OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: godfather007 on March 11, 2018, 11:20:55 am

Title: default block all; allow whitelist
Post by: godfather007 on March 11, 2018, 11:20:55 am
Hi,

Looking into the web proxy to whitelist access to windowsupdate.com etc. for certain IPs.

Tried to allocate "*.*, 0.0.0.0/0.0.0.0"  to the blacklist but it only accepts single entries thus far: "meuk.com".

Is it possible through the GUI or should I create squid ACL lists at shell level?


Thanks
Title: Re: default block all; allow whitelist
Post by: godfather007 on March 12, 2018, 08:52:47 am
For the record,

I would like to block all and allow *.windowsupdates.com etc.

Thanks
Title: Re: default block all; allow whitelist
Post by: jrmagots on August 14, 2018, 02:20:40 pm
I'm looking for an option like this too.
Title: Re: default block all; allow whitelist
Post by: nospam on September 13, 2018, 02:28:58 pm
Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?
Title: Re: default block all; allow whitelist
Post by: tomclewes on November 14, 2020, 06:28:53 pm
I'm also looking for an answer to this and can't find one.
Title: Re: default block all; allow whitelist
Post by: Amr on November 16, 2020, 01:30:24 pm
For the "block all" part of the question you have three approaches:

1- From the GUI, go to the access control list and add all the TLDs you can think of to the blacklist, e.g. .com, .net, etc.
You can also add the following regex expression to block all TLDs: .[a-zA-Z]+
2- Add an "http_access deny all" line in the "/usr/local/etc/squid/squid.conf" file after "http_access deny blacklist" (changes in squid.conf get overwritten after updates).
3- Write a custom squid ACL and put it in pre-auth.


You can reference these posts to see how to use a custom ACL:
https://forum.opnsense.org/index.php?topic=16171.msg73968#msg73968
https://forum.opnsense.org/index.php?topic=6516.0

Quote
Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?
nospam has a point: fetching Windows updates through the proxy is problematic. Creating firewall rules would be easier, and if possible consider a WSUS if you want to save bandwidth.
Title: Re: default block all; allow whitelist
Post by: juliocbc on November 21, 2020, 02:52:22 pm
Hello!

An unofficial plugin (based on SquidGuard) that can help you with that:

https://wiki.cloudfence.com.br/english/managing-rules (take a look at the Rule Action).

Hope it helps!

Title: Re: default block all; allow whitelist
Post by: ml35 on March 13, 2024, 03:05:15 pm
Quote
Tried to allocate "*.*, 0.0.0.0/0.0.0.0"  to the blacklist but it only accepts single entries thus far: "meuk.com".
Is it possible through the GUI or should i create squid ACL lists at shell level?

This is what worked for me in the GUI. I came here from web search results looking to do the same (blacklist everything except some):

Put the list of allowed domains into the Whitelist field. If there are multiple, type each one then press Enter. Use regex if you need to.
Put a dot followed by an asterisk sign in the Blacklist field then press Enter. It should look like this:

.*

The above regex will match everything. In the squid conf the whitelist is configured to allow first and then the blacklist comes, so you don't need to manually edit the squid conf file.
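The "allow the whitelist first, then deny everything" ordering that Amr's second and third approaches and ml35's GUI recipe both rely on, written out as a stand-alone squid ACL fragment. This is an added example, not configuration from the thread or from the OPNsense proxy plugin; the ACL names, client addresses and the second domain are assumed placeholders (only windowsupdate.com comes from the thread). On OPNsense it belongs in the custom ACL (pre-auth) hook rather than in squid.conf, which the plugin regenerates.

```conf
# Added example (not from the thread): default-deny proxy with a whitelist.
# Squid evaluates http_access lines top to bottom and applies the first
# match, so the allow rule must come before the final deny.

# Client addresses allowed to reach the whitelisted sites (placeholder values)
acl update_clients src 192.0.2.10 192.0.2.11

# Whitelisted destinations; a leading dot matches the domain and all its
# subdomains. windowsupdate.com is from the thread, example.net is a placeholder.
acl update_sites dstdomain .windowsupdate.com .example.net

# Only the listed clients may reach the listed domains
http_access allow update_clients update_sites

# Anything not matched above is denied; this is what the ".*" blacklist
# entry achieves in the GUI
http_access deny all
```

Two checks are worth doing after applying it: `squid -k parse` reports syntax errors in the generated configuration before a reload, and a denied request shows up in access.log as a TCP_DENIED line, which is the quickest way to confirm the default-deny is actually in force and to spot a legitimate update host that still needs whitelisting. HTTPS destinations are matched on the hostname of the CONNECT request, so the dstdomain ACL works for them without TLS interception.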