Block all domains except one for a single pc



  • Using pfSense 2.0.2

    Here is the situation:

    I need to block all sites except for this - http://www.govdigital.com.br/ - for a single computer. All the other computers on the network can have full access - no filtering or blocking.

    And I would rather prefer to do this without using any form of proxy, as all other computers on the network (it is a hotel with customer access to the internet) do not need any kind of blocking… If I added Squid, I would probably need to buy a new computer to be able to run that...

    I have already managed to block all traffic to the computer in question without disrupting traffic to the others. So I am already half way there.

    If I understand things correctly, placing a rule allowing traffic to the site in question above the deny rule should make this work? The big question is how you allow access to a single domain...

    I have searched. I have read. And I have searched again. And read again. And I am not able to figure this out. All the communication I find about this is old.

    What is the status? How do I allow access to a domain (not IP address)?



  • Go to Firewall -> Aliases.
    Create an alias for the domain name(s). You'd have to include all subdomains manually.

    Then use the domain name in the block rule for the specified PC.


  • LAYER 8 Global Moderator

    The alias just looks up the IP address for you. So you could do the same thing: just do a DNS query for the FQDN you want to allow, then allow that IP. Or just use the alias as mentioned, so that if its IP changes in the future the rule will be updated with the new IP.

    I show the IP for that fqdn (fully qualified domain name) as

    ;; QUESTION SECTION:
    ;www.govdigital.com.br.        IN      A

    ;; ANSWER SECTION:
    www.govdigital.com.br.  3600    IN      CNAME  lb-govdigital-918440786.us-east-1.elb.amazonaws.com.
    lb-govdigital-918440786.us-east-1.elb.amazonaws.com. 60 IN A 184.73.172.109
    lb-govdigital-918440786.us-east-1.elb.amazonaws.com. 60 IN A 54.243.134.83

    Now, if you notice, that is just a CNAME to a different FQDN, which has a VERY short TTL of 60 seconds. So if those IPs change a lot, you could run into issues with it working one minute and then not working the next minute.



  • @johnpoz:

    The alias just looks up the IP address for you. So you could do the same thing: just do a DNS query for the FQDN you want to allow, then allow that IP. Or just use the alias as mentioned, so that if its IP changes in the future the rule will be updated with the new IP.

    I show the IP for that fqdn (fully qualified domain name) as

    ;; QUESTION SECTION:
    ;www.govdigital.com.br.         IN      A

    ;; ANSWER SECTION:
    www.govdigital.com.br.  3600    IN      CNAME   lb-govdigital-918440786.us-east-1.elb.amazonaws.com.
    lb-govdigital-918440786.us-east-1.elb.amazonaws.com. 60 IN A 184.73.172.109
    lb-govdigital-918440786.us-east-1.elb.amazonaws.com. 60 IN A 54.243.134.83

    Now, if you notice, that is just a CNAME to a different FQDN, which has a VERY short TTL of 60 seconds. So if those IPs change a lot, you could run into issues with it working one minute and then not working the next minute.

    That's going to be an issue, as queries against ELBs return up to 8 IPs at a time and they change frequently.
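The two answers above describe one procedure: resolve the FQDN (following the CNAME to the ELB's A records), put the resulting addresses in an alias, and place a pass rule for the single PC above its block rule. The script below is an added illustration, not code from the thread or from pfSense: it parses the dig answer quoted above (embedded here as constructed sample input so nothing is queried live), follows the CNAME chain to get the address set and the effective TTL, models the first-match rule order the original poster proposes, and computes how long a periodically refreshed alias can lag behind a 60-second TTL. The PC address 192.168.1.50, the guest address 192.168.1.77 and the 300-second alias refresh interval are assumptions for the example; check the hostname resolve interval in your own pfSense version.

```python
import re

# Constructed sample input: the dig answer quoted in the thread, reproduced
# here so the script runs offline (no live DNS query is made).
SAMPLE_DIG = """\
;; QUESTION SECTION:
;www.govdigital.com.br.        IN      A

;; ANSWER SECTION:
www.govdigital.com.br.  3600    IN      CNAME  lb-govdigital-918440786.us-east-1.elb.amazonaws.com.
lb-govdigital-918440786.us-east-1.elb.amazonaws.com. 60 IN A 184.73.172.109
lb-govdigital-918440786.us-east-1.elb.amazonaws.com. 60 IN A 54.243.134.83
"""

# Assumed addresses: the restricted PC and an unrelated hotel guest machine.
RESTRICTED_PC = "192.168.1.50"
OTHER_GUEST = "192.168.1.77"

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_answer(dig_text):
    """Extract (owner, ttl, type, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        m = RR_RE.match(line) if in_answer and line else None
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records


def resolve_chain(records, fqdn):
    """Follow CNAMEs from fqdn and return (set of addresses, effective TTL).

    The effective TTL is the minimum along the chain: the 3600 s on the CNAME
    does not help when the A records behind it expire after 60 s."""
    name = fqdn.lower().rstrip(".") + "."
    seen, addrs, ttl = set(), set(), None
    while name not in seen:          # 'seen' guards against a CNAME loop
        seen.add(name)
        target = None
        for owner, rr_ttl, rtype, rdata in records:
            if owner != name:
                continue
            ttl = rr_ttl if ttl is None else min(ttl, rr_ttl)
            if rtype == "CNAME":
                target = rdata
            else:
                addrs.add(rdata)
        if target is None:
            break
        name = target
    return addrs, ttl


def build_rules(alias_addrs):
    """First-match rule set modelled on the plan in the thread: pass the PC to
    the alias, block everything else from the PC, leave other hosts open."""
    return [
        ("pass", RESTRICTED_PC, frozenset(alias_addrs)),
        ("block", RESTRICTED_PC, "any"),
        ("pass", "any", "any"),
    ]


def decide(rules, src, dst):
    """Return the action of the first rule matching (src, dst); pfSense
    interface rules are generated with pf's 'quick', so first match wins."""
    for action, rule_src, rule_dst in rules:
        if rule_src not in ("any", src):
            continue
        if rule_dst != "any" and dst not in rule_dst:
            continue
        return action
    return "block"  # pfSense default deny when nothing matches


def stale_seconds(effective_ttl, refresh_interval):
    """Worst-case time the alias can keep addresses the ELB already dropped:
    the answer is only valid for effective_ttl seconds, but the alias is
    only re-resolved every refresh_interval seconds."""
    return max(0, refresh_interval - effective_ttl)


if __name__ == "__main__":
    records = parse_answer(SAMPLE_DIG)
    addrs, ttl = resolve_chain(records, "www.govdigital.com.br")
    rules = build_rules(addrs)
    print("alias ->", sorted(addrs), "effective TTL", ttl)
    print("PC to ELB address:", decide(rules, RESTRICTED_PC, "184.73.172.109"))
    print("PC to elsewhere:", decide(rules, RESTRICTED_PC, "8.8.8.8"))
    print("guest to elsewhere:", decide(rules, OTHER_GUEST, "8.8.8.8"))
    # Assumed 300 s alias refresh; with a 60 s TTL the alias may lag by 240 s.
    print("alias may be stale for up to", stale_seconds(ttl, 300), "seconds")
```

The last function is the caveat from both answers in numbers: with the CNAME's 3600 s TTL ignored and the A records' 60 s TTL governing, an alias refreshed every 300 s can hold addresses the load balancer no longer uses for most of that interval, and any new address the ELB hands out in the meantime falls through to the block rule.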

