Topic: Do not allow IP-Addresses in URL (Read 4536 times)
t.mayer (Newbie, Posts: 16, Karma: 0)
Do not allow IP-Addresses in URL « on: March 09, 2019, 11:36:42 am »
I have a working opnsense-proxy with shallalist as webfilter.
When I try to open a URL from a blocked category, it won't open (as expected).
But when I use the IP of the web server hosting the URL, I can reach the website.
Is there a way to block external IP addresses in URLs?
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist also blocks internal IPs in URLs.
hbc (Hero Member, Posts: 501, Karma: 47)
Re: Do not allow IP-Addresses in URL « Reply #1 on: March 18, 2019, 02:39:45 pm »
URLs are blocked by web proxy
IPs are blocked by firewall
Create a firewall alias which loads your blacklist and create a blocking rule using this alias.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
t.mayer (Newbie, Posts: 16, Karma: 0)
Re: Do not allow IP-Addresses in URL « Reply #2 on: March 18, 2019, 03:04:18 pm »
When then should somebody use a proxy?
Because of the possibility of several URLs behind the same IP, blocking IPs via firewall cannot be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding IP address of a URL into the browser.
Moreover, I do not see the possibility to load a list like the shallalist into the firewall alias section. Could you explain how to load a list into the alias section?
My solution for now is the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List:
Whitelist: 172\.16\.[0-9]+\.[0-9]+ (allowing local IPs [172.20.0.0/16] in URLs)
Blacklist: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ (denying all other IPs in URLs)
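An added example, not part of the thread and not OPNsense code: it runs the two ACL patterns from the post above over constructed URLs, next to a check that looks only at the parsed host. Assumptions: the whitelist is evaluated before the blacklist, the patterns are searched anywhere in the URL, and "internal" means the RFC 1918 ranges; the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The two ACL patterns exactly as posted in the thread.
WHITELIST = re.compile(r"172\.16\.[0-9]+\.[0-9]+")
BLACKLIST = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Assumption: "internal" means the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample URLs (203.0.113.0/24 is a documentation range).
SAMPLES = [
    "http://203.0.113.10/index.html",               # external IP as host
    "http://172.16.4.20:8080/status",               # internal IP, matches whitelist
    "http://172.20.1.5/intranet",                   # internal IP, not 172.16.x.x
    "http://example.com/files/1.2.3.4/readme.txt",  # dotted quad only in the path
    "http://example.com/",                          # ordinary hostname
]

def regex_verdict(url):
    """Search the whole URL: whitelist first, then blacklist (assumed order)."""
    if WHITELIST.search(url):
        return "allow"
    if BLACKLIST.search(url):
        return "deny"
    return "allow"  # no pattern matched; category filtering still applies

def host_verdict(url):
    """Look at the parsed host only: deny IP-literal hosts outside INTERNAL_NETS."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "allow"  # a hostname, left to the category filter
    return "allow" if any(addr in net for net in INTERNAL_NETS) else "deny"

def compare(urls=SAMPLES):
    """Return (url, regex verdict, host verdict) for each URL."""
    return [(u, regex_verdict(u), host_verdict(u)) for u in urls]

if __name__ == "__main__":
    for url, by_regex, by_host in compare():
        note = "" if by_regex == by_host else "  <- verdicts differ"
        print(f"{by_regex:5} {by_host:5} {url}{note}")
```

The two rows where the verdicts differ are the 172.20.x.x host, which the posted whitelist pattern does not match, and the hostname URL whose path happens to contain a dotted quad.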
hbc (Hero Member, Posts: 501, Karma: 47)
Re: Do not allow IP-Addresses in URL « Reply #3 on: March 18, 2019, 03:21:47 pm »
https://wiki.opnsense.org/manual/how-tos/edrop.html explains how to load IP block lists in OPNsense.
Most blocklists allow several export formats that can be set via parameter (see e.g. https://pgl.yoyo.org/adservers/formats.php#plain).