How to implement something similar to pfBlockerNg?

Started by hilfubsi, February 08, 2018, 05:02:20 PM

I would like to block ads network wide, similar to what pfBlockerNg/PiHole does. I would also like the firewall to block the ad domains, not only for the DNS to resolve them to a dummy IP. This is for the Android YouTube app for example that does its own DNS and for which DNS ad blocking isn't effective.

How would I go about it in OPNsense? There doesn't seem to be a pfBlockerNg plugin available.

February 08, 2018, 05:41:11 PM #1 Last Edit: February 08, 2018, 05:54:07 PM by elektroinside
I also would love to see Pi-hole (or something similar to handle lists and maintain a customizable whitelist / ability to whitelist a blocked domain once it's accessed with an easy GUI) integrated somehow into OPNsense.
But... no Pi-hole on FreeBSD based systems. So I just deployed Pi-hole on another machine... and waiting for the future to bring something new :)

One thing's for sure, as long as there are workarounds, I will not ditch OPNsense.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

you can do that in the proxy for the best results (docs are available). IPS would work as well.

Except for the proxy, don't like it :)
I am using IDS/IPS, but also Pi-hole. Not an issue for me :)

Quote from: fabian on February 08, 2018, 05:43:48 PM
you can do that in the proxy for the best results (docs are available). IPS would work as well.

It doesn't seem to understand adblock formatted lists though, does it? The UToulouse list is more intended to censor internet access than to block ads.

Quote from: hilfubsi on February 08, 2018, 06:27:08 PM
It doesn't seem to understand adblock formatted lists though, does it? The UToulouse list is more intended to censor internet access than to block ads.

There are other lists like https://pgl.yoyo.org/as/ for ad blocking using a hosts file or a proxy. Ad blockers do have a different syntax which allows basically two things:

* cosmetic filtering (hide stuff from the page)
* network filters (URL and content type filters)

Cosmetic filters will probably not work well on a firewall appliance because of false positives and that may break the pages entirely while network filters are possible but the syntax is not compatible (the proxy cannot read the format of the easylist).

I can't get this to work :(

I added the yoyo list to ACL and enabled it, but if I curl http://secure.quantserve.com/quant.js, it is not blocked. It's going through the proxy because I see the extra headers in the response.

Quote from: fabian on February 08, 2018, 05:43:48 PM
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
Proxy only blocks HTTP, and HTTPS takes a lot of work to be fixed on all devices and causes extra load on an APU2.
DNS is very easy to set up and very lightweight and works out of the box for all devices.
There is a reason why the pihole is such a success, not a squid proxy on a raspberry pi ;)
It would be really nice if the WebGUI offers an option to add a list like yoyo to block ads.

It would be awesome if hosts files could be imported (with additional features, like an update scheduler, whitelist + blacklist, and an alerts UI - otherwise it would be difficult to maintain) from the GUI. It would make a phenomenal addition IMO.

Quote from: xmichielx on March 08, 2018, 10:35:35 AM
Quote from: fabian on February 08, 2018, 05:43:48 PM
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
Proxy only blocks HTTP, and HTTPS takes a lot of work to be fixed on all devices and causes extra load on an APU2.
DNS is very easy to set up and very lightweight and works out of the box for all devices.
There is a reason why the pihole is such a success, not a squid proxy on a raspberry pi ;)
It would be really nice if the WebGUI offers an option to add a list like yoyo to block ads.

This?
https://devinstechblog.com/block-ads-with-dns-in-opnsense/

Quote from: mimugmail on March 08, 2018, 11:02:38 AM
Quote from: xmichielx on March 08, 2018, 10:35:35 AM
Quote from: fabian on February 08, 2018, 05:43:48 PM
you can do that in the proxy for the best results (docs are available). IPS would work as well.

Is there an option to do this via DNS?
Proxy only blocks HTTP, and HTTPS takes a lot of work to be fixed on all devices and causes extra load on an APU2.
DNS is very easy to set up and very lightweight and works out of the box for all devices.
There is a reason why the pihole is such a success, not a squid proxy on a raspberry pi ;)
It would be really nice if the WebGUI offers an option to add a list like yoyo to block ads.

This?
https://devinstechblog.com/block-ads-with-dns-in-opnsense/
That's what I use, works flawlessly

Yes, it works. But this is difficult to maintain, unfortunately, even with the script.

March 08, 2018, 12:19:14 PM #12 Last Edit: March 08, 2018, 12:21:15 PM by Evil_Sense
Quote from: elektroinside on March 08, 2018, 12:07:19 PM
Yes, it works. But this is difficult to maintain, unfortunately, even with the script.
I created a cron action to call the script, at least this can be controlled by webGUI, the include too.

Sure, more control included in the webGUI would be great.

March 08, 2018, 12:34:40 PM #13 Last Edit: March 08, 2018, 12:37:32 PM by elektroinside
Yes, but that's not the difficult part to maintain. It's the editing of the blacklists/whitelists that is difficult to maintain.

Think about the flow. A user hits a blacklisted domain. You have to manually open/edit a few files to whitelist, which means you have to ssh to your box. Then, you have to trigger or wait for the cron job or reload manually. And you have to take care your new whitelist is there after a cron job update (and nothing fails).

Not to mention that you should redirect your users to a webserver to display a nice message if you hit a blacklisted domain. But with this, you should also consider the cosmetic aspects of stuff if a blacklisted domain is hit inside an iframe for example, iframe which is part of a whitelisted domain. And this is just one use case.

The problem I have with doing things on the shell is that they might get lost after an upgrade.
I know there are a bunch of scripts but I want to make sure that the list and the cronjob are there after an upgrade of OPNsense, hence my request to allow this via unbound/dnsmasq webgui (a simple curl command to a remote location and adding it to an included .conf is the real magic).
A cronjob would also be nice to update the list every day/week etc. :)
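The "curl a hosts-format list and drop it into an included unbound .conf" idea above, together with the whitelist maintenance problem elektroinside raised, as an added example script. This is not code from any poster, from the linked blog post or from OPNsense; the list and whitelist below are constructed inline so it runs offline (on the firewall you would feed it the curl output instead), the function and variable names are my own, and it relies only on unbound's real `local-zone: "<name>" static` statement. Where the generated file lives and how it is referenced from an `include:` line is up to your own unbound setup and is not shown.

```shell
#!/bin/sh
# Added example (not from any poster in the thread and not OPNsense code).
# Converts a hosts-format ad list into unbound "local-zone" statements,
# dropping whitelisted domains. All input below is constructed inline so the
# script runs offline; on the firewall the list would come from curl instead.

# Constructed stand-in for a hosts-format list such as the yoyo.org one.
SAMPLE_HOSTS='# constructed sample, not the real yoyo list
127.0.0.1 localhost
127.0.0.1 ads.example.com
0.0.0.0   tracker.example.net   # trailing comment
127.0.0.1 ADS.example.com
127.0.0.1 cdn.example.org
'

# Constructed whitelist, one domain per line (domains a user asked to unblock).
SAMPLE_WHITELIST='cdn.example.org
'

# hosts_to_unbound WHITELIST_FILE
#   Reads hosts-format lines on stdin and prints one
#   'local-zone: "<name>" static' line per blocked domain. "static" makes
#   unbound answer NXDOMAIN for the name and everything under it.
#   Comments, blank lines, localhost entries, duplicates (case-insensitive)
#   and whitelisted names are skipped.
hosts_to_unbound() {
    awk -v wl="$1" '
        BEGIN {
            # load the whitelist into an associative array
            while ((getline line < wl) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") allow[tolower(line)] = 1
            }
        }
        {
            sub(/#.*/, "")               # strip inline comments
            if (NF < 2) next             # expect "<ip> <name> [<name>...]"
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == "localhost" || name == "localhost.localdomain") continue
                if (name in allow) continue      # user whitelisted it
                if (name in seen) continue       # already emitted
                seen[name] = 1
                printf "local-zone: \"%s\" static\n", name
            }
        }'
}

# count_blocked WHITELIST_FILE: number of local-zone lines produced from
# SAMPLE_HOSTS, handy as a sanity check after a list update (a sudden drop
# to zero usually means the download failed and the list is empty).
count_blocked() {
    printf '%s' "$SAMPLE_HOSTS" | hosts_to_unbound "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: write the whitelist to a temp file and print the config
# that would be saved to the file your unbound "include:" line points at.
demo() {
    wl_file=$(mktemp)
    printf '%s' "$SAMPLE_WHITELIST" > "$wl_file"
    printf '%s' "$SAMPLE_HOSTS" | hosts_to_unbound "$wl_file"
    rm -f "$wl_file"
}

demo
```

Keeping the whitelist in its own file is what makes the flow elektroinside describes bearable: unblocking a domain is one line appended to that file followed by a re-run of the conversion and an unbound reload, and because the whitelist is applied at conversion time it survives the next scheduled list download rather than being overwritten by it.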