OPNsense

Author Topic: Whitelist 6 Domains  (Read 1905 times)

GAM_1

Whitelist 6 Domains
« on: July 09, 2023, 01:26:28 pm »
I want to block all internet access except 6 specific websites. What is the best way to do this with OPNsense? I've read the documentation on "Setup Web Filtering" and "zenarmor", but these seem to be a little overkill for my simple whitelist. It would be nice to apply this to specific VLANs, but that would not be strictly required.
Logged

RamSense

Re: Whitelist 6 Domains
« Reply #1 on: July 09, 2023, 01:32:12 pm »
Never tried myself, but I would say:
- make an alias for the website (url/ip) for the allowed websites
- make a firewall allow rule for this alias, port 80 and 443
- make another firewall rule below the above with block all port 80 and 443

« Last Edit: July 09, 2023, 01:33:44 pm by RamSense »
Logged

Patrick M. Hausen

Re: Whitelist 6 Domains
« Reply #2 on: July 09, 2023, 01:33:46 pm »
I'd use DNS block and whitelists. Cannot produce the details from the top of my head, but I'd look into either Unbound blocklists or the AdGuard Home plugin.
Logged
Protectli FW4B
Intel J3160 4 cores
4x Intel I211 1 Gbit/s
8 GB memory
64 GB mSATA SSD storage
Coreboot
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

CJ

Re: Whitelist 6 Domains
« Reply #3 on: July 09, 2023, 08:29:51 pm »
AdGuard is way overkill for this IMO. Just enable DNSBL, don't select any lists, and add the 6 websites to the whitelist.
Logged
Have Answer, Will Blog

GAM_1

Re: Whitelist 6 Domains
« Reply #4 on: July 09, 2023, 11:22:47 pm »
Quote from: RamSense on July 09, 2023, 01:32:12 pm
Never tried myself, but I would say:
- make an alias for the website (url/ip) for the allowed websites
- make a firewall allow rule for this alias, port 80 and 443
- make another firewall rule below the above with block all port 80 and 443

Anyone know if this way works? And can you give more details? Such as, would I make these rules under my LAN or WAN? Also, I only have 1 LAN and no VLANs yet. I do not want to block myself out of the OPNsense web UI... Do I need to add another rule for that?
Logged

Amr

Re: Whitelist 6 Domains
« Reply #5 on: July 11, 2023, 03:31:15 pm »
Quote
Anyone know if this way works?
It would work if the whitelisted website doesn't change IPs frequently (big providers like Google do, for load balancing); if it does, be ready to experience breakage.
- I would go the DNS route if you are okay with the fact that users (malicious or not) can subvert the access control (by using VPN/Tor or any other method). You can pair this method with an IPS (intrusion prevention system) that subscribes to a VPN block list or something, plus periodically reviewing logs and adding firewall rules that allow users HTTP(S) only.
- Else you need to deploy an MITM (transparent proxy), but that's a PITA to configure, good luck.
« Last Edit: July 12, 2023, 06:53:38 am by Amr »
Logged
Disclaimer: I'm not a professional, just trying to help.

ssonic

Re: Whitelist 6 Domains
« Reply #6 on: September 07, 2023, 11:08:44 pm »
You can achieve that with the "web proxy" config. Enable HTTP and SSL intercept, SNI induction only, add websites and allowed hosts or networks to the proxy access list, configure your 6 websites in the proxy ACL, configure port forwarding from 80 and 443 to whatever corresponding ports you have in your proxy config (3218 and 3129 by default) and add this to the proxy blacklist:
.[a-zA-Z]+
Logged
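
Added example, not part of the thread and not OPNsense code: a small Python check of how a six-site allow-list combined with the catch-all blacklist pattern quoted above classifies destination hosts, so the gaps can be closed before the policy is relied on. It assumes the whitelist is evaluated before the blacklist and that both are unanchored regex searches against the hostname; the domains and the `decide`/`audit` helpers are constructed for illustration.

```python
import re

# Constructed allow-list: the thread never names the six sites, so these are placeholders.
ALLOWED_DOMAINS = ["example.org", "example.net"]

# Catch-all blacklist pattern exactly as posted in the thread.
BLACKLIST_PATTERN = re.compile(r".[a-zA-Z]+")


def allow_pattern(domain):
    """Anchor a domain so it matches only itself and its subdomains."""
    return re.compile(r"(^|\.)" + re.escape(domain) + r"$", re.IGNORECASE)


WHITELIST = [allow_pattern(d) for d in ALLOWED_DOMAINS]


def decide(host):
    """Return 'allow', 'deny' or 'unmatched' for a destination host.

    Assumption: whitelist first, then blacklist, both as regex searches.
    'unmatched' means neither list fired, so the proxy default applies
    and an explicit deny is needed to cover that host.
    """
    if any(p.search(host) for p in WHITELIST):
        return "allow"
    if BLACKLIST_PATTERN.search(host):
        return "deny"
    return "unmatched"


def audit(hosts):
    """Classify every host so the policy can be reviewed in one pass."""
    return {h: decide(h) for h in hosts}


# Constructed sample destinations, including look-alikes and an IP literal.
SAMPLE_HOSTS = [
    "example.org", "www.example.org", "EXAMPLE.NET",
    "notexample.org", "example.org.invalid", "192.0.2.10",
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HOSTS).items():
        print(f"{verdict:9} {host}")
```

The IP literal comes back `unmatched` because the posted pattern requires at least one letter, so a policy built this way also needs a default deny or a separate rule for address-only destinations.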

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved