Block incoming URL

  • I have been reading up on using an alias to block a URL.  I am not sure this will work in my situation, but would like to check.

    We have a number of URLs using the same external IP address.  We then have a proxy server that redirects according to the address.

    We would like to be able to block an external address from accessing just one of these URLs.  From what I have read, since the URL resolves to an IP address, the result would be that all the URLs would be blocked.  Can someone please verify if this is true?

    Thanks, Gordon.

  • How does pfSense fit into this?  If you have a web server handling several virtual domains, you can block at the web server level via .htaccess or some other mechanism and keep that IP address away.  Barring that method, your proxy server (is it a pfSense box?  You didn't say) may be able to do that for you.

  • I am against URL blocking because the IP of that URL may change and pfSense would have to do the lookups. This may not seem like a big deal, but imagine 50 or so IP addresses that are not resolving but pfSense keeps trying to; it just wastes performance. Sometimes a server might go down and then you get spammed with errors about not being able to resolve the URL. If it's just a few URLs it's not too bothersome, but let's say you have 50 to 100 of them and you use one alias for all of that. It can be difficult to find out which one is not resolving, and even if you can see what is not resolving it creates a big mess.

    My favorite method to block websites is opening two pfSense web GUIs on two different screens. Then I use the ping tool to find out the IP addresses for URLs to block, and at the same time I can have the pfBlocker custom lists open on the other screen and just copy and paste. A new URL comes up, I just add the IP to that one list, or I would just block the entire CIDR if I was absolutely positive that it is not needed for anything. By the way, that is the only thing that I feel pfBlocker is useful for at this point, because it has not been updated for quite some time. Also, when you do create these lists I highly recommend doing alias only and just adding the alias rule on the floating rules side. This keeps your LAN side free from confusion. The less confusion, the better the security in my opinion. Last but not least, always back up your work. Writing rules, aliases or what have you may not seem time consuming at first, but over time of constantly adding things it can really leave you high and dry without proper backups, because anything could happen.

  • Moderator

    I agree with you Cmellons.

    I wrote a script to perform what pfBlocker does (but allows for more formats of blocklists to be downloaded), and it blocks known malicious IPs.

    What it can't do, however, is block malicious URLs that are on Google or Amazon etc.  These are legitimate IPs, but the URLs that take them there are malicious. So having a means to block malicious URLs can help in these types of situations. Sites like PhishTank or VirusTotal have tons of malicious URLs that are pointing to legitimate sites.

  • We don't have to worry about the IP address changing since we control that.  This is for incoming connections.  pfSense is not being used as the proxy server.  We are using Varnish.  But we don't want to block the connection at the Varnish server; we want to block it at the firewall.

    Here is the scenario.  We have two dedicated connections, one for each of our customers.  They access Citrix via these connections using HTTP.  We also have a third connection for our WAN.  We don't want the customers to use the WAN connection for Citrix since they already have a dedicated connection.  We also host a number of websites.  The websites, including the Citrix connection, all use the same external IP, but the Varnish server redirects according to the web address.
    With the Citrix connection we also use it for other clients and employees that we do want to go through the WAN connection.  So we want to be able to block certain IP addresses at the firewall from accessing certain URLs (Citrix).
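
The thread's underlying point is that pfSense filters on layer 3/4 (source and destination IP and port), so a rule against the shared external address blocks every virtual host behind it; the Host header that distinguishes the Citrix site from the other websites is only visible at the proxy. The snippet below is an added example, not from any poster in this thread, of doing that match in Varnish VCL: a source-address ACL applied only to requests whose Host header names the Citrix site. The hostname `citrix.example.com`, the blocked ranges `203.0.113.10` and `198.51.100.0/24`, the backend address and the Varnish 4-or-later VCL syntax are all assumptions; substitute the real values.

```vcl
# Added example (not from the thread): deny specific client addresses
# access to one virtual host while leaving the other sites untouched.
vcl 4.0;

# Assumed backend; replace with the real web/Citrix origin.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Assumed addresses that may not use this path to reach Citrix
# (e.g. customers who have their own dedicated connection).
acl blocked_from_citrix {
    "203.0.113.10";
    "198.51.100.0"/24;
}

sub vcl_recv {
    # Match the Host header (optionally with a port), case-insensitive,
    # so a request for any other site on the same IP is never affected.
    if (req.http.host ~ "(?i)^citrix\.example\.com(:[0-9]+)?$"
        && client.ip ~ blocked_from_citrix) {
        # Refuse before any backend fetch; logged by Varnish as a synth.
        return (synth(403, "Forbidden"));
    }
}
```

Two checks before relying on this: `client.ip` must be the real external address, which holds when pfSense delivers the traffic with a plain port forward (destination NAT only); if anything rewrites the source address (outbound NAT on the forward, NAT reflection, or another proxy in front of Varnish), the ACL would see that intermediate address instead and either block everyone or no one. The match is also on the Host header, not on the pfSense interface the packet arrived through, so it only separates "customers via WAN" from "everyone else" when those customers arrive from source addresses you already know, which the poster above says is the case.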
