OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: t.mayer on March 09, 2019, 11:36:42 am

Title: Do not allow IP-Addresses in URL
Post by: t.mayer on March 09, 2019, 11:36:42 am
I have a working opnsense-proxy with shallalist as webfilter.

When I try to open a URL from a blocked category, it won't open (as expected).
But when I use the IP of the web server hosting the URL, I can reach the website.

Is there a way to block external IP addresses in URLs?
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist also blocks internal IPs in URLs.
Title: Re: Do not allow IP-Addresses in URL
Post by: hbc on March 18, 2019, 02:39:45 pm

Create a firewall alias which loads your blacklist and create a blocking rule using this alias.
Title: Re: Do not allow IP-Addresses in URL
Post by: t.mayer on March 18, 2019, 03:04:18 pm
When should somebody use a proxy then?

Because of the possibility of several URLs behind the same IP, blocking IPs via the firewall cannot be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding IP address of a URL into the browser.

Moreover, I do not see the possibility to load a list like the shallalist into the firewall alias section. Could you explain how to load a list into the alias section?

My solution for now are the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List

Title: Re: Do not allow IP-Addresses in URL
Post by: hbc on March 18, 2019, 03:21:47 pm
https://wiki.opnsense.org/manual/how-tos/edrop.html explains how to load IP block lists in OPNsense.

Most blocklists allow several export formats that can be set via a parameter (see e.g. https://pgl.yoyo.org/adservers/formats.php#plain).
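
Added example, not part of any post in this thread: a Python audit of the distinction the opening post asks for, flagging logged proxy requests whose target host is an IP literal outside the internal ranges while leaving internal IPs and hostnames alone. It goes beyond the dotted-quad regex by also handling CONNECT targets and bracketed IPv6 literals. Assumptions: the log uses Squid's native access.log layout, the sample lines are constructed, and INTERNAL_NETS, classify and external_ip_requests are illustrative names.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: networks treated as "internal"; adjust to the local addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def host_of(method, target):
    """Return the host part of a logged request target."""
    if method == "CONNECT":          # logged as host:port, without a scheme
        target = "//" + target
    return urlsplit(target).hostname

def classify(method, target):
    """Return 'name', 'internal-ip' or 'external-ip' for a request target."""
    try:
        addr = ipaddress.ip_address(host_of(method, target) or "")
    except ValueError:               # not an IP literal, so a hostname
        return "name"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal-ip"
    return "external-ip"

def external_ip_requests(log_lines):
    """Yield (client, method, target) for requests to external IP literals."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:          # skip truncated or foreign lines
            continue
        client, method, target = fields[2], fields[5], fields[6]
        if classify(method, target) == "external-ip":
            yield client, method, target

# Constructed sample lines (time elapsed client code/status bytes method URL ...).
SAMPLE_LOG = """\
1552127802.101     45 192.168.1.50 TCP_MISS/200 5120 GET http://203.0.113.10/index.html - HIER_DIRECT/203.0.113.10 text/html
1552127803.202     12 192.168.1.50 TCP_MISS/200 812 GET http://192.168.1.1/status - HIER_DIRECT/192.168.1.1 text/html
1552127804.303    230 192.168.1.51 TCP_TUNNEL/200 9042 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -
1552127805.404     60 192.168.1.52 TCP_DENIED/403 3900 GET http://blocked.example/ - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for hit in external_ip_requests(SAMPLE_LOG):
        print(*hit)
```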