OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: thorben83 on October 03, 2025, 11:44:55 AM

Title: Firewall rules based on URL or even wildcard URL - how to deal with them?
Post by: thorben83 on October 03, 2025, 11:44:55 AM
Hello,
I am trying to filter HTTP / HTTPS traffic "somehow" so that I can allow outgoing access to URLs like these:

*.blob.core.windows.net
*.windowsupdate.com
cacerts.digicert.com (without wildcard, but with CDN it changes the IP address all the time)

What is the best way to achieve that? In best case, I don't need to do TLS / SSL interception because I will struggle to get a certificate deployed on every device.

I found a post that recommended using a proxy instead of plain firewall rules. As I did not find any proxy in OPNsense, I found another post that says that os-squid is in the plugin section now (https://forum.opnsense.org/index.php?msg=189574). But I cannot find os-squid in the plugin section.

Does anyone have ideas on how to get that challenge solved without an "any HTTP / HTTPS" rule?

Best regards
Thorben
Title: Re: Firewall rules based on URL or even wildcard URL - how to deal with them?
Post by: Monviech (Cedrik) on October 03, 2025, 11:46:30 AM
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
Title: Re: Firewall rules based on URL or even wildcard URL - how to deal with them?
Post by: thorben83 on October 03, 2025, 11:50:10 AM
oh, that looks interesting, thanks!

I guess that could work if I create a DNS forwarder on all Domain Controllers to OPNsense and run Dnsmasq there.

Thanks for that quick hint and have a good weekend :-)
Title: Re: Firewall rules based on URL or even wildcard URL - how to deal with them?
Post by: thorben83 on December 10, 2025, 03:19:17 PM
Hello,
sorry for the late reply... your suggestion worked perfectly. Really cool. I just had to tweak a few things because my firewall runs on an internal corporate network and my uplink has private IP addresses. Maybe this helps someone in the future with a similar setup:

- Disable DNS Rebinding Checks in System -> Settings -> Administration.
- Services -> Unbound DNS -> Advanced -> Rebind protection networks -> remove internal networks that are on the uplink

Best regards
Thorben
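As an added example (not part of this thread and not OPNsense's or Dnsmasq's own code), a small Python model of the mechanism the linked docs describe: a query name that equals a listed domain or is a subdomain of it has its resolved addresses added to the firewall alias, and a connection is only permitted if the destination was learned that way, which is why clients must resolve through OPNsense. The alias name, the addresses and the TTL-based expiry are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed allow-list modelled on the thread's entries. A dnsmasq "domain"
# entry covers the name itself and every subdomain, so "*.blob.core.windows.net"
# becomes "blob.core.windows.net". Alias name is an assumption of the example.
ALIAS_DOMAINS = {
    "blob.core.windows.net": "alias_msupdate",
    "windowsupdate.com": "alias_msupdate",
    "cacerts.digicert.com": "alias_msupdate",   # exact name, no wildcard needed
}


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain or one of its subdomains (label boundary
    enforced, so 'evilblob.core.windows.net' does not match)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def aliases_for(qname: str) -> list:
    return sorted({a for dom, a in ALIAS_DOMAINS.items() if matches_domain(qname, dom)})


@dataclass
class AliasTable:
    # (alias, ip) -> expiry timestamp; expiry by TTL is a simplification here
    entries: dict = field(default_factory=dict)

    def learn(self, qname: str, answers: list, now: float) -> list:
        """Feed resolved (ip, ttl) answers for qname; populate matching aliases."""
        added = []
        for alias in aliases_for(qname):
            for ip, ttl in answers:
                addr = str(ipaddress.ip_address(ip))
                self.entries[(alias, addr)] = now + ttl
                added.append((alias, addr))
        return added

    def members(self, alias: str, now: float) -> list:
        return sorted(ip for (a, ip), exp in self.entries.items()
                      if a == alias and exp > now)

    def permits(self, alias: str, dst_ip: str, now: float) -> bool:
        """Firewall-rule view: pass only if dst is currently in the alias."""
        return str(ipaddress.ip_address(dst_ip)) in self.members(alias, now)
```

A client that talks to an IP without first resolving a listed name through the firewall is blocked, and a name that merely contains an allowed string as a substring is not matched.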
Title: Re: Firewall rules based on URL or even wildcard URL - how to deal with them?
Post by: Monviech (Cedrik) on December 10, 2025, 03:29:59 PM
Nice, thanks for the feedback. :)