Good day,
Ver. 26.1-2, using a couple of custom anti-spam blocklists including one for FQDN.
What I want to do is block all traffic coming from any domain ending in *.outbound.protection.outlook.com (wildcard shown as an example). Unfortunately, I can't find a way to apply a wildcard as shown.
Is there a way to do this which doesn't require a Masters in network engineering?
Suggestions welcome. Thanks much!
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
Please note that this works, but the first access to an IP address might work (once) when dnsmasq updates the table of the firewall.
Once it has been learned, it's blocked.
Your question shows that you need to learn a lot about how things work:
Your wish is understandable, but this is not how things work (tm). First, domain names and "traffic" (presumably denoting traffic from specific IPs) are different concepts.
Imagine this: A DNS name like "www.xyz.de" can resolve to a whole set of IPs, some of which may also be used to host other websites, say "www.abc.de". While there is a way of resolving IPs to a DNS name, this is a. not guaranteed and b. resolves to only one (i.e. either www.xyz.de or www.abc.de or often, not even one of them).
A real-world example would be a cloud hoster who hosts hundreds of websites on one server. Thus, you may end up in www.xyz.de -> 192.168.1.1 and www.abc.de -> 192.168.1.1 (among others), but when you actually look at 192.168.1.1, you may find "server.cloudhoster.de".
Now, when your firewall inspects an IP packet from 192.168.1.1, how should it determine if this packet should get blocked, because you want to block www.xyz.de? All it knows is that this IP resolves to server.cloudhoster.de. And "*.xyz.de" is even worse than just "www.xyz.de", because it denotes all subdomains of xyz.de, which you cannot even iterate over - you must ask for any specific name in that zone, because *.xyz.de itself resolves to no IP at all.
That is why what Cedrik says does not work for you: You can block those IPs that a specific name www.xyz.de resolves to, but that will not cut it for *.xyz.de.
So much for that misconception: It is impossible on the "traffic coming from any domain".
If you put your question differently, you may end up with a different result. For example, you can use a DNS block list that can be used to prevent the DNS resolving of specific domains.
Whenever a client on your network tries to access a blocked DNS domain, it first must resolve the DNS name to an IP - and it gets none, thus preventing access, from, say, a browser on that client, effectively blocking access from your LAN to that domain (but not the other way around).
So, there you have it:
- There are bad domain names that you do not want your LAN clients to have access to - block them via DNS block lists. That only covers outbound access!
- There are bad IPs (not necessarily related to domains) which you can block incoming by other means, such as Firehol, AbuseIPDB, Blocklist.de or via the QFeeds plugin. You can even block specific GeoIP ranges or ASNs. Look up what those are, it is all in the documentation.
That being said: If you really want to use a pro tool like OPNsense, you will need to learn the concepts behind it. Otherwise, you will end up taking risks you do not understand. This may all sound condescending, but it is just a fair warning.