OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: GAM_1 on July 09, 2023, 01:26:28 pm

Title: Whitelist 6 Domains
Post by: GAM_1 on July 09, 2023, 01:26:28 pm
I want to block all internet access except 6 specific websites. What is the best way to do this with OPNsense? I've read the documentation on "Setup Web Filtering" and "Zenarmor" but these seem to be a little overkill for my simple whitelist. It would be nice to apply this to specific VLANs but that would not be strictly required.
Title: Re: Whitelist 6 Domains
Post by: RamSense on July 09, 2023, 01:32:12 pm
never tried myself, but I would say:
- make an alias for the website (url/ip) for the allowed websites
- make a firewall allow rule for this alias port 80 and 443
- make another firewall rule below the above with block all port 80 and 443

Title: Re: Whitelist 6 Domains
Post by: Patrick M. Hausen on July 09, 2023, 01:33:46 pm
I'd use DNS block and whitelists. Cannot produce the details from the top of my head, but I'd look into either Unbound blocklists or the AdGuard Home plugin.
Title: Re: Whitelist 6 Domains
Post by: CJ on July 09, 2023, 08:29:51 pm
Adguard is way overkill for this IMO.  Just enable DNSBL, don't select any lists, and add the 6 websites to the whitelist.
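The DNS route Patrick and CJ describe, as an added example that is not code from the thread or from OPNsense: a short shell script that generates a default-deny Unbound configuration (everything answers NXDOMAIN except the allowed zones) and a function that mirrors the same zone match offline so the policy can be checked before it is deployed. The policy is put in an Unbound view bound to one client subnet, so the firewall's own lookups (updates, NTP, alias resolution, which also go through the local Unbound) keep working and the restriction can be applied per LAN or VLAN. The domain names, the view name and the 192.168.1.0/24 client network are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: build a default-deny
# Unbound view for the "DNS route" and check query names against the same policy.
# ALLOWED holds hypothetical stand-ins for the six permitted sites.

ALLOWED="example.com example.org example.net"

# Emit Unbound config: clients in $1 are mapped to a view whose root zone answers
# NXDOMAIN for everything; each allowed zone is 'transparent' (resolved normally).
# Unbound applies the most specific matching local-zone, so the allowed zones
# override the "." entry. Lookups from other sources (the firewall itself) are
# not in the view and stay unrestricted.
gen_unbound_allowlist() {
  net=$1   # client network the policy applies to, e.g. 192.168.1.0/24 (assumption)
  printf 'server:\n'
  printf '  access-control-view: %s allowlist-only\n' "$net"
  printf 'view:\n'
  printf '  name: "allowlist-only"\n'
  printf '  view-first: no\n'
  printf '  local-zone: "." always_nxdomain\n'
  for d in $ALLOWED; do
    printf '  local-zone: "%s." transparent\n' "$d"
  done
}

# Offline mirror of the zone match: a query is allowed when it is an allowed zone
# or a name below one (suffix match on a label boundary, so "notexample.com" and
# "example.com.evil.test" are both denied). Case and a trailing dot are ignored,
# as a resolver would. Prints allow|nxdomain.
dns_policy() {
  q=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  for d in $ALLOWED; do
    case "$q" in
      "$d"|*."$d") echo allow; return 0 ;;
    esac
  done
  echo nxdomain
}

# Demonstration when run directly: print the config, then a few policy decisions.
gen_unbound_allowlist 192.168.1.0/24
for n in www.example.com EXAMPLE.ORG. example.com.evil.test notexample.com; do
  printf '%-26s %s\n' "$n" "$(dns_policy "$n")"
done
```

On current OPNsense releases the generated text goes into a .conf file under /usr/local/etc/unbound.opnsense.d/ (older releases had a custom-options box instead); restart Unbound afterwards. Pair it with a LAN rule that allows DNS (53 and 853) only to the firewall itself, otherwise a client pointed at an outside resolver, which is the bypass Amr describes later in the thread, never sees this policy.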
Title: Re: Whitelist 6 Domains
Post by: GAM_1 on July 09, 2023, 11:22:47 pm
Quote
never tried myself, but I would say:
- make an alias for the website (url/ip) for the allowed websites
- make a firewall allow rule for this alias port 80 and 443
- make another firewall rule below the above with block all port 80 and 443

Anyone know if this way works? And can you give more details? Such as, would I make these rules under my LAN or WAN? Also I only have 1 LAN and no VLANs, yet. I do not want to block myself out of the OPNsense web UI... Do I need to add another rule for that?
Title: Re: Whitelist 6 Domains
Post by: Amr on July 11, 2023, 03:31:15 pm
Quote
Anyone know if this way works?
It would work if the whitelisted website doesn't change IPs frequently (big providers like Google do, for load balancing); if it does, be ready to experience breakage.
- I would go the DNS route if you are okay with the fact that users (malicious or not) can subvert the access control (by using VPN/Tor or any other method). You can pair this method with an IPS (intrusion prevention system) that subscribes to a VPN block list or something, plus periodically reviewing logs and adding firewall rules that allow users HTTP(S) only.
- Else you need to deploy a MITM (transparent proxy), but that's a PITA to configure. Good luck.
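The alias + firewall-rule approach from RamSense's steps, with the GUI rule GAM_1 asked about and the IP-churn breakage Amr warns about, as an added example that is not code from the thread or from OPNsense: an offline model in shell of how the proposed rule order decides a LAN client's connection, run against a constructed alias snapshot and constructed client DNS answers. The firewall address, site names and all IPs are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: offline model of the
# alias + first-match firewall rules proposed in the thread. All data is constructed.

# Hypothetical firewall LAN address (where the web GUI listens on 443).
FW_LAN_IP="192.168.1.1"

# Constructed snapshot of what the firewall's FQDN alias currently resolved to.
# On a real box this is roughly what `pfctl -t <alias_table> -T show` prints
# (the table name is whatever OPNsense generated for the alias).
ALIAS_TABLE="203.0.113.10
203.0.113.11
198.51.100.7"

# Constructed answers a client's own DNS lookup just returned for an allowed site.
# The second address is a fresh load-balancer IP the firewall has not re-resolved yet.
CLIENT_ANSWERS="www.example.com 203.0.113.10
www.example.com 203.0.113.12"

# Returns 0 when $1 is in the alias table (exact, fixed-string line match).
in_alias() {
  printf '%s\n' "$ALIAS_TABLE" | grep -qxF "$1"
}

# Evaluate a LAN client's TCP connection to dst $1 port $2 against the rule order
# from the thread. OPNsense evaluates LAN rules top-down, first match wins:
#   1. pass  LAN -> firewall itself, port 443       (keeps the GUI reachable)
#   2. pass  LAN -> alias table,     ports 80, 443  (the six sites)
#   3. block LAN -> any,             ports 80, 443
#   other ports fall through to whatever rules follow (modelled as "default").
decide() {
  dst=$1; port=$2
  case "$port" in
    80|443) ;;
    *) echo default; return 0 ;;
  esac
  if [ "$dst" = "$FW_LAN_IP" ] && [ "$port" = 443 ]; then echo pass-gui; return 0; fi
  if in_alias "$dst"; then echo pass-alias; return 0; fi
  echo block
}

# Client answers that are missing from the firewall's alias: exactly the
# connections that hit rule 3 until the alias is re-resolved (Amr's breakage).
stale_answers() {
  printf '%s\n' "$CLIENT_ANSWERS" | while read -r name ip; do
    in_alias "$ip" || printf '%s %s\n' "$name" "$ip"
  done
}

# Demonstration when run directly.
printf 'GUI   -> %s\n' "$(decide "$FW_LAN_IP" 443)"
printf 'known -> %s\n' "$(decide 203.0.113.10 443)"
printf 'new   -> %s\n' "$(decide 203.0.113.12 443)"
printf 'ssh   -> %s\n' "$(decide 203.0.113.99 22)"
printf 'stale -> %s\n' "$(stale_answers)"
```

Two things the model makes visible: the rules belong on the LAN interface (rules are applied where the traffic enters the firewall, and these connections enter from LAN clients), and the block rule as proposed only covers 80 and 443, so everything else still falls through to the default LAN allow rule unless that rule is replaced too. The "new" case is the breakage Amr describes: the client resolved an address the firewall's alias does not contain yet, and that connection is blocked until OPNsense re-resolves the alias on its timer.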
Title: Re: Whitelist 6 Domains
Post by: ssonic on September 07, 2023, 11:08:44 pm
You can achieve that with the "web proxy" config. Enable HTTP and SSL intercept, SNI induction only, add websites and allowed hosts or networks to the proxy access list, configure your 6 websites in the proxy ACL, configure port forwarding from 80 and 443 to whichever corresponding ports you have in your proxy config (3218 and 3129 by default), and add this to the proxy blacklist:
.[a-zA-Z]+