OPNsense Forum

English Forums => General Discussion => Topic started by: hedberg on August 07, 2016, 07:50:30 pm

Title: Extending the whitelisting in proxy
Post by: hedberg on August 07, 2016, 07:50:30 pm
Have you considered making the proxy's blacklist function more flexible, so one could "turn it on its head" and forbid everything except categories that were checked/allowed - a whitelist?

EDIT: A shame that the whitetrash project (http://whitetrash.sourceforge.net) is abandoned. Looks interesting.
Title: Re: Extending the whitelisting in proxy
Post by: franco on August 08, 2016, 08:04:13 am
Hi hedberg,

Certainly something that could be done, but I have no ETA for the time being. We're collecting ideas for the 17.1 roadmap at the moment and will take a bit of time to decide on a viable bundle.

One caveat: I remember that whitelisting is tricky to get right with e.g. ad sites being required to load other web pages at all. It may take more administrative effort than simple category on/off to get it just right.


Cheers,
Franco
Title: Re: Extending the whitelisting in proxy
Post by: hedberg on August 09, 2016, 10:40:32 pm
I used it a lot before changing to OPNsense. As a minimum I always used it for all my isolated zones where e.g. a server only had reason to talk to a limited number of domains for e.g. updates and no other reason to initiate traffic to the internet.

I always try to lock things down as much as possible and prefer whitelists to blacklists. Thanks for not dismissing it - I am crossing my fingers :)

Title: Re: Extending the whitelisting in proxy
Post by: fabian on August 10, 2016, 11:18:59 am
In this case you can use a host alias and firewall rules instead of the proxy.
Title: Re: Extending the whitelisting in proxy
Post by: hedberg on August 10, 2016, 10:50:42 pm
It is a good suggestion, but to my understanding it won't work.

I often find that I need to specify wildcards in the domain name, and this function needs to know the fully qualified domain name.

One example is Windows updates. In order to get either that or WSUS to work you need to provide access to something like *.update.microsoft.com plus a couple of other domains, because the host name is changed constantly.

Title: Re: Extending the whitelisting in proxy
Post by: Feldunost on December 02, 2016, 05:28:45 pm
I am actually looking for this solution as well since I want:

- To block everything for some computers and only allow update links in a whitelist.
- To block everything and only allow a bigger list of whitelisted links added manually.
- To allow everything for specific IPs.

Which means having several whitelists and being able to block everything for specific computers / servers.

Dunno if it's actually possible ... ?


Edit:
I tried to add "*.*" and "*" on the blacklist without effect.
I wish to block everything and only accept whitelisted domains or links.
Title: Re: Extending the whitelisting in proxy
Post by: Feldunost on December 20, 2016, 10:52:56 am
Hello,

Found out, it seems to work with the following value: ^.
This should block all addresses and domains unless you specifically allowed the domain or IP access in "unrestricted ip addresses" or in "whitelist".

Thanks.
Title: Re: Extending the whitelisting in proxy
Post by: Feldunost on January 03, 2017, 11:26:07 am
Updated previous post with possible solution, could be marked as solved I think.
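The behaviour Feldunost describes (a catch-all `^.` blacklist entry, overridden by the whitelist and by unrestricted source IPs) and the wildcard need hedberg raised (`*.update.microsoft.com`) can be modelled in a few lines. The following is an added illustration, not OPNsense's or squid's code; the evaluation order (unrestricted IP, then whitelist, then blacklist), the wildcard-to-regex conversion and the sample hosts and IP are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample policy mirroring the thread (not an OPNsense config):
# "^." as the only blacklist entry, a wildcard whitelist for Windows Update,
# and one client that bypasses the proxy ACL entirely.
WHITELIST = ["*.update.microsoft.com", "download.windowsupdate.com"]
BLACKLIST = ["^."]                 # regex: matches any non-empty host name
UNRESTRICTED_IPS = ["192.0.2.10"]  # RFC 5737 documentation address


def wildcard_to_regex(pattern: str) -> str:
    """Turn a shell-style wildcard (*.update.microsoft.com) into an anchored regex.

    Anchoring with ^ and $ is what keeps 'update.microsoft.com.example.net'
    or 'evil-update.microsoft.com' from slipping through the whitelist.
    """
    return "^" + re.escape(pattern).replace(r"\*", ".*") + "$"


def is_valid_regex(entry: str) -> bool:
    """Report whether a list entry compiles as a regex; a bare '*' does not."""
    try:
        re.compile(entry)
        return True
    except re.error:
        return False


def decide(client_ip: str, host: str) -> str:
    """Assumed whitelist-first evaluation: unrestricted source IP -> allow;
    whitelist hit -> allow; blacklist hit -> deny; otherwise allow."""
    if ipaddress.ip_address(client_ip) in {ipaddress.ip_address(ip) for ip in UNRESTRICTED_IPS}:
        return "allow"
    host = host.lower().rstrip(".")
    if any(re.search(wildcard_to_regex(w), host) for w in WHITELIST):
        return "allow"
    if any(re.search(b, host) for b in BLACKLIST if is_valid_regex(b)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for ip, h in [("192.0.2.20", "v5.update.microsoft.com"),
                  ("192.0.2.20", "evil-update.microsoft.com"),
                  ("192.0.2.20", "update.microsoft.com.example.net"),
                  ("192.0.2.10", "example.org")]:
        print(f"{ip:12} {h:36} {decide(ip, h)}")
```

Note that `*` and `*.*` are not valid regular expressions at all in Python's engine (`is_valid_regex` returns False for them), which is consistent with those entries having no effect where list entries are treated as regexes.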