Do not allow IP-Addresses in URL

Started by t.mayer, March 09, 2019, 11:36:42 AM

I have a working OPNsense proxy with the shallalist as web filter.

When I try to open a URL from a blocked category, it won't open (as expected).
But when I use the IP of the web server hosting the URL, I can reach the website.

Is there a way to block external IP addresses in URLs?
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist also blocks internal IPs in URLs.


  • URLs are blocked by web proxy
  • IPs are blocked by firewall

Create a firewall alias which loads your blacklist and create a blocking rule using this alias.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

When, then, should somebody use a proxy?

Because of the possibility of several URLs behind the same IP, blocking IPs via the firewall cannot be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding IP address of a URL into the browser.

Moreover, I do not see the possibility to load a list like the shallalist into the firewall alias section. Could you explain how to load a list into the alias section?

My solution for now is the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List

  • Whitelist: 172\.16\.[0-9]+\.[0-9]+ (allowing local IPs [172.20.0.0/16] in URLs)
  • Blacklist: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ (denying all other IPs in URLs)
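The following is an added example, not code from the thread or from OPNsense. It replays the Whitelist/Blacklist regexes above against a handful of constructed URLs, the way an unanchored url_regex style match sees them, and puts a host-only check next to them for comparison. Assumptions: Python's `re` behaves like the proxy's regex dialect for these two patterns, whitelist entries are evaluated before blacklist entries (as the configuration above implies), the "internal" range used by the host check is 172.16.0.0/12, and every URL in the list is a made-up test input.

```python
"""Added example: how the thread's Whitelist/Blacklist regexes behave
when matched anywhere in the URL, versus a check that looks only at the
host part of the URL.  Not part of the forum thread or of OPNsense."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# The two ACL entries from the post, copied as written.
WHITELIST = [r"172\.16\.[0-9]+\.[0-9]+"]
BLACKLIST = [r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"]

# Assumption for the host check: literal IPs in this range stay allowed.
ALLOWED_NETS = [ip_network("172.16.0.0/12")]


def regex_decision(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Unanchored regex matching: any substring of the URL can match.

    Whitelist hits win (assumed evaluation order), blacklist hits deny,
    everything else is left to the category filter (treated as allow).
    """
    if any(re.search(p, url) for p in whitelist):
        return "allow"
    if any(re.search(p, url) for p in blacklist):
        return "deny"
    return "allow"


def host_decision(url, allowed_nets=ALLOWED_NETS):
    """Look only at the host: deny literal IPs outside allowed_nets,
    allow DNS names (the category filter handles those anyway)."""
    host = urlsplit(url).hostname  # drops the port and IPv6 brackets
    if host is None:
        return "deny"
    try:
        addr = ip_address(host)
    except ValueError:
        return "allow"  # a DNS name, not a literal address
    return "allow" if any(addr in net for net in allowed_nets) else "deny"


# Constructed test URLs (documentation ranges and reserved names only).
SAMPLE_URLS = [
    "http://198.51.100.20/",                     # external literal IP: the bypass from the thread
    "http://203.0.113.7:8080/login",             # same, with a port
    "http://172.16.5.9/intranet",                # internal IP that the whitelist covers
    "http://172.20.1.1/",                        # in 172.16.0.0/12 but not matched by 172\.16\.
    "http://example.com/release/1.2.3.4/notes",  # dotted quad only in the path
    "http://1.2.3.4.evil.example/",              # hostname that starts with a dotted quad
    "http://203.0.113.7/172.16.1.1",             # external IP, whitelist-looking string in the path
    "http://[2001:db8::1]/",                     # IPv6 literal: no dotted quad anywhere
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (regex_decision, host_decision)} for each sample."""
    return {u: (regex_decision(u), host_decision(u)) for u in urls}


if __name__ == "__main__":
    print(f"{'URL':45} {'regex':6} {'host':6}")
    for url, (by_regex, by_host) in compare().items():
        print(f"{url:45} {by_regex:6} {by_host:6}")
```

Two rows are the ones worth noticing: the version string in the path of the example.com URL is denied by the unanchored blacklist although the host is a normal DNS name, and the external IP with a 172.16.x.x string in its path is allowed because the whitelist matches first. If you stay with URL regexes on the proxy, anchoring the expression to the start of the URL (for example `^(https?://)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?(/|$)`) removes the path false positives; this assumes the proxy applies the expression to the whole request URL, and for HTTPS the proxy only sees `host:port` from the CONNECT request, so test that case separately. IPv6 literals need their own pattern either way.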


https://wiki.opnsense.org/manual/how-tos/edrop.html explains how to load ip block lists in OPNsense.

Most blocklists allow several export formats that can be set via parameter (see e.g. https://pgl.yoyo.org/adservers/formats.php#plain).