Netgate Discussion Forum
    HTTPS by IP not blocked

    Chrismallia

      Hi, I am trying to block HTTPS sites from the firewall using the sites' IPs, but for some reason the HTTP sites by IP that I tried for testing get blocked fine, while HTTPS by IP still does not block.
      I am going to the firewall:
      1 block
      2 LAN
      3 TCP/UDP
      4 single host/aliases
      ports any
      Any help? Thanks, regards Chris
      By the way, I looked up all the sites' IPs (for example Facebook) from DNS lookup, whois and pinging the site, so all are saved in an alias I created.
    Harvy66

      Many popular HTTPS sites, like Facebook, have tens of thousands of IP addresses that are potentially changing. What IP you see is probably not the same IP someone else will see. When I ping Google, I get a different IP than if my wife pings Google.
    Chrismallia

      @Harvy66:

      Many popular HTTPS sites, like Facebook, have tens of thousands of IP addresses that are potentially changing. What IP you see is probably not the same IP someone else will see. When I ping Google, I get a different IP than if my wife pings Google.

      Thank you for your answer, that makes a lot of sense. So I do not think right now there is a way to block HTTPS sites? I have set up pfSense for a Sunday church school and they wanted to block Facebook and YouTube just on certain days and times, not the whole time. I was going to use OpenDNS, but that will block at all days and times.
    KOM

      You will need to use a helper such as squid/squidGuard, or pfBlockerNG to handle that.  Just trying to block based on manually entering IP addresses can be an exercise in futility.
    Chrismallia

      @KOM:

      You will need to use a helper such as squid/squidGuard, or pfBlockerNG to handle that.  Just trying to block based on manually entering IP addresses can be an exercise in futility.

      Hi, thank you for your help. I have squid3 and squidGuard in transparent mode, but they do not block HTTPS, just HTTP. Do you maybe have some steps on how to do so with squid or pfBlocker? Thank you again.
    KOM

      Don't run squid in transparent mode.  Run it in explicit mode, block off TCP 80/443 and force everyone through the proxy.  Then you can filter HTTPS.  Search the forums for more details about pfBlockerNG as I don't use that and can't help you with it.  The Cache/Proxy forum is the best place for squid questions, and the IDS/IPS forum for pfBlockerNG.
    Chrismallia

      Hi, thank you again for all your replies, you are a real great help on these forums. Just one last question: if I run squid in explicit mode, how will I force devices to go through the proxy? People here bring their own devices, so I can't modify their browsers.
    KOM

      Well, you can try WPAD, or just tell them the proxy address & port and make them use it or else they have no Internet access.
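    The WPAD route KOM mentions, and the explicit-proxy setup from the earlier reply, come down to one small file. Below is an added example of a PAC file (served as wpad.dat or proxy.pac) that sends every HTTP and HTTPS request through an explicit squid proxy and lets only LAN destinations go direct. It is not code from the thread, pfSense or squid; the proxy address 192.168.1.1:3128, the LAN range and the .lan/.local suffixes are assumptions to be replaced with your own. It deliberately uses only plain JavaScript (no isInNet/dnsDomainIs helpers), so the same file runs in a browser's PAC engine and under Node for testing.

    ```javascript
    // Added example, not from the forum thread: a minimal WPAD/PAC file.
    // Assumed values: squid listening on 192.168.1.1:3128 (pfSense LAN address,
    // squid's default explicit port); everything else is routed through it.
    var PROXY = "PROXY 192.168.1.1:3128";

    // True for loopback and RFC 1918 addresses written as dotted quads.
    // Browsers hand FindProxyForURL the literal host from the URL, so a user
    // typing an internal IP still reaches it without the proxy.
    function isPrivateIPv4(host) {
      var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
      if (!m) return false;
      var a = +m[1], b = +m[2];
      if (a === 10 || a === 127) return true;
      if (a === 192 && b === 168) return true;
      if (a === 172 && b >= 16 && b <= 31) return true;
      return false;
    }

    // Entry point every PAC engine calls for each request.
    // Returns "DIRECT" or a proxy string; https:// URLs get the same answer
    // as http://, which is what makes HTTPS filterable in explicit mode.
    function FindProxyForURL(url, host) {
      host = host.toLowerCase();
      // Plain hostnames (no dot) are local machines: go direct.
      if (host.indexOf(".") === -1) return "DIRECT";
      if (host === "localhost" || isPrivateIPv4(host)) return "DIRECT";
      // Internal DNS suffixes (assumed names): go direct.
      if (/\.(lan|local)$/.test(host)) return "DIRECT";
      // Everything else, including https://www.facebook.com, goes to squid.
      // Paired with a LAN firewall rule that blocks TCP 80/443 to anything
      // except the proxy, a device that ignores WPAD simply has no web access.
      return PROXY;
    }
    ```

    To make browsers pick this up automatically, publish it as http://wpad.<your-domain>/wpad.dat (a wpad A record in the pfSense DNS resolver pointing at the firewall) and, for clients that use DHCP discovery, hand out the same URL in DHCP option 252; serve it with the MIME type application/x-ns-proxy-autoconfig. The firewall rule is the part that enforces the policy: the PAC file only tells cooperating browsers where to go, so without the 80/443 block a device can still bypass the proxy.
    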
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.