IPs on each DNS query. It doesn't matter how often you refresh the list the client can still get another IP.

          Your best bet is to see if there is a published list somewhere of all netblocks for a given site. There are lists for Facebook that make blocking it easy with even normal aliases.

          Remember: Upvote with the šŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          4 out of 4
          • First post
            4/4
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
            This community forum collects and processes your personal information.
            consent.not_received