Firewall rules based on URL or even wildcard URL - how do deal with them?

thorben83 · October 03, 2025, 11:44:55 AM

Hello,
I try to filter HTTP / HTTPS traffic "somehow" so that I can allow outgoing access to URLs like this

*.blob.core.windows.net
*.windowsupdate.com
cacerts.digicert.com (without wildcard, but with CDN it changes the IP address all the time)

What is the best way to achieve that? In best case, I don't need to do TLS / SSL interception because I will struggle to get a certificate deployed on every device.

I found a post that recommended to use a proxy instead of plain firewall rules. As I did not find any proxy in OPNsense, I found another post that says that os-squid is in the plugin section now. But I cannot find os-squid in the plugin section.

Does anyone have ideas how to get that challenge solved without an "any HTTP/ HTTPS" rule?

Best regards
Thorben

Monviech (Cedrik) · October 03, 2025, 11:46:30 AM

https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset

thorben83 · October 03, 2025, 11:50:10 AM

oh, that looks interesting, thanks!

I guess that could work, if I create a DNS forwarder on all Domain Controllers to OPNsense and run DNSmask there.

Thanks for that quick hint and have a good weekend :-)

Firewall rules based on URL or even wildcard URL - how do deal with them?

thorben83

October 03, 2025, 11:44:55 AM

Monviech (Cedrik)

October 03, 2025, 11:46:30 AM #1

thorben83

October 03, 2025, 11:50:10 AM #2