Whitelist 6 Domains

Started by GAM_1, July 09, 2023, 01:26:28 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 09, 2023, 01:26:28 PM
I want to block all internet access except 6 specific websites. What is the best way to do this with Opnsense? I've read the documentation on "Setup Web Filtering" and "zenarmor" but these seem to be a little overkill for my simple whitelist. It would be nice to apply this to specific VLANs but that would not be strictly required.
July 09, 2023, 01:32:12 PM #1 Last Edit: July 09, 2023, 01:33:44 PM by RamSense
never tried myself, but I would say:
- make an alias for the website (url/ip) for the allowed websites
make a firewall allow rule for this alias port 80 and 443
make another firewall rule below the above with block all port 80 and 443

Deciso DEC850v2
July 09, 2023, 01:33:46 PM #2
I'd use DNS block and whitelists. Cannot produce the details from the top of my head, but I'd look into either Unbound blocklists or the AdGuard Home plugin.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
July 09, 2023, 08:29:51 PM #3
Adguard is way overkill for this IMO.  Just enable DNSBL, don't select any lists, and add the 6 websites to the whitelist.
July 09, 2023, 11:22:47 PM #4
Quote from: RamSense on July 09, 2023, 01:32:12 PM
never tried myself, but I would say:
- make an alias for the website (url/ip) for the allowed websites
make a firewall allow rule for this alias port 80 and 443
make another firewall rule below the above with block all port 80 and 443

Anyone know if this way works? And can you give more details? Such as would I make these rules under my LAN or WAN? Also I only have 1 LAN and no VLANs ,yet,. I do not want to block myself out of the opnsense web UI... Do I need to add another rule for that?
July 11, 2023, 03:31:15 PM #5 Last Edit: July 12, 2023, 06:53:38 AM by Amr
QuoteAnyone know if this way works?
it would work if the whitelisted website doesn't change IPs frequently (big providers like google do, for load balancing), if it does be ready to experience breakage.
- I would go the DNS route if you are okay with the fact that users (malicious or not) can subvert the access control (by using VPN/Tor or any other method) you can pair this method with IPS(intrusion prevention system) that subscribe to a VPN block list or something, plus periodically reviewing logs and adding firewall rules that allow users http(s) only.
-else you need to deploy an MITM (transparent proxy) but that's a PITA to configure, good luck.
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
September 07, 2023, 11:08:44 PM #6
You can achieve that with "web proxy" config. Enable http and ssl intercept, sni induction only, add websites and allowed hosts or networks to proxy access list, configure your 6 websites in the proxy acl, configure port forwarding from 80 and 443 to whether corresponding ports you have in your proxy config (3218 and 3129 by default) and add this to proxy blacklist :
.[a-zA-Z]+
Print
Go Up Pages1
User actions