Any way to block all DNS queries and whitelist some?

My first thought was to use the proxy.
Second thought: make a firewall rule to allow communication to Adobe.
Then block that pc from everything else

I’ll add a shameless plug for something I have been experimenting with:

Instead of blocking DoH, you can use it to block MS.

Think of it as changing the topic title to MSblock - Blocking MS via RPZ.

Do you know the domain names (maybe with sub-domains) you want to block?


Well, I’m looking to block literally everything on that Windows client; not just MS. And only allow what’s necessary to run Adobe’s crap.

Well, for now, I am just doing this all with two virtual machines that are configured with a NAT network. IPFire is the DHCP for the client to get an IP address. But I use regular NAT for the IPfire VM to get to the Internet.

So, one VM is IPfire and the other being my Windows client where I want to block literally everything except for Adobe’s shady stuff.

But yes, I do have Pihole on my actual network.

How would I go about doing that? The second thought.

Something like:
Rule 1
Source “pc” NAT destination “Adobe ip” could be network group.
Rule 2
Source “pc” NAT destination " Any " drop

Could add ports or service group to Rule 1
@jon has some other posts that use firewall rules that are more sophisticated.
Using RPZ and ASN. Which is very cool.
But not through the WUI.

I’d much rather avoid specifying a single IP address. Mainly because IP addresses do change. The apps themselves would use DNS as a means to validate with Adobe’s servers most likely.

That’s where what @jon did above is so amazing.
You could allow traffic to a specific Domain.
And block everything else from that client.
It’s just not built-in.

Alright then. Guess I’ll look into that.

So, can this be used to block all domains and whitelist a couple?

For MS, you might be able to use this RPZ. I know nothing about the list so make sure you review before using!

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/native.winoffice.txt

Okay. But I want to block everything except for Adobe’s crap servers when Adobe’s shady subscription is validated.

Hi,
to block everything except what you want, I have tested this:

server:
  module-config: "respip validator iterator"

rpz:
  name: allow
  #zonefile: zonefiles/allow.rpz.zone
  zonefile: /etc/unbound/zonefiles/allow.rpz.zone
  rpz-action-override: passthru
  rpz-log: yes
  rpz-log-name: allow

rpz:
  name: block
  #zonefile: block.rpz.zone
  zonefile: /etc/unbound/zonefiles/block.rpz.zone
  rpz-action-override: nxdomain
  rpz-log: yes
  rpz-log-name: block

In block.rpz.zone:

* CNAME .

Everything is blocked; you add sites to the allowlist for any IPFire updates and the other domains you need.

ty
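To see why the two zones above have to appear in that order, here is an added example (not from the thread or from Unbound itself) that writes the allow and block RPZ zone files from a constructed allowlist and models Unbound's first-match evaluation of the zones in config order. The allowlist domains and the `localhost.` SOA/NS values are assumptions.

```python
"""Generate allow/block RPZ zones and model first-match policy evaluation."""

# Constructed allowlist; replace with the domains the client really needs.
ALLOWED = ["adobe.com", "adobelogin.com"]

# Every RPZ zone needs a SOA and NS to load; the names here are placeholders.
RPZ_HEADER = (
    "$TTL 300\n"
    "@ SOA localhost. root.localhost. 1 3600 900 604800 300\n"
    "@ NS localhost.\n"
)


def allow_zone(domains):
    """Allow zone: exact name AND every subdomain (a wildcard alone never
    covers the apex, so both records are needed)."""
    body = "".join(
        f"{d} CNAME rpz-passthru.\n*.{d} CNAME rpz-passthru.\n" for d in domains
    )
    return RPZ_HEADER + body


def block_zone():
    """Block zone: the single wildcard from the post, every name -> NXDOMAIN."""
    return RPZ_HEADER + "* CNAME .\n"


def matches(qname, owner):
    """RPZ QNAME trigger match: '*' covers everything, '*.x' covers strict
    subdomains of x (note the leading dot, so 'notadobe.com' is not a hit)."""
    qname = qname.rstrip(".").lower()
    if owner == "*":
        return True
    if owner.startswith("*."):
        return qname.endswith(owner[1:])
    return qname == owner


def build_policy(domains):
    """Zones as (owner names, rpz-action-override) in config order."""
    allow_owners = [o for d in domains for o in (d, f"*.{d}")]
    return [(allow_owners, "passthru"), (["*"], "nxdomain")]


def resolve_policy(qname, zones):
    """First zone with a matching trigger decides, as Unbound walks rpz: blocks."""
    for owners, action in zones:
        if any(matches(qname, o) for o in owners):
            return action
    return "resolve"  # no trigger matched: ordinary recursion (never reached here)
```

Swapping the zone order makes the `*` trigger win for every name, which is the failure mode to check for when the allowlist suddenly stops working.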

This is massive overkill. Yes, you could do the above but it will probably render everything unusable.

@dreaper - you really need to specifically list what you want allowed and what you want blocked.

Yes, it is overkill, but adding an allowed domain is not complicated.
I have added many domains and IPFire works fine.
But if it were possible through the web UI, that would be best.
ty



As I said, the machine is only going to be a production machine. So, massive overkill is what I want. Don’t worry. This is just something I’m testing in a virtual machine. Because maybe I could use a Raspberry Pi later on for a single machine to keep the machine completely isolated and then only allow certain things to be accessible.

In this test case, I just need it to call home to Adobe’s crap servers to validate a ‘subscription’, nothing else. Or, I could use something else that I want to whitelist.

To block everything except what you want, I have tested this

That’s what I am looking for. Block every domain and whitelist what I need.

This sort of thing would be great if it was in the WUI

For all those wondering about how to do this, I found the easiest solution was just to use a PiHole server. Then under the Domains, I just add a regex expression (.*) and blacklist it; a wildcard for blocking all domains. And for anything I want to allow, like maybe Adobe’s servers to validate a subscription, I just whitelist that domain. Or use another regex expression that allows anything from Adobe. Like *.adobe.com or something.

Also, I can just make another group and apply that regex blacklist to it. Then I could specify which machine I want to be completely filtered as well. So, I could do this on my home network and it wouldn’t cripple the Internet for me. It would just cripple it for the client machine that is running Microsloth’s malware infested operating system.

And, if I ever have the misfortune of needing Windows for work (that requires Internet for a specific thing, like Adobe for example), this is what I could do. So, this is perfect for a production only machine that needs to run on bare metal.

And this is how you maintain absolute control over Windows today (as far as I am concerned). To think, PiHole was the answer all along.

Though, if I ever need Windows, I’m just going to keep it completely disconnected and isolated in a virtual machine with a custom iso.

Well, this was a fun experiment. I had a laugh when I saw the stock version of Windows trying to call home like crazy to Microsloth to do nefarious things to my virtual machine (and fail). No more forced updates. No more unwanted changes. No more spying and ads being pushed. :rofl: