Firewall rules based on URL or even wildcard URL - how do deal with them?

[thorben83]

Hello,
I try to filter HTTP / HTTPS traffic "somehow" so that I can allow outgoing access to URLs like this

*.blob.core.windows.net
*.windowsupdate.com
cacerts.digicert.com (without wildcard, but with CDN it changes the IP address all the time)

What is the best way to achieve that? In best case, I don't need to do TLS / SSL interception because I will struggle to get a certificate deployed on every device.

I found a post that recommended to use a proxy instead of plain firewall rules. As I did not find any proxy in OPNsense, I found another post that says that os-squid is in the plugin section now. But I cannot find os-squid in the plugin section.

Does anyone have ideas how to get that challenge solved without an "any HTTP/ HTTPS" rule?

Best regards
Thorben

[Monviech (Cedrik)]

https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset

[thorben83]

oh, that looks interesting, thanks!

I guess that could work, if I create a DNS forwarder on all Domain Controllers to OPNsense and run DNSmask there.

Thanks for that quick hint and have a good weekend :-)

[thorben83]

Hello,
sorry for the late reply... your suggestion worked perfectly. Really cool. I just had do tweak a few things because my firewall runs on an internal corporate network and my uplink has private IP addresses. Maybe this helps someone in future for a similar setup:

- Disable DNS Rebinding Checks in System -> settings -> administration.
- Services -> Unbound DNS -> Advanced -> Rebind protection networks -> remove internal networks that are on the uplink

Best regards
Thorben

[Monviech (Cedrik)]

Nice, thanks for the feedback. :)