Can't Block Website By IP?



  • **For those that run across this thread in the future, the answer lies in this post: (https://forum.pfsense.org/index.php?topic=73561.msg401877#msg401877). It turns out that if squid is enabled, firewall rules are ignored for HTTP traffic.

    In the end, the slightly-hacky-but-still-works solution to the problem is outlined in this post: https://forum.pfsense.org/index.php?topic=73561.msg401895#msg401895**

    Hello, all!

    To start with, my end goal is blocking Facebook at certain times on one of our interfaces.

    I tried going for the whole enchilada to start with (seems easy enough, right?) by creating an alias containing all the IP ranges I could find for Facebook (may end up getting a subscription from I-Blocklists), creating the rule to reject traffic going outbound to that alias from any address (rule located in correct interface).

    Unfortunately this did not work. I have been whittling away different potential points of failure (not having all of the IPs used by Facebook, there being an issue with the way the alias is set up, etc.), and at this point I am trying to block a single website using its straight IP. I KNOW the website I am blocking only has one IP (it's my website, hosted on my VPS), so there's no way it can get around it.

    I've tried it like this:
    IPV4, all protocols, all sources, all ports, website's IP, all ports.
    When I do this, it blocks pings just fine (ICMP packets), but still allows access to the website.

    When I do a packet capture of the host I am testing it on, it sees the packets going to the blocked IP address.

    Attached is the way I've got it set up currently… From what I've read online, the "source" doesn't need to be set for these rules, but I tried it anyway to see if it would work.

    After changing anything, I flush the state table to close all connections that may be open to the server... I also have tried clearing the cache of the browser to make sure it isn't loading the page from cache, and have even disabled the web proxy to make sure it isn't loading from that cache.

    Any suggestions?

    Thanks!
    ElectroPulse
    ![Web Blocking Not Working.png](/public/imported_attachments/1/Web Blocking Not Working.png)



  • You are better off making use of alias.  This way you can add multiple IPs to block without messing around with the firewall rule on the interface.

    https://doc.pfsense.org/index.php/Aliases



  • @Darkk:

    You are better off making use of alias.  This way you can add multiple IPs to block without messing around with the firewall rule on the interface.

    https://doc.pfsense.org/index.php/Aliases

    Doesn't sound like you read my OP…

    I said I was going to use an alias, but for testing purposes I reduced it to the one IP for my website, in order to try and isolate the problem.



  • If you use squid, HTTP traffic bypasses the firewall. You should block sites using squid or squidguard, not by firewall rules.



  • @rubic:

    If you use squid, HTTP traffic bypasses the firewall. You should block sites using squid or squidguard, not by firewall rules.

    Ah! That's it… Dang, that was frustrating. I hadn't realized that it completely ignored the firewall rules. Turns out when I thought I tried it without the squid service running in the past, it actually was (I stopped the service, but it turns out it restarted itself). I went into the settings to disable it, and now the specified website won't come up, but others will.

    Anyway, unfortunately I would prefer to use firewall rules in this situation... Facebook is the only secure page that we need blocked, and it would be preferable to avoid blocking of secure traffic on this VLAN. In my experience with blocking secure traffic in the computer lab, even with the CA cert installed it throws a lot of certificate errors, and I would like to avoid this with this particular VLAN (not to mention the headache of installing the certificates on every single computer that comes through).

    Is there a way to make it abide by firewall rules as well? I'll look through the squid settings to see if I can find anything... I'll also try this with an exclusively HTTPS website and see if it still circumvents the firewall even though HTTPS filtering is disabled on this VLAN.

    Again, thank you for straightening me out with my misunderstanding of how it works!



  • @rubic:

    If you use squid, HTTP traffic bypasses the firewall. You should block sites using squid or squidguard, not by firewall rules.

    Sweet! Just got it working! All I needed to do was add the Facebook alias with all the IPs to the "Bypass proxy for these destination IPs" under "Proxy Filter." Now when I create the firewall rule with the Facebook alias, it works! Kinda hacked together, but still works beautifully…

    But yea, thank you for the help! Definitely glad this came up, as now I better understand how Squid works.



  • @rubic:

    If you use squid, HTTP traffic bypasses the firewall. You should block sites using squid or squidguard, not by firewall rules.

    That means the pfBlocker package is useless when I use squid3 with pfSense.


  • Rebel Alliance Developer Netgate

    @finalcut:

    @rubic:

    If you use squid, HTTP traffic bypasses the firewall. You should block sites using squid or squidguard, not by firewall rules.

    That means the pfBlocker package is useless when I use squid3 with pfSense.

    No it just means you need to use aliases to block outbound in floating rules, not on the LAN tab.
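The two fixes discussed in this thread (adding the alias to Squid's destination bypass list, or blocking outbound in floating rules) can be understood from pf's processing order, modelled below. This is an added illustration, not pfSense or Squid code; it assumes that the transparent-proxy redirect is applied before the LAN tab filter rules are evaluated, that only plain HTTP (port 80) is intercepted, and that Squid's own fetch to the origin leaves via WAN where a floating outbound rule can match it. The alias contents and port are constructed.

```python
"""Model of why a LAN-tab block rule misses HTTP when Squid runs transparently.

Assumption (illustration only): pf applies rdr (redirect) rules before filter
rules, so a transparent Squid redirect rewrites the destination to the local
proxy port before the LAN rule is examined.  Destinations on Squid's bypass
list are not redirected and reach the LAN rule with their real address.
"""
from ipaddress import ip_address, ip_network

SQUID_PORT = 3128        # constructed value for the model
HTTP_PORTS = {80}        # transparent interception covers plain HTTP only

def in_alias(ip, alias):
    """True if ip falls inside any network of the alias (a list of CIDRs)."""
    return any(ip_address(ip) in ip_network(net) for net in alias)

def evaluate(dst_ip, dst_port, *, squid_transparent, bypass, lan_block, floating_block):
    """Verdict for a LAN client reaching dst_ip:dst_port (None = non-TCP, e.g. ICMP).

    Returns (verdict, reason); each alias argument is a list of CIDR strings.
    """
    # Stage 1: rdr.  Transparent Squid grabs port-80 traffic unless the
    # destination is in "Bypass proxy for these destination IPs".
    redirected = (squid_transparent and dst_port in HTTP_PORTS
                  and not in_alias(dst_ip, bypass))
    if redirected:
        # The LAN filter rule now sees 127.0.0.1:SQUID_PORT, so a rule whose
        # destination is the Facebook alias cannot match.  Squid's own
        # connection to the origin goes out WAN, where a floating rule applies.
        if in_alias(dst_ip, floating_block):
            return ("blocked", "floating outbound rule matched Squid's fetch on WAN")
        return ("allowed", "rdr to 127.0.0.1:%d hid destination from LAN rule" % SQUID_PORT)
    # Stage 2: filter rules see the real destination.
    if in_alias(dst_ip, lan_block):
        return ("blocked", "LAN interface rule matched real destination")
    if in_alias(dst_ip, floating_block):
        return ("blocked", "floating outbound rule matched")
    return ("allowed", "no rule matched")

# Constructed alias (documentation range), standing in for the Facebook ranges.
FACEBOOK = ["203.0.113.0/24"]
```

The first case in the test reproduces the original symptom: ICMP to the address is blocked while a plain-HTTP fetch still succeeds.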

