Blocking Sites



  • Hi All
    I'm after some help with blocking websites.
    I've just installed a new copy of pfSense at home to replace my current firewall (IPCop), but I'm wanting to know how I can stop my children accessing websites like I can with IPCop by blocking them by category, and also cut their internet access at set times so they are not on the internet at 3am.
    Each device on my network has its own reservation set by pfSense.

    Please can you tell me how I can block websites to certain devices?

    Many thanks.



  • You might want to think about using OpenDNS in conjunction with pfSense. I have static IPs for my SOHO, so this free solution is a bit easier for my case.

    To paint a picture, your steps would be something like:

    • Register and create an account with OpenDNS. Configure OpenDNS with kid-friendly/family-friendly settings.

    • In pfSense under System/General Setup, configure it to use the OpenDNS DNS servers (I think 208.67.222.222 and 208.67.220.220).

    • In pfSense, enable DNS Forwarding under Services/DNS Forwarder for all interfaces.

    • In pfSense Firewall/Rules, make 3 rules in this order, for each LAN: 1) enable port 53 to LAN gw (ex: 10.0.0.1), 2) enable parent's computer(s) access to 8.8.4.4 port 53, 3) drop port 53 to all other IPs.

    This approach allows you to lock down the DNS responses on the LAN side of your FW to only OpenDNS-approved responses. In the event that mommy or daddy want to look at something else (violence, political, <other>), then you can change the DNS setting on the parent's computer to 8.8.4.4 (Google's DNS). When finished, change the DNS settings on the parent's computer back to the LAN's gateway address (whatever it is: 192.168.1.1, 10.0.0.1, …) and say to yourself: "mischief managed".

    NOTE: If your public egress (WAN IP) is not a static IP, I think there's an option to run an application supplied by OpenDNS to dynamically update your WAN IP in their system, so they can respond to DNS queries based on your settings.

    NOTE2: I wish pfSense had a widget that would integrate with OpenDNS, keep OpenDNS updated with your egress IP, and provide the OpenDNS UI within the pfSense console to make this easier for folks.

    NOTE3: As a general security practice, I would always recommend a whitelist approach over a blacklist approach. For example, rather than lock down certain sites for your kid's devices, it would be better to lock down the entire network and then open access on an as-needed basis to certain devices.
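
The three-rule ordering in the reply above, modelled as an added example that is not part of the original post or of pfSense itself: a small first-match evaluator showing which LAN clients can reach which resolvers on port 53, and what happens if an allow-all rule sits above the DNS rules. The parent's address (10.0.0.10), the child's address (10.0.0.50) and the trailing allow-all LAN rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    port: int     # destination port, 0 = any

# Constructed LAN: 10.0.0.0/24 with gateway 10.0.0.1 (the post's example).
LAN_RULES = [
    Rule("pass",  "10.0.0.0/24",  "10.0.0.1/32", 53),  # 1) DNS to the LAN gateway
    Rule("pass",  "10.0.0.10/32", "8.8.4.4/32",  53),  # 2) parent's computer to 8.8.4.4
    Rule("block", "10.0.0.0/24",  "0.0.0.0/0",   53),  # 3) drop DNS to all other IPs
    Rule("pass",  "10.0.0.0/24",  "0.0.0.0/0",   0),   # assumed allow-all LAN rule
]

def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule; no match means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "block"

def audit(rules, clients, resolvers):
    """Decision for a port-53 query from every client to every resolver."""
    return {(c, r): evaluate(rules, c, r, 53) for c in clients for r in resolvers}

if __name__ == "__main__":
    kid, parent = "10.0.0.50", "10.0.0.10"   # constructed addresses
    resolvers = ["10.0.0.1", "8.8.4.4", "208.67.222.222"]
    for (c, r), action in audit(LAN_RULES, [kid, parent], resolvers).items():
        print(f"{c:>10} -> {r:<15} port 53: {action}")
    # Same rules with the allow-all rule moved to the top: the lockdown is gone.
    misordered = [LAN_RULES[3]] + LAN_RULES[:3]
    print("misordered, kid -> 8.8.4.4:", evaluate(misordered, kid, "8.8.4.4", 53))
```

Running it shows the child's device can only query the gateway, while the parent's computer can additionally reach 8.8.4.4; with the allow-all rule first, every client can reach any resolver.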



  • Thanks Tivo

    Is there no built-in software in pfSense that already allows you to block by category?

