    Blocking all sites, except one or two sites with firewall rules ONLY

    Firewalling
cinlung:

Hi all

I know this may have been asked many times, both for the purpose and the reasons, but bear with me and please help me figure out these rules.

What I am trying to do is to block all internet access for all users on all ports, except for two conditions:
1. Certain ports like email, secure mail ports, etc. are OK to access.
2. Certain web sites like www.google.com, www.mycompanysite.com are OK. But other sites are not allowed.

So, this is what I did:
a. I set up two aliases, one for allowed ports and one for allowed IPs and URLs (google.com, teamviewer.com, etc.)
b. I set a firewall rule that if the source is * and target is not <allowed urls> then reject.
c. I added another rule that if the source is * and target is any with ports listed in <allowed ports> then pass the packets.

For some reason, I cannot access google.com and teamviewer.com even if I set the FQDN such as www.google.com and www.teamviewer.com.
It seems all websites are blocked.

But some sites are allowed to pass, the ones with a specific IP (IP-based URLs). If I want to block certain URLs then using this method will work. But to bypass some domains, it did not work.

Please check the attached pictures; I really do not want to use Squid if possible, to keep my firewall as light as possible.

All help is appreciated. Thank you.

![Allowed Alias.png](/public/imported_attachments/1/Allowed Alias.png)
coxhaus:

My one thought is you need to allow DNS through. This will allow you to resolve valid sites.
cinlung:

@coxhaus:

My one thought is you need to allow DNS through. This will allow you to resolve valid sites.

I tried to pass all possible DNS servers listed in my pfSense. Still no use. I input them in the allowed IP alias and pass them in the firewall rules.
coxhaus:

I don't read it that way.

First rule allow DNS.
Second rule allow sites.
Third rule allow ports.
Fourth rule block all.
cinlung:

@coxhaus:

I don't read it that way.

First rule allow DNS.
Second rule allow sites.
Third rule allow ports.
Fourth rule block all.

Can I put the first and second rule as one alias (allowed sites)? I use any protocol and any ports. And I did that and even added more.

First rule: Allow DNS IPs
Second rule: Allow sites
Third rule: Allow ports
Fourth rule: Block all

Some sites with a specific IP specified in the allowed sites alias work. But sites with many IP possibilities and FQDNs still cannot be reached. For example: google.com

When I call google, it will be rejected.

Can anyone help?
cinlung:

Anyone at all can help me?
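An added example, not from the thread and not pfSense's own code: a small first-match evaluator for a pfSense-style LAN ruleset. It walks a ruleset top-down the way pfSense interface rules are evaluated (first match wins) and reports which rule a given connection hits under the two orders discussed above: the opening post's "reject !allowed sites, then pass allowed ports" (taken as the only two rules on the interface), and coxhaus's "DNS, sites, ports, block all". It also models why an FQDN alias misses large sites: the alias holds only the addresses the firewall's own resolver returned at its last refresh, so a client that resolves www.google.com to some other address of the same CDN never matches the pass rule. Every alias name, address and port set below is constructed for illustration and does not come from the poster's screenshot.

```python
"""Toy first-match evaluator for two pfSense-style LAN rule orders.

Added example; not from the forum thread or from pfSense itself.
Alias names, addresses and ports are constructed (hypothetical).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed aliases. "allowed_sites" stands in for a pfSense FQDN alias:
# it contains only what the firewall's *own* resolver returned at the last
# refresh, not whatever a client's browser resolved a moment later.
ALIASES = {
    "allowed_ports": {25, 110, 143, 465, 587, 993, 995},   # mail ports only
    "dns_port": {53},
    "dns_servers": {"192.168.1.1/32"},                     # hypothetical LAN resolver
    "allowed_sites": {"203.0.113.10/32", "203.0.113.11/32", "198.51.100.7/32"},
}


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "reject"
    dst_alias: Optional[str] = None   # destination alias; None means "any"
    dst_negate: bool = False          # the "not" (invert match) box on destination
    port_alias: Optional[str] = None  # destination port alias; None means "any"


def dst_matches(rule: Rule, dst_ip: str) -> bool:
    if rule.dst_alias is None:
        return True  # destination "any"
    in_alias = any(ip_address(dst_ip) in ip_network(n) for n in ALIASES[rule.dst_alias])
    return in_alias != rule.dst_negate


def port_matches(rule: Rule, dst_port: int) -> bool:
    return rule.port_alias is None or dst_port in ALIASES[rule.port_alias]


def evaluate(rules, dst_ip: str, dst_port: int):
    """Return (action, index) of the first matching rule.

    pfSense interface rules are first-match, so order decides; if nothing
    matches, the implicit default deny at the end of the ruleset applies.
    """
    for i, rule in enumerate(rules):
        if dst_matches(rule, dst_ip) and port_matches(rule, dst_port):
            return rule.action, i
    return "block", None


# Order as described in the opening post: reject !allowed_sites first,
# then pass allowed_ports to any destination. Nothing else on the interface.
OP_ORDER = [
    Rule("reject", dst_alias="allowed_sites", dst_negate=True),
    Rule("pass", port_alias="allowed_ports"),
]

# Order coxhaus proposed: DNS, sites, ports, then block everything else.
COXHAUS_ORDER = [
    Rule("pass", dst_alias="dns_servers", port_alias="dns_port"),
    Rule("pass", dst_alias="allowed_sites"),
    Rule("pass", port_alias="allowed_ports"),
    Rule("reject"),
]

# Constructed connections: (label, destination IP, destination port).
CASES = [
    ("DNS query to the LAN resolver", "192.168.1.1", 53),
    ("IMAPS to a mail host not in any alias", "203.0.113.99", 993),
    ("HTTPS to an IP the FQDN alias did learn", "203.0.113.10", 443),
    ("HTTPS to an IP the client resolved but the alias did not", "203.0.113.40", 443),
]


def compare(cases=CASES):
    """Evaluate each case under both orders: {label: (op_result, coxhaus_result)}."""
    return {
        label: (evaluate(OP_ORDER, ip, port), evaluate(COXHAUS_ORDER, ip, port))
        for label, ip, port in cases
    }


if __name__ == "__main__":
    for label, (op, fixed) in compare().items():
        print(f"{label}\n  reject-first order: {op}\n  DNS/sites/ports/block: {fixed}")
```

Under the reject-first order every destination outside the sites alias is rejected by rule 1 before the ports rule is ever consulted, which is why mail and DNS fail too; under coxhaus's order those pass, and only the last case is rejected, because the client resolved an address the alias never learned. To check that on a real box, run `pfctl -t <alias name> -T show` on the pfSense shell to list the addresses the FQDN alias currently holds and compare them with what a LAN client gets from `nslookup www.google.com`; if the client's answer is not in the table, no rule using that alias can match it. The firewall re-resolves FQDN aliases only periodically (the interval is set under System > Advanced > Firewall & NAT), so for names that return many rotating addresses the table lags behind what clients see.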
                © 2021 Rubicon Communications, LLC | Privacy Policy