Hi,
I am seeking guidance on implementing the following configurations in OPNsense:
Restricting Gmail Send while Allowing Gmail Access
In our LAN setup, I plan to restrict the "Send" functionality for Gmail (SMTP traffic to smtp.gmail.com on port 587), while ensuring Gmail access is still allowed. My approach involves:
Creating an Alias for smtp.gmail.com.
Adding a block rule for the destination port 587, with the Alias set in the destination field.
Could you confirm if this is the correct approach? Additionally, how should I implement the same restriction for a WireGuard Full Tunnel configuration?
Blocking File Uploads on Facebook and LinkedIn Messengers
We want to allow access to Facebook and LinkedIn but block file uploads specifically in their messaging platforms.
Could you guide me on how to achieve this?
Are there specific rules, protocols, or plugins to use in OPNsense for such granular control?
I would greatly appreciate your assistance and recommendations. Thank you for helping me enhance our network's configuration and security!
Looking forward to your valuable insights.
That will not work via a firewall alias for smtp.gmail.com. First, because OpnSense does not have DNS aliases, second, because Google has geo-based IP addresses and what smtp.gmail.com resolves to can change at any time.
What you can do is to block smtp.gmail.com via DNS resolution, say, by having it resolve to 127.0.0.1 locally. On the other hand, if you also send mails to gmail accounts from inside your network, you would need smtp.google.com, but on port 25 and that would not work as well.
As for the other question: No, OpnSense does not offer that. Once you interact with a web site over an encrypted channel, it can basically do anything, because OpnSense cannot look into the traffic. Plus, it has no means to control what HTTP verbs are allowed.
Wouldn't this only work when using a mail client?
If the users can access the gmail website...
Thanks for reverting! Does it mean there is no way to achieve this custom API blocking (For Gmail send | Linkedin Upload) without SSL bumping ? But as we know Squid will be resolved in June almost. and I don't find any other solution for SSL bumping. Until then no other way?
why don't you reach out to the Zenarmor team https://www.zenarmor.com/ maybe they have an option for you.
Thank you for the suggestion, but unfortunately, I cannot afford Zenarmor at the moment. The free plan they offer doesn't provide many features, which is why I am exploring other options for content filtering and MiTM. Additionally, Squid requires at least mid-2025 for my needs, so I'm looking for an alternative that fits better within my current requirements and budget.
Appreciate your understanding!