OPNsense Forum

English Forums => General Discussion => Topic started by: bdario on June 01, 2017, 05:08:30 pm

Title: how block youtube
Post by: bdario on June 01, 2017, 05:08:30 pm
Hello everybody,
another little question for you:
OPNsense 17.1.7
I'm trying to block the connection to some web servers (facebook, youtube, libero, and so on).
I created an alias for each site and I applied a rule on the LAN interface of the firewall.
All works fine except for www.youtube.com for which the rule doesn't block the traffic.

Any suggestion for me?

Best regards
Dario
Title: Re: how block youtube
Post by: stormy on August 07, 2017, 11:00:16 pm
Well, on 17.7, I tried this alias / rule, and no website worked; despite the rules, it allowed traffic.

example alias is:

social    Host(s)       www.facebook.com, facebook.com

example rule is:

    IPv4 *    192.168.1.199    *    social    *    *

This means that IP 192.168.1.199 is blocked from accessing "social" (the alias), but as mentioned, this does not block traffic; pinging and browsing work from that IP.

Changing the rule and removing the "social", i.e. target: ANY, then it blocks ALL traffic to that IP, so at least we know the rules basics do work, just not per-website/url...

Any tips welcomed.
Stormy.
Title: Re: how block youtube
Post by: fabian on August 07, 2017, 11:14:54 pm
would it not be easier to block it using DNS?
Title: Re: how block youtube
Post by: stormy on August 07, 2017, 11:18:33 pm
define "simple" :)  All these are pretty complex/involved.

I'm just looking for an easy and reliable way to block certain websites from certain PCs on the network, very similar to Parental control if you will.  DNS will only block name resolution; what if they know the IP or some embedded website has the IPs of youtube hardcoded?  This rule/alias seems very promising, if it would work :)  Simple enough, and only impacts that specific host/IP.
Title: Re: how block youtube
Post by: fabian on August 07, 2017, 11:27:48 pm
An alias will probably not work because it resolves a DNS entry which is valid for 300s (5min), which is too short for the firewall. It does not update them often enough (probably once an hour). So you need to block the name instead with a host override (DNS) or transparent proxy rule.
Title: Re: how block youtube
Post by: stormy on August 07, 2017, 11:47:16 pm
1) Then why is the alias option even there if it does not work? Maybe put a warning to users? Or specifically say when they do work?

2) DNS blocking will impact ALL machines on that LAN? Or can one do this per machine/PC?  Also, DNS blocking is really not blocking power users or websites that have the IP directly embedded into the web page.

3) I did read up on/looked at the transparent proxy rule; it looks like a sea of options there.

Maybe someone can post a simple screenshot of how to block a single URL from a single PC/IP?

I wonder how dd-wrt/tomato and other consumer grade firmwares make it so simple to enter as many URLs and group them, then define which IPs can access, schedules, etc.

Here the requirement is absolutely bare minimum: just block youtube.com from IP1, and facebook.com from IP2, for example.

I don't expect an overnight answer, but if someone did that already, a screenshot would be appreciated, and once I get that sorted I will post to this thread, as it appears others ran into the same issue before :)

Stormy.
Title: Re: how block youtube
Post by: fabian on August 08, 2017, 07:18:46 am
1) Then why is the alias option even there if it does not work? Maybe put a warning to users? Or specifically say when they do work?

It does work. Normal DNS entries have a TTL of 4h. The usual span is between 1h and 1d.

2) DNS blocking will impact ALL machines on that LAN? Or can one do this per machine/PC?  Also, DNS blocking is really not blocking power users or websites that have the IP directly embedded into the web page.

They still have to send the hostname to the proxy server.


3) I did read up on/looked at the transparent proxy rule; it looks like a sea of options there.

Maybe someone can post a simple screenshot of how to block a single URL from a single PC/IP?

Create two squid ACLs (source host, url_regex) by hand, and create a block rule.

I wonder how dd-wrt/tomato and other consumer grade firmwares make it so simple to enter as many URLs and group them, then define which IPs can access, schedules, etc.

Then there will probably be a proxy in the background too.
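One concrete shape of the two-ACL proxy approach described above (an added example, not code from the thread or from OPNsense itself): a squid.conf fragment that blocks youtube.com for a single client, assuming the client is 192.168.1.199 as in the thread and that the deny line is placed above any general allow rule.

```conf
# Source host ACL: only the one PC is affected; all other LAN clients are untouched
acl blocked_pc src 192.168.1.199/32

# url_regex matches the full request URL. For plain HTTP that is
# "http://www.youtube.com/...", for HTTPS (CONNECT) it is just "www.youtube.com:443",
# so match the domain wherever it appears and accept an optional :port.
# (^|/|\.) prevents "notyoutube.com" from matching.
acl video_sites url_regex -i (^|/|\.)youtube\.com(:[0-9]+)?(/|$)

# Both ACLs on one line are ANDed: deny only when this PC asks for this site.
# Must come before the "http_access allow localnet" line or it is never reached.
http_access deny blocked_pc video_sites
```

Because the proxy sees the requested hostname (including in the CONNECT request for HTTPS), this holds even when the client already knows the server's IP from a cached DNS answer, which is the gap the resolving-alias approach leaves open.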
Title: Re: how block youtube
Post by: stormy on August 08, 2017, 10:12:42 am
Thanks for taking the time Fabian.

Sorry, seems I'm totally uneducated on how this works, but thankfully someone else started this thread so I don't feel so bad :)

1)  First you wrote:

"An alias will probably not work because it resolves an DNS entry which is valid for 300s "

then you write it WILL work and say something about TTL 4h, not sure how that plays into things.  I just need traffic to specific websites blocked, I don't care if they can resolve the IP/names.

From TESTING, alias/firewall-rule seems NOT to work, as the original poster of this thread is claiming. I've added 2 aliases as follows:

social: facebook.com and www.facebook.com
video: youtube.com and www.youtube.com

then applied as a rule to FIXED IP 192.168.1.199, to BLOCK both these destinations.  Left it overnight, and 10hrs later, only one of these was blocked, the other was connecting fine.

If I remove the DESTINATION, and leave destination to ALL ("*"), then it blocks the entire PC/IP, which means the rule does work, but just the alias/filter does not.

Seems there is unpredictability (maybe b/c the name resolves to MANY IPs) with this method, although it is relatively simple to implement :)

2) In response to the DNS blocking you wrote:

"they still have to send the hostname to the proxy server"

What does that mean? 

I don't see how DNS blocking is useful; there are plenty of methods to get the IP of a host via any other network, so if I know that youtube.com resolves to a.b.c.d, one never has to send youtube.com, just access the IP directly, a.b.c.d, and it sounds like the DNS blocking would NOT block this. OR, does this rule somehow do a reverse lookup (in realtime??) and block it if it notices the IP maps to a blocked name?

Besides, I'm not sure where/how one would implement a DNS blocking rule in OPNsense.

3) As for this:

"Creating a two squid ACLs (source host, url_regex) by hand, and create a block rule"

It sounds so simple (to developers) :)  Reminds me of this old clip (1min):

https://www.youtube.com/watch?v=8LsxmQV8AXk

how simple "linux" is (it was true 10+ years ago, now it's a lot better), recompile your kernel, once or twice :)

4) I would hope/think that creating such a rule to block a *single website* from a *single IP* should take less time than writing any of these messages in this post?

Anyways, I'll post a working example once that is obtained, and if someone does have it, please share.

My fear with adding another "proxy" inside is a) it makes things more complex, b) it might break other things like VNC/VPN/SSH and other things connecting to that LAN.  I only want to ever impact 1 or 2 IPs, not the entire network, just these 2 PCs (based on hardcoded IP)...

My time horizon is weeks/months, not days or hours to resolve such things, it is not critical but longer term nice to resolve.

Thanks.
Stormy
Title: Re: how block youtube
Post by: Noctur on October 19, 2017, 02:48:57 pm
Been following this thread... anything working for you?
Title: Re: how block youtube
Post by: stormy on October 19, 2017, 11:38:19 pm
Sorry, haven't had time to look into this since then. It was surprisingly complex; I'm not sure why a simple list of URLs (with wildcards) cannot be blocked. Maybe someone has a solution.  For the moment, I shut down the entire client IP :) :) until a more reliable way is found...