Why is it difficult to set up a URL filter in this firewall? It takes one click on other firewalls like Sophos and those work. I have spent the entire night configuring this without success. Can someone help?
My version is IPFire 2.29 (x86_64) - Core-Update 189
What mode are you running the proxy in?
The URL Filter option requires the proxy to be enabled and devices to use it - this gets a bit more complicated to enforce unless you use the transparent option (and that can be a problem with SSL sites which unfortunately is many).
Alternatively you can try blocking by preventing traffic going to those addresses at all through the firewall.
Keep in mind that some modern devices will actively try and avoid some restriction attempts, e.g. use their own DNS instead of gateway/ISP provided to resolve IP addresses.
You can't firewall via FQDN DNS names directly… but you can mask off all of the Facebook ASN IP address ranges.
You can find these from some helpful network BGP/Looking Glass toolkits, e.g.:
Adding the higher level IP ranges would effectively block off Facebook.
Actually that list is a little excessive in that it includes some addresses and ranges within others already present, e.g.:
31.13.64.0/18 covers all the way up to 31.13.127.254, so the subsequent 31.13.. entries are ignorable.
You can use this to help figure out which ranges are actually effectively overlapping others:
Here's what I did years ago, not on my network. But AFAIK it still works because I've been asked to allow new people to the allow list.
The ASN of Facebook is AS32934.
In a Linux terminal run the command:
/usr/bin/whois -h whois.radb.net '!gAS32934' | grep --color -E '/19|/18|/17|/16'
In the "firewall groups" create a network for each network IP, for example:
name : facebook 129
network address : 129.134.0.0
netmask: 255.255.0.0
name : facebook 157
network address : 157.240.0.0
netmask: 255.255.0.0
name : facebook 31
network address : 31.13.0.0
netmask: 255.255.0.0
In the "firewall groups" create a "network/host group" and add each network created before.
In the "firewall rules" create a new rule:
source > standard networks : green
destination > network/host groups : facebook
reject
If you need to permit access to some users, create a new rule, add the IP and permit all traffic.
Also create another group called "facebook allow". Then add in "hosts" each IP that was allowed.
Then we were able to create a single rule that enables Facebook for this group. (Make sure to move the rule above the "deny" rule.)
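The two posts above boil down to one procedure: pull the ASN's prefixes from whois, drop the ranges that are already covered by a larger one (the overlap problem noted earlier in the thread), and turn what is left into the network address / netmask pairs that IPFire's firewall-groups form wants. The script below is an added example and not code from the thread or from IPFire. It works offline on a constructed sample shaped like an IRRd `!g` reply (an `A<length>` header, one space-separated prefix line, then `C`); the prefixes in it, the `facebook` label and the `max_prefixlen` cut-off mirroring the `grep -E '/19|/18|/17|/16'` filter are all assumptions chosen to exercise each case.

```python
import ipaddress
import re

# Constructed sample in the shape of an IRRd "!gAS32934" reply. Not a real capture:
# the prefixes were chosen so that some ranges sit inside larger ones.
SAMPLE_WHOIS_OUTPUT = """\
A112
31.13.64.0/18 31.13.64.0/24 31.13.65.0/24 129.134.0.0/16 129.134.30.0/23 157.240.0.0/16 157.240.1.0/24 185.60.216.0/22
C
"""

PREFIX_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")


def extract_prefixes(text):
    """Pull every IPv4 CIDR prefix out of raw whois output, deduplicated, order kept."""
    seen = {}
    for match in PREFIX_RE.findall(text):
        net = ipaddress.ip_network(match, strict=False)
        seen.setdefault(net, None)
    return list(seen)


def redundant_prefixes(prefixes):
    """Prefixes that lie entirely inside another prefix in the list (safe to drop)."""
    return [n for n in prefixes
            if any(n != other and n.subnet_of(other) for other in prefixes)]


def collapse_prefixes(prefixes):
    """Minimal covering set: drops contained prefixes and merges adjacent ones."""
    return list(ipaddress.collapse_addresses(prefixes))


def aggregates_only(prefixes, max_prefixlen=19):
    """Same idea as the grep for /19, /18, /17, /16: keep only the large blocks."""
    return [n for n in prefixes if n.prefixlen <= max_prefixlen]


def to_ipfire_entries(prefixes, label="facebook"):
    """Network address + dotted netmask pairs, as IPFire's firewall-groups form expects."""
    return [{"name": f"{label} {n.with_prefixlen}",
             "network address": str(n.network_address),
             "netmask": str(n.netmask)} for n in prefixes]


if __name__ == "__main__":
    nets = extract_prefixes(SAMPLE_WHOIS_OUTPUT)
    for n in redundant_prefixes(nets):
        print(f"redundant, covered by a larger block: {n}")
    for entry in to_ipfire_entries(collapse_prefixes(nets)):
        print(entry)
```

Run it against real output by piping the whois command into it instead of the constructed sample. Note that `collapse_prefixes` also merges adjacent blocks (two neighbouring /19s become one /18), so the entry list can be shorter than the whois output even when nothing overlaps; `redundant_prefixes` alone answers the narrower question of which listed ranges are already covered.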
Transparency I guess. I followed instructions from the ipfire community.
You need to use non-transparent
if you want to block HTTPS sites.
Have you thought of RPZ, without URL lists added but using blacklists and adding facebook.es, .com, .in, etc.?
It would be a block via DNS.
It's an idea, I don't know if it will work.
Did that too and not success.
Try something and send me steps if you can. I spent the entire night reading and trying some steps that were futile.
If you try to block your kids from visiting certain sites or using certain services, the only way is to talk to them and establish a relationship where they trust your advice. You have to teach them what is good, what is evil, what is dangerous etc. If you try to use technology to solve a social problem, you have no chance to win. They will find ways around your obstacles (no matter how many you install) or simply visit the sites from outside of your home where you have no control and you have no idea what they do. From my experience, it's better and much more rewarding to surf the web together with the kids and discuss what you see.
I will try it
You will need to block ports 443 and 80.
Or your device may bypass the proxy.
I used to use cleanbrowsing.org when my child was younger. It is a paid DNS service and has lots of filtering options, including social media, ads, adult sites and malware sites. It was very effective and reasonably priced. It worked fine with IPFire. I discontinued the service when my child reached adulthood.
I will try that too. Thanks
Thanks. I will look into it.
Hi @borg.
I have tried this and it worked fine for me.
Result:
Obviously, the DNS must be IPFire's. If you use Google's or other DNS, this stops working. I think there is a procedure to force the use of IPFire's DNS.
Try and comment Us.
Bye.
With all these DNS solutions, you must force clients to use IPFire for DNS to stop them using DoT, DoH or other direct DNS lookup mechanisms. Browsers often bypass DNS servers. In Firefox there is a "canary domain" that you need to intercept to stop it using its own DoH. I don't know about other browsers but I believe there are ways of stopping them using DoH.
Some antivirus apps also provide their own secure DNS services which will bypass IPFire.
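Forcing clients onto IPFire's resolver is only half the job; you also want to see which devices are still trying to go around it. The script below is an added example, not something from the thread or from IPFire: it scans netfilter-style firewall log lines for DNS traffic that bypasses the firewall's own resolver (plain port 53 to anything other than IPFire, DNS over TLS on port 853, and port 443 to addresses on a locally maintained list of DoH endpoints). The log lines, the green-interface address `192.168.1.1` and the `KNOWN_DOH_RESOLVERS` set are constructed assumptions using TEST-NET addresses, not a real capture or a real resolver list; DoH over plain port 443 to an unlisted address cannot be told apart from ordinary HTTPS by port alone, which is exactly why the thread recommends blocking the destination ranges outright.

```python
import re
from ipaddress import ip_address

# Assumption: IPFire's green-interface address is the only sanctioned resolver.
IPFIRE_GREEN_IP = ip_address("192.168.1.1")

# Assumption: a locally maintained list of public DoH endpoint IPs (TEST-NET placeholder).
KNOWN_DOH_RESOLVERS = {ip_address("198.51.100.53")}

# Constructed log lines in the general shape of iptables/netfilter log output.
# Not a real IPFire capture; addresses and ports were chosen to exercise each case.
SAMPLE_LOG = """\
May  1 10:00:01 ipfire kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.23 DST=198.51.100.1 PROTO=UDP SPT=50123 DPT=53
May  1 10:00:02 ipfire kernel: INPUT IN=green0 SRC=192.168.1.23 DST=192.168.1.1 PROTO=UDP SPT=50124 DPT=53
May  1 10:00:03 ipfire kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=41000 DPT=853
May  1 10:00:04 ipfire kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.40 DST=198.51.100.53 PROTO=TCP SPT=41001 DPT=443
May  1 10:00:05 ipfire kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.40 DST=203.0.113.80 PROTO=TCP SPT=41002 DPT=443
"""

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Extract the netfilter key=value fields we need; None if the line lacks them."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return {"src": ip_address(fields["SRC"]), "dst": ip_address(fields["DST"]),
            "proto": fields["PROTO"], "dpt": int(fields["DPT"])}


def classify(rec):
    """Return a reason string when the flow looks like DNS that skips IPFire, else None."""
    if rec["dpt"] == 53 and rec["dst"] != IPFIRE_GREEN_IP:
        return "plain DNS to external resolver"
    if rec["dpt"] == 853:
        return "DNS over TLS"
    if rec["dpt"] == 443 and rec["dst"] in KNOWN_DOH_RESOLVERS:
        return "DNS over HTTPS (known resolver IP)"
    return None


def find_dns_bypass(log_text):
    """Scan log text and return (src, dst, dport, reason) tuples for each suspect flow."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append((str(rec["src"]), str(rec["dst"]), rec["dpt"], reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in find_dns_bypass(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Feed it the firewall log (in IPFire that is what the firewall log viewer or `/var/log/messages` shows) to get a per-client list of resolvers being contacted directly; a device that keeps appearing is one whose DNS settings or browser DoH configuration still need attention.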
This is the exact reason why in my post above I just go straight to the point of blocking the traffic to facebook through the firewall.
It's faffy but would work regardless of using the proxy or not.
Other steps blocking DNS or using the proxy can potentially be bypassed (you can easily configure your favourite browsers or mobile devices to use DNS over TLS/HTTP) - hell, even blocking access to Facebook via the firewall is just one Tor session away from being bypassed, and that's assuming there isn't a rogue open WiFi connection available or access via a mobile connection.