There are several options for blocking websites with pfSense® software, some of which are described in this article. This is not an exact science, but these solutions typically function well enough for a majority of use cases.
See also
The pfBlockerNG package (pfBlocker-NG Package) offers mechanisms which can be useful in this area, such as DNSBL, geographic IP address blocking, and automation of AS lookups.
Using DNS
If the built-in DNS Resolver or Forwarder is active, an override can be entered there to resolve the unwanted website to an invalid IP address such as 127.0.0.1.
Warning
Do not use DNS override functionality as the only means of blocking access to sites.
Blocking via DNS requires that local clients utilize the firewall as their only DNS source. See Redirecting Client DNS Requests and Blocking External Client DNS Queries for suggestions on ensuring clients get their DNS responses from the firewall. It will stop non-technical users, but it is easy to circumvent for those with more technical aptitude.
With the DNS Resolver, additional methods are possible via custom options.
This first example will prevent any host under the given zone from being resolved by clients:

server:
local-zone: "movie.edu" static
When the firewall enforces DNS resolution in this way, the firewall must also force clients to resolve DNS using the firewall. Otherwise, clients could bypass the restrictions by using alternate DNS servers. See Redirecting Client DNS Requests for details.
This can be limited in scope using custom views. This example is similar to the above, but only blocks access for 10.6.0.100:

server:
access-control-view: 10.6.0.100/32 blocksites
view:
name: "blocksites"
local-zone: "movie.edu" static
Using Firewall Rules
If a website rarely changes IP addresses, then it can be blocked by an alias. Create an alias containing its IP addresses and then use this alias in firewall rules.
Warning
This is not a feasible solution for sites that return low TTLs and spread the load across many servers and/or datacenters, such as Google and similar large sites. Most small to mid-sized websites can be effectively blocked using this method as they rarely change IP addresses.
A hostname can also be inside a network alias. The firewall will resolve the hostname periodically and update the alias as needed. This is more effective than manually looking up the IP addresses, but will still fall short if the site returns DNS records in a way that changes rapidly or randomizes results from a pool of servers on each query, which is common for large sites.
Another option is finding all of the IP subnet allocations for a site. Create an alias with those networks and block traffic to those destinations. This is especially useful with sites such as Facebook that spread across large amounts of IP space but are constrained within a few net blocks. Using regional registry sites such as ARIN can help track down those networks. For example, all of the networks used by Facebook in the region covered by ARIN can be found at http://whois.arin.net/rest/org/THEFA-3.html under “Related Networks”. Companies may have other addresses in different regions, so check other regional sites as well, such as RIPE, APNIC, etc.
As an alternative to looking up the IP blocks manually, locate the BGP Autonomous System (AS) number for the target company by doing a whois lookup on one of their IP addresses. For example, the AS number for Facebook is AS32934 and the following command will locate all of their allocations:
# whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq
Copy the results of that command into a new alias and it will cover all of their currently allocated networks. Check the results periodically for updates.
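As an added example (not from the pfSense documentation), the following shell script carries the AS lookup one step further: it takes RADB-style whois output, constructed inline here rather than fetched, collects both route: and route6: prefixes, deduplicates them, and checks that every entry is a plausible CIDR before it is pasted into an alias. The AS number and prefixes in the sample are reserved documentation values, not a real organisation's allocations.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation: turn RADB whois output
# into a deduplicated prefix list for a pfSense network alias. It extends the
# one-liner above to IPv6 "route6:" objects and rejects malformed entries.

# Constructed sample of what `whois -h whois.radb.net -- '-i origin ASnnnn'`
# prints. AS64496 and these prefixes are reserved documentation values,
# not any real organisation's allocations.
SAMPLE_RADB_OUTPUT='route:          203.0.113.0/24
descr:          EXAMPLE-NET-1 (constructed)
origin:         AS64496

route:          198.51.100.0/24
descr:          EXAMPLE-NET-2 (constructed)
origin:         AS64496

route:          203.0.113.0/24
descr:          same prefix again, as seen from a second IRR mirror
origin:         AS64496

route6:         2001:db8:abcd::/48
descr:          EXAMPLE-NET-V6 (constructed)
origin:         AS64496
'

# Print each unique route/route6 prefix from RADB output on stdin, one per line.
# LC_ALL=C keeps the sort order byte-wise and therefore stable across locales.
extract_prefixes() {
    awk '/^route6?:/ { print $2 }' | LC_ALL=C sort -u
}

# Succeed only if every line on stdin is a plausible IPv4 or IPv6 CIDR prefix,
# so stray text never ends up in the alias.
validate_prefixes() {
    bad=$(grep -Ecv '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-f:]+/[0-9]{1,3}$' || true)
    [ "$bad" -eq 0 ]
}

# Produce the alias content (one prefix per line); fail on any bad entry.
build_alias() {
    list=$(extract_prefixes)
    printf '%s\n' "$list" | validate_prefixes || return 1
    printf '%s\n' "$list"
}

printf '%s' "$SAMPLE_RADB_OUTPUT" | build_alias
```

To use it against live data, replace the sample with the output of the whois command above; an empty result is treated as an error so a failed lookup does not silently produce an empty alias.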
Using a Proxy
In modern environments a client proxy is not effective. HTTPS can sometimes be filtered via peek/splice to inspect SNI and similar aspects of connections, but even that fails with modern security practices like encrypted SNI. Using proxies for these tasks is no longer a recommended practice.
Prevent Bypassing Restrictions
With any of the above methods, there are many ways to get around the defined blocks. The easiest and likely most prevalent is using any number of proxy websites. Finding and blocking all of these individually and keeping the list up to date is impossible. The best way to ensure these sites are not accessible is using an external proxy or content filtering capable of blocking by category.
To further maintain control, use a restrictive egress ruleset and only allow traffic out to specific services and/or hosts. For example, only allow DNS access to the firewall or the DNS servers specifically used for LAN clients (Redirecting Client DNS Requests). Also, if a proxy is in use on the network, make sure to disallow direct access to HTTP and HTTPS through the firewall and only allow traffic to and/or from the proxy server.