OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: hilfubsi on February 08, 2018, 05:02:20 pm

Title: How to implement something similar to pfBlockerNg?
Post by: hilfubsi on February 08, 2018, 05:02:20 pm
I would like to block ads network wide, similar to what pfBlockerNg/PiHole does. I would also like the firewall to block the ad domains, not only for the DNS to resolve them to a dummy IP. This is for the Android YouTube app for example that does its own DNS and for which DNS ad blocking isn't effective.

How would I go about it in OPNsense? There doesn't seem to be a pfBlockerNg plugin available.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: elektroinside on February 08, 2018, 05:41:11 pm
I also would love to see Pi-hole (or something similar to handle lists and maintain a customizable whitelist / ability to whitelist a blocked domain once it's accessed with an easy GUI) integrated somehow into OPNsense.
But... no Pi-hole on FreeBSD based systems. So I just deployed Pi-hole on another machine... and am waiting for the future to bring something new :)

One thing's for sure, as long as there are workarounds, I will not ditch OPNsense.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: fabian on February 08, 2018, 05:43:48 pm
you can do that in the proxy for the best results (docs are available). IPS would work as well.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: elektroinside on February 08, 2018, 05:57:55 pm
Except for the proxy, don't like it :)
I am using IDS/IPS, but also Pi-hole. Not an issue for me :)
Title: Re: How to implement something similar to pfBlockerNg?
Post by: hilfubsi on February 08, 2018, 06:27:08 pm
you can do that in the proxy for the best results (docs are available). IPS would work as well.

It doesn't seem to understand adblock formatted lists though, does it? The UToulouse list is more intended to censor internet access than to block ads.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: fabian on February 08, 2018, 07:14:03 pm
It doesn't seem to understand adblock formatted lists though, does it? The UToulouse list is more intended to censor internet access than to block ads.

There are other lists like https://pgl.yoyo.org/as/ for ad blocking using a hosts file or a proxy. Ad blockers do have a different syntax which allows basically two things:

* cosmetic filtering (hide stuff from the page)
* network filters (URL and content type filters)

Cosmetic filters will probably not work well on a firewall appliance because of false positives, which may break the pages entirely, while network filters are possible but the syntax is not compatible (the proxy cannot read the format of the easylist).
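Fabian's distinction above can be bridged in one direction: the domain-anchored network rules of an easylist-style file (`||host^`, optionally with `$options`) can be pulled out into a plain domain list that a proxy ACL, a hosts file or a DNS blocklist can consume, while cosmetic (`##`) and path rules are dropped because a domain-level blocker cannot express them. The POSIX shell snippet below is an added example, not code from this thread, from OPNsense or from any list project; the sample list is constructed and uses `.invalid` names so nothing in it resolves.

```shell
#!/bin/sh
# Added example: extract domain-anchored network filters from an
# easylist-style list. Only rules of the form ||host^ (optionally followed
# by $options) become domain blocks; @@||host^ exceptions are honoured by
# removing that host from the result. Cosmetic rules (##), path/wildcard
# rules and comments are skipped. The $options (third-party, script, ...)
# are lost, so the resulting domain block is coarser than the original rule
# and may block more than the list author intended.

# Constructed sample list, not an excerpt of any real list.
SAMPLE_LIST='[Adblock Plus 2.0]
! Title: constructed sample
||ads.example.invalid^
||tracker.example.invalid^$third-party
example.invalid##.banner-ad
/banner/*.gif
@@||cdn.example.invalid^
||cdn.example.invalid^$script
||ads.example.invalid^$image'

easylist_to_domains() {
    # $1: list text. Prints one blocked domain per line, sorted and unique,
    # with every domain named in an exception (@@) rule removed.
    printf '%s\n' "$1" | awk '
        /^\|\|[A-Za-z0-9.-]+\^/ {          # ||host^...   -> block
            sub(/^\|\|/, ""); sub(/\^.*$/, ""); block[$0] = 1; next
        }
        /^@@\|\|[A-Za-z0-9.-]+\^/ {        # @@||host^... -> exception
            sub(/^@@\|\|/, ""); sub(/\^.*$/, ""); allow[$0] = 1; next
        }
        # anything else (comments, cosmetic ## rules, path rules) is ignored
        END {
            for (d in block) if (!(d in allow)) print d
        }' | sort -u
}

domains_to_squid_acl() {
    # Turn the domain list on stdin into Squid dstdomain syntax: the leading
    # dot matches the domain itself and all of its subdomains.
    sed 's/^/./'
}

# Demonstration on the constructed sample.
easylist_to_domains "$SAMPLE_LIST" | domains_to_squid_acl
```

Rules carrying `$domain=` restrictions or other options end up as unconditional domain blocks here, which is exactly the incompatibility Fabian points out; if a list relies heavily on such options, review the output before loading it into an ACL.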
Title: Re: How to implement something similar to pfBlockerNg?
Post by: hilfubsi on February 10, 2018, 08:03:04 pm
I can't get this to work :(

I added the yoyo list to ACL and enabled it, but if I curl http://secure.quantserve.com/quant.js, it is not blocked. It's going through the proxy because I see the extra headers in the response.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: xmichielx on March 08, 2018, 10:35:35 am
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
The proxy only blocks HTTP, and HTTPS takes a lot of work to be fixed on all devices and causes extra load on an APU2.
DNS is very easy to set up, very lightweight, and works out of the box for all devices.
There is a reason why Pi-hole is such a success and not a Squid proxy on a Raspberry Pi ;)
It would be really nice if the WebGUI offers an option to add a list like yoyo to block ads.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: elektroinside on March 08, 2018, 10:48:11 am
It would be awesome if hosts files could be imported (with additional features, like an update scheduler, whitelist + blacklist, and an alerts UI - otherwise it would be difficult to maintain) from the GUI. It would make a phenomenal addition IMO.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: mimugmail on March 08, 2018, 11:02:38 am
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
The proxy only blocks HTTP, and HTTPS takes a lot of work to be fixed on all devices and causes extra load on an APU2.
DNS is very easy to set up, very lightweight, and works out of the box for all devices.
There is a reason why Pi-hole is such a success and not a Squid proxy on a Raspberry Pi ;)
It would be really nice if the WebGUI offers an option to add a list like yoyo to block ads.

This?
https://devinstechblog.com/block-ads-with-dns-in-opnsense/
Title: Re: How to implement something similar to pfBlockerNg?
Post by: Evil_Sense on March 08, 2018, 11:05:40 am
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
The proxy only blocks HTTP, and HTTPS takes a lot of work to be fixed on all devices and causes extra load on an APU2.
DNS is very easy to set up, very lightweight, and works out of the box for all devices.
There is a reason why Pi-hole is such a success and not a Squid proxy on a Raspberry Pi ;)
It would be really nice if the WebGUI offers an option to add a list like yoyo to block ads.

This?
https://devinstechblog.com/block-ads-with-dns-in-opnsense/
That's what I use, works flawlessly
Title: Re: How to implement something similar to pfBlockerNg?
Post by: elektroinside on March 08, 2018, 12:07:19 pm
Yes, it works. But this is difficult to maintain, unfortunately, even with the script.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: Evil_Sense on March 08, 2018, 12:19:14 pm
Yes, it works. But this is difficult to maintain, unfortunately, even with the script.
I created a cron action to call the script, at least this can be controlled by webGUI, the include too.

Sure, more control included in the webGUI would be great.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: elektroinside on March 08, 2018, 12:34:40 pm
Yes, but that's not the difficult part to maintain. It's the editing of the blacklists/whitelists that is difficult to maintain.

Think about the flow. A user hits a blacklisted domain. You have to manually open/edit a few files to whitelist it, which means you have to ssh to your box. Then, you have to trigger or wait for the cron job or reload manually. And you have to make sure your new whitelist is still there after a cron job update (and that nothing fails).

Not to mention that you should redirect your users to a webserver to display a nice message if they hit a blacklisted domain. But with this, you should also consider the cosmetic aspects if a blacklisted domain is hit inside an iframe, for example, an iframe which is part of a whitelisted domain. And this is just one use case.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: xmichielx on March 12, 2018, 05:26:14 pm
The problem I have with doing things on the shell is that they might get lost after an upgrade.
I know there are a bunch of scripts but I want to make sure that the list and the cronjob are there after an upgrade of OPNsense, hence my request to allow this via unbound/dnsmasq webgui (a simple curl command to a remote location and adding it to an included .conf is the real magic).
A cronjob would also be nice to update the list every day/week etc. :)
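The two maintenance problems raised above, keeping a whitelist that survives each cron update (elektroinside) and turning a fetched hosts-format list into an included Unbound `.conf` (xmichielx), can be handled by one small generator. The POSIX shell script below is an added example, not code from this thread, from the linked blog post or from OPNsense: it converts a hosts-format list (the format the yoyo list is offered in) into `local-zone ... static` lines, drops anything on a whitelist (the entry and all its subdomains), and refuses to replace the live include file when the result is empty, so a failed download or a broken list never leaves the resolver with no blocklist. The blocklist, the whitelist and the destination path are all constructed placeholders; the include path has to match the `include:` line you add to Unbound's custom options.

```shell
#!/bin/sh
# Added example: build an Unbound include file from a hosts-format
# blocklist while honouring a whitelist, and install it atomically and
# only when the result is non-empty.
# Assumption: the destination file is referenced by an "include:" line in
# the Unbound custom options on the OPNsense box (path chosen by you).

# Constructed sample blocklist in hosts-file format (not the real list).
SAMPLE_HOSTS='# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid   # trailing comment
0.0.0.0 cdn.example.invalid
0.0.0.0 static.cdn.example.invalid
0.0.0.0 ADS.example.invalid
192.0.2.10 intranet.example.invalid'

# Constructed whitelist: one domain per line; an entry protects the domain
# itself and every subdomain below it.
SAMPLE_WHITELIST='cdn.example.invalid'

hosts_to_unbound() {
    # $1: hosts-format text, $2: whitelist text. Prints one
    #   local-zone: "<domain>" static
    # line per blocked domain; a static zone without local-data makes
    # Unbound answer NXDOMAIN for the domain and everything below it.
    printf '%s\n' "$1" | awk -v wl="$2" '
        BEGIN {
            n = split(wl, w, "\n")
            for (i = 1; i <= n; i++) if (w[i] != "") allow[tolower(w[i])] = 1
            # names every hosts file carries that must never be sinkholed
            split("localhost localhost.localdomain local broadcasthost ip6-localhost ip6-loopback", s, " ")
            for (i in s) skip[s[i]] = 1
        }
        function whitelisted(name,    p) {
            # walk up the name: a.b.c -> b.c -> c, stop at the first hit
            p = name
            while (p != "") {
                if (p in allow) return 1
                if (index(p, ".") == 0) break
                p = substr(p, index(p, ".") + 1)
            }
            return 0
        }
        { sub(/#.*/, "") }                                   # drop comments
        NF < 2 { next }                                       # blank lines
        $1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1|::)$/ { next }   # sinkhole entries only
        {
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                if ((d in skip) || (d in seen) || whitelisted(d)) continue
                seen[d] = 1
                printf "local-zone: \"%s\" static\n", d
            }
        }'
}

install_adblock_conf() {
    # $1: hosts text, $2: whitelist text, $3: destination include file.
    # Writes to a temporary file first and replaces the live file only when
    # at least one zone was produced; prints the number of installed zones.
    tmp="$3.tmp.$$"
    hosts_to_unbound "$1" "$2" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to install an empty blocklist, keeping $3" >&2
        return 1
    fi
    mv "$tmp" "$3"
    wc -l < "$3" | tr -d ' '
}

# Demonstration: print the generated zones for the constructed sample.
hosts_to_unbound "$SAMPLE_HOSTS" "$SAMPLE_WHITELIST"
```

For real use, feed `install_adblock_conf` the text fetched from the list URL (for example with `curl -fsS`, so a download error yields empty input and the old file is kept) and the contents of a whitelist file you maintain outside the cron job, then reload Unbound from the same cron action; because the whitelist is applied on every run, a domain you whitelist stays whitelisted across updates.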
Title: Re: How to implement something similar to pfBlockerNg?
Post by: ikkeT on April 02, 2018, 12:24:27 pm
Ansible would be a pretty good tool to make sure the files contain the portions and settings you manually maintain. I wonder how much it would overlap with maintaining other settings as well.

Perhaps one day there will be an Ansible network module for OPNsense so that all settings may be automated and version controlled. DNS blacklists would be a good starting point.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: Evil_Sense on April 02, 2018, 12:57:39 pm
Ansible would be a pretty good tool to make sure the files contain the portions and settings you manually maintain. I wonder how much it would overlap with maintaining other settings as well.

Perhaps one day there will be an Ansible network module for OPNsense so that all settings may be automated and version controlled. DNS blacklists would be a good starting point.
Would be great if there were some Ansible modules for OPNsense.
Title: Re: How to implement something similar to pfBlockerNg?
Post by: franco on April 04, 2018, 08:29:38 am
Not sure if relevant, but we have the ansible package...

https://github.com/opnsense/tools/blob/master/config/18.1/ports.conf#L168


Cheers,
Franco
Title: Re: How to implement something similar to pfBlockerNg?
Post by: fabian on April 04, 2018, 08:43:56 am
@franco I think he wants a module to configure OPNsense.