There are several options for blocking websites with pfSense. This page describes them.
If using the built-in DNS Forwarder, you can enter an override under Services > DNS Forwarder to resolve the website you want to block to an invalid IP (such as 127.0.0.1).
If a website rarely changes IP addresses, access to it can be blocked using firewall rules. This is not a feasible solution for sites that return low TTLs and spread the load across many servers and/or datacenters, such as Google and similar very large sites. Most small to mid-sized websites can be effectively blocked using this method as they rarely change IPs.
You can enter a hostname in a network alias, and then apply that alias to a block rule. Note that with version 1.2.3 the hostname is only resolved when the filter rules are loaded, so you will want to schedule a filter reload with cron unless running 2.0.
Another option is finding all of a site's IP blocks, creating an alias with those networks, and blocking traffic to those destinations. This is especially useful with sites such as Facebook that are spread across large amounts of IP space, but are constrained within a few net blocks.
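The following is an added example, not part of the original page or of pfSense itself: it collapses the net blocks collected for a site into the shortest list to enter in an alias, then reports which currently resolved addresses fall outside that alias and would therefore not match the block rule. The function names are hypothetical, and the blocks and addresses are constructed samples taken from documentation ranges.

```python
import ipaddress

# Constructed sample: net blocks gathered for a site (documentation ranges only).
SAMPLE_BLOCKS = [
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the block above, merges into a /24
    "203.0.113.0/24",
    "203.0.113.64/26",     # already contained in 203.0.113.0/24
    "2001:db8:100::/48",
]

# Constructed sample: addresses the site's hostnames resolved to at audit time.
SAMPLE_RESOLVED = [
    "198.51.100.17",
    "203.0.113.80",
    "192.0.2.44",          # outside every collected block
    "2001:db8:100::5",
    "2001:db8:200::9",     # outside every collected block
]


def build_alias(cidrs):
    """Collapse collected CIDR blocks into the minimal network list for an alias."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]
    # collapse_addresses() rejects mixed versions, so handle IPv4 and IPv6 apart.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def uncovered(alias_nets, resolved_ips):
    """Return resolved addresses that no alias network contains (gaps in the block)."""
    addrs = {ipaddress.ip_address(ip.strip()) for ip in resolved_ips}
    ordered = sorted(addrs, key=lambda a: (a.version, int(a)))
    return [a for a in ordered if not any(a in net for net in alias_nets)]


if __name__ == "__main__":
    alias = build_alias(SAMPLE_BLOCKS)
    print("Alias networks:")
    for net in alias:
        print("  ", net)
    print("Resolved addresses not covered by the alias:")
    for addr in uncovered(alias, SAMPLE_RESOLVED):
        print("  ", addr)
```

Any address reported as uncovered means the collected net blocks are incomplete or the site has moved, which is the failure mode described above for sites that change IPs often.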
The Squidguard package can be configured to block sites.
With any of the above methods, there are many ways to get around the blocks you define. The easiest and likely most prevalent is using any number of proxy websites. Finding and blocking all of these individually and keeping the list up to date is impossible. The best way to ensure these sites are not accessible is to use content filtering capable of blocking by category, such as OpenDNS's free service, which has a category for proxy sites.