Aag
May 2, 2024, 6:52am
1
Can someone help us in blocking socials (Facebook), p0rn sites, gambling sites, etc.? We set rules in the firewall. We also set URL filtering in the web proxy, but it is still not working.
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name BLOCK-FACEBOOK {
    default-action drop
    rule 20 {
        action drop
        description "block facebook"
    }
}
name BLOCK-PORNHUB {
    default-action drop
    rule 40 {
        action drop
        description "block pornhub"
    }
}
name OUTSIDE-IN {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
}
name OUTSIDE-LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    rule 50 {
        action accept
        destination {
            port 80
        }
        protocol tcp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
tjh
May 2, 2024, 10:09am
2
I don't understand your post. You don't have valid rules. You'd need destination IPs etc.
The better way to block this stuff imho is via DNS.
Personally I run a Pi-hole container on VyOS and redirect/force DNS requests through it.
The next thing is also blocking DNS over HTTP with a combination of Pi-hole and firewall rules.
Rules like the one you have posted don't work. However, there are other solutions, similar to what @roedie mentioned.
I've been playing around with two options:
1. Redirect DNS requests to an application like Pi-hole, AdGuard or Technitium. These applications block access by overriding the DNS response.
2. Use the DNS service of VyOS and update its config. A while ago I wrote a script that pulls DNS blocklists from the internet and updates the DNS server's configuration. An example of such a blocklist: hagezi/dns-blocklists on GitHub.
Please be aware that in both cases it's recommended to block outgoing DNS requests from your clients, otherwise they can bypass the blocking by using another DNS server (e.g. Cloudflare or Google).
Easiest would be to download the RPZ list from oisd.nl and add rpzFile("list.rpz") to recursor.conf.lua.
You can also add your own domains to the list.
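As an added example (not code from any of the posts above, nor the script the second reply mentions), here is how the two DNS-based suggestions fit together: pull a hosts-format blocklist of the kind hagezi publishes, merge in your own domains, and render the result as an RPZ zone that pdns-recursor loads via rpzFile() in recursor.conf.lua. The blocklist contents, the local domain additions, the zone origin "block.rpz", the policy name and the file path are all constructed for the example; the real lists are far longer.

```python
import re
from datetime import datetime, timezone

# Constructed sample in hosts-file format, the shape used by lists such as
# hagezi/dns-blocklists (not their real content).
SAMPLE_HOSTS_LIST = """\
# Title: constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 facebook.com
0.0.0.0 www.facebook.com
0.0.0.0 static.xx.fbcdn.net
0.0.0.0 pornhub.com   # trailing comment
0.0.0.0 WWW.PORNHUB.COM
0.0.0.0 bet365.com
0.0.0.0 facebook.com
"""

# Constructed local additions, one domain per line (the "own domains" case).
LOCAL_DOMAINS = """\
# my own additions
doh.example-resolver.test
gambling.example
"""

HOSTS_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]*[a-z0-9]$")


def parse_blocklist(text):
    """Return the set of domains in a hosts-format or plain-domain blocklist.

    Comments, blank lines, loopback names and anything that is not a valid
    hostname are dropped; names are lowercased so duplicates collapse."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in HOSTS_ADDRS:      # hosts format: "0.0.0.0 name [name ...]"
            fields = fields[1:]
        for name in fields:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not DOMAIN_RE.match(name):
                continue
            domains.add(name)
    return domains


def collapse_subdomains(domains):
    """Drop names whose parent is itself blocked: the RPZ wildcard emitted for
    the parent already covers them, which keeps the zone small."""
    blocked = set(domains)
    kept = []
    for name in sorted(blocked):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(p in blocked for p in parents):
            kept.append(name)
    return kept


def build_rpz(block, allow=(), origin="block.rpz", serial=None):
    """Render an RPZ zone: blocked names (and everything below them) answer
    NXDOMAIN via 'CNAME .', allowed names are passed through untouched."""
    if serial is None:
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d%H"))
    allow = {a.lower().rstrip(".") for a in allow}
    block = collapse_subdomains(set(block) - allow)
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for name in sorted(allow):
        # rpz-passthru on an exact owner name takes precedence over *.parent
        lines.append(f"{name} CNAME rpz-passthru.")
    for name in block:
        lines.append(f"{name} CNAME .")     # NXDOMAIN for the name itself
        lines.append(f"*.{name} CNAME .")   # and for every name below it
    return "\n".join(lines) + "\n"


def recursor_lua_line(path):
    """The line to add to recursor.conf.lua so pdns-recursor loads the zone.
    The path is an assumption: VyOS generates its recursor config, so where
    this line has to live to survive a commit is installation-specific."""
    return f'rpzFile("{path}", {{policyName="blocklist"}})'


if __name__ == "__main__":
    domains = parse_blocklist(SAMPLE_HOSTS_LIST) | parse_blocklist(LOCAL_DOMAINS)
    print(build_rpz(domains, allow=["www.facebook.com"]))
    print("-- add to recursor.conf.lua:")
    print(recursor_lua_line("/config/user-data/block.rpz"))
```

The allowlist matters in practice because shared blocklists overblock; an exact name with rpz-passthru. wins over the wildcard for its parent, so you can unblock one host without unblocking the whole domain. Pair the zone with the point made in the second reply: if clients can still reach any resolver on port 53 (or DoH endpoints), the RPZ only blocks the ones that choose to ask your resolver.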