Blocking all sites, except one or two sites with firewall rules ONLY
-
Hi all
I know this may have been asked many times, both the purpose and the reasons, but bear with me and please help me figure out these rules.
What I am trying to do is to block all internet access for all users on all ports, except for two conditions:
1. Certain ports, like email and secure mail ports, etc., are OK to access.
2. Certain web sites like www.google.com, www.mycompanysite.com are OK. But other sites are not allowed.
So, this is what I did:
a. I set up two aliases, one for allowed ports and one for allowed IPs and URLs (google.com, teamviewer.com, etc)
b. I set a firewall rule that if the source is * and the target is not in `<allowed urls>`, then reject.
c. I added another rule that if the source is * and the target is any with ports listed in `<allowed ports>`, then pass the packets.
For some reason, I cannot access google.com and teamviewer.com even if I set the FQDN such as www.google.com and www.teamviewer.com.
It seems all websites are blocked. But some sites are allowed to pass, the ones with a specific IP (IP-based URLs). If I want to block certain URLs, then using this method will work. But to bypass some domains, it did not work.
Please check the attached pictures. I really do not want to use Squid if possible, to keep my firewall as light as possible.
All help is appreciated. Thank you.
![Allowed Alias.png](/public/imported_attachments/1/Allowed Alias.png)
-
My one thought is you need to allow DNS through. This will allow you to resolve valid sites.
-
My one thought is you need to allow DNS through. This will allow you to resolve valid sites.
I tried to pass all possible DNS servers listed in my pfSense. Still no use. I input them in the allowed IP alias and passed them in the firewall rules.
-
I don't read it that way.
First rule allow DNS.
Second rule allow sites.
Third rule allow ports.
Fourth rule block all.
-
I don't read it that way.
First rule allow DNS.
Second rule allow sites.
Third rule allow ports.
Fourth rule block all.
Can I put the first and second rule as one alias (allowed sites)? I use any protocol and any ports. And I did that and even added more.
First rule: Allow DNS IPs
Second rule: Allow sites
Third Rule: Allow Ports
Fourth Rule: Block all
Some sites with a specific IP specified in the allowed sites alias work. But sites with many IP possibilities and FQDN still cannot be reached. For example: google.com
When I call google, it will be rejected.
Can anyone help?
-
Anyone at all can help me?
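The rule order suggested in the thread (allow DNS, allow sites, allow ports, block all) is evaluated first-match, and an FQDN alias only contains the addresses the firewall's own resolver saw at its last refresh. The simulation below is an added example, not pfSense code or anything from the thread; the addresses, the DNS snapshot and the connection records are constructed to show why a site with one fixed IP passes while a site with a large address pool such as google.com can still be blocked.

```python
# Constructed simulation of top-down, first-match firewall rule evaluation
# with an FQDN-based alias. Not pfSense code; all addresses are made up.

# Constructed snapshot: what the firewall's resolver returned when the
# "allowed sites" alias was last refreshed. The google entry is deliberately
# only a subset of the real pool, mirroring the problem in the thread.
ALIAS_SNAPSHOT = {
    "www.mycompanysite.com": ["203.0.113.10"],
    "www.google.com": ["198.51.100.1", "198.51.100.2"],
}
ALLOWED_DNS_SERVERS = {"192.0.2.53"}          # constructed resolver address
ALLOWED_PORTS = {25, 465, 587, 993, 995}      # mail ports, as in the question


def alias_from_snapshot(snapshot):
    """Flatten an FQDN alias into the set of IPs it currently contains."""
    return {ip for ips in snapshot.values() for ip in ips}


def build_rules(site_ips):
    """Return the four rules in order; the first rule that matches wins."""
    return [
        ("allow dns", lambda c: c["dst"] in ALLOWED_DNS_SERVERS
                                  and c["dport"] == 53),
        ("allow sites", lambda c: c["dst"] in site_ips),
        ("allow ports", lambda c: c["dport"] in ALLOWED_PORTS),
        ("block all", lambda c: True),
    ]


def evaluate(rules, conn):
    """Return the name of the first matching rule for a connection."""
    for name, matches in rules:
        if matches(conn):
            return name
    return "block all"


def classify(dst, dport):
    """Evaluate one outbound connection against the current alias contents."""
    rules = build_rules(alias_from_snapshot(ALIAS_SNAPSHOT))
    return evaluate(rules, {"dst": dst, "dport": dport})


if __name__ == "__main__":
    # The client resolved www.google.com to an address the alias never saw.
    for dst, dport in [("192.0.2.53", 53), ("203.0.113.10", 443),
                       ("198.51.100.1", 443), ("198.51.100.7", 443),
                       ("198.51.100.7", 993)]:
        print(f"{dst}:{dport} -> {classify(dst, dport)}")
```

The last two lines of output show the failure mode: the same unlisted google address is blocked on port 443 but passes on port 993, because only the port rule matches it.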