Block websites gambling sites, socials like Facebook etc

Can someone help us in blocking socials (Facebook), p0rn sites, gambling sites, etc.? We set rules in the firewall. We also set URL filtering in the web proxy, but it is still not working.

all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name BLOCK-FACEBOOK {
    default-action drop
    rule 20 {
        action drop
        description "block facebook"
    }
}
name BLOCK-PORNHUB {
    default-action drop
    rule 40 {
        action drop
        description "block pornhub"
    }
}
name OUTSIDE-IN {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
}
name OUTSIDE-LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    rule 50 {
        action accept
        destination {
            port 80
        }
        protocol tcp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable

I don’t understand your post. You don’t have valid rules. You’d need destination IPs, etc.

The better way to block this stuff imho is via DNS.


Personally, I run a Pi-hole container on VyOS and redirect/force DNS requests through it.

The next thing is also blocking DNS over HTTPS with a combination of Pi-hole and firewall rules.


Rules like the one you have posted don’t work. However there are other solutions, similar to what @roedie mentioned.

I’ve been playing around with two options:

  1. Redirect DNS requests to an application like Pi-hole, AdGuard or Technitium. These applications block access by overriding the DNS response.
  2. Use the DNS service of VyOS and update its config. A while ago I wrote a script that pulls DNS block-lists from the internet and updates the DNS server's configuration. An example of such a blocklist: GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!.

Please be aware that in both cases it's recommended to block outgoing DNS requests by your clients, otherwise they can bypass blocking by using another DNS server (e.g. Cloudflare or Google).
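A way to check whether clients are actually confined to the local resolver, as an added example that is not part of the thread or of any VyOS/Pi-hole code: it audits flow records for DNS that bypasses the resolver over plain port 53, DNS over TLS (853) or DNS over HTTPS to known resolver addresses. The resolver address, LAN range, DoH address list and the flow lines are all constructed here; the record format ("src dst proto dport") is an assumption, so adapt the parser to your own firewall or flow-export logs.

```python
"""Audit flow records for DNS traffic that bypasses the local resolver.

Added example, not code from the forum thread. All addresses are
constructed (documentation ranges), and the flow line format is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_RESOLVER = ip_address("192.168.1.2")   # constructed: the Pi-hole / VyOS DNS service
LAN = ip_network("192.168.1.0/24")           # constructed client network
# Constructed placeholder set of public DoH endpoint addresses; in practice this
# would be maintained from a curated list, as the thread suggests.
KNOWN_DOH_IPS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse constructed 'src dst proto dport' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def classify(flow):
    """Return a reason string if the flow bypasses the local resolver, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN:
        return None                       # only client traffic from the LAN is audited
    if src == LOCAL_RESOLVER:
        return None                       # the resolver itself may reach its upstreams
    if flow.dport == 53 and dst != LOCAL_RESOLVER:
        return "plain DNS to external resolver"
    if flow.dport == 853:
        return "DNS over TLS"             # DoT always bypasses the local resolver
    if flow.dport == 443 and dst in KNOWN_DOH_IPS:
        return "DNS over HTTPS to known resolver"
    return None


def audit(text):
    """Return (src, dst, reason) for every flow that bypasses the resolver."""
    return [(f.src, f.dst, reason) for f in parse_flows(text) if (reason := classify(f))]


# Constructed sample flows: one legitimate lookup, three bypass attempts,
# one ordinary HTTPS connection and the resolver's own upstream query.
SAMPLE_FLOWS = """
192.168.1.50 192.168.1.2 udp 53
192.168.1.50 198.51.100.1 udp 53
192.168.1.51 198.51.100.2 tcp 853
192.168.1.52 203.0.113.10 tcp 443
192.168.1.52 198.51.100.7 tcp 443
192.168.1.2 198.51.100.3 udp 53
"""

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

If the audit reports anything, the firewall rules that should force clients through the resolver are incomplete; plain port 53 and 853 can be dropped outright, whereas DoH on 443 can only be stopped by address (or domain) lists, which is why the thread pairs Pi-hole with firewall rules for it.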

Easiest would be to download the RPZ list from oisd.nl and add rpzFile("list.rpz") to recursor.conf.lua.

You can also add your own domains to the list.
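The two approaches above (a script that turns downloaded blocklists into resolver configuration, and an RPZ file loaded by the recursor with your own domains appended) share one core step: turning a list of domain names into a zone the resolver can apply. The following is an added example of that step, not code from the thread or from the hagezi or oisd projects. It assumes lists in plain one-domain-per-line or hosts ("0.0.0.0 name") format and emits a standard RPZ zone, in which a CNAME to "." makes the resolver answer NXDOMAIN for the name and its subdomains; the zone origin, sample list contents and local additions are constructed.

```python
"""Build an RPZ zone from downloaded blocklists plus local additions.

Added example (not from the thread or the blocklist projects). Input lists
and the zone origin are constructed; fetching the lists is left to the
caller (e.g. urllib or curl) so this runs offline.
"""
import re

# One DNS label per group: alphanumeric, internal hyphens allowed, 1-63 chars;
# whole name at most 253 chars with an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_blocklist(text):
    """Extract domain names from domain-list or hosts-format text.

    Comments and blank lines are skipped; anything that is not a valid
    hostname is dropped so a malformed list line cannot break the zone.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        # hosts format puts a sink address first; take the name column
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            name = parts[1]
        else:
            name = parts[0]
        name = name.rstrip(".")
        if DOMAIN_RE.match(name):
            domains.add(name)
    return domains


def build_rpz(domains, origin="block.local", serial=1):
    """Render an RPZ zone: every listed name and its subdomains -> NXDOMAIN."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.localhost. {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for name in sorted(domains):
        lines.append(f"{name} CNAME .")     # the name itself
        lines.append(f"*.{name} CNAME .")   # and everything below it
    return "\n".join(lines) + "\n"


# Constructed sample inputs: one hosts-format list, one plain list with a
# malformed entry, and a set of locally added domains.
SAMPLE_HOSTS_LIST = """\
# constructed sample, hosts format
0.0.0.0 tracker.example
0.0.0.0 ads.example
"""
SAMPLE_DOMAIN_LIST = """\
# constructed sample, plain domain list
casino-example.test
-bad-.test
"""
LOCAL_ADDITIONS = {"social.example"}


def merged_zone():
    """Combine both sample lists with the local additions into one zone."""
    domains = parse_blocklist(SAMPLE_HOSTS_LIST) | parse_blocklist(SAMPLE_DOMAIN_LIST)
    return build_rpz(domains | LOCAL_ADDITIONS, serial=20240101)


if __name__ == "__main__":
    with open("list.rpz", "w") as fh:
        fh.write(merged_zone())
```

The output file is what the rpzFile("list.rpz") line in recursor.conf.lua would load; bump the SOA serial on every regeneration so the recursor notices the change, and keep the local additions in a separate file under version control rather than editing a downloaded list.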