Layer 7 / FQDN filtering

I’ve got my home network set up now, running most of it on XCP-NG with pfSense as a router / firewall. I also have UniFi networking equipment with a USG, but the USG is only really for monitoring since switching to pfSense. All this is with big thanks to the videos and forum of Lawrence Systems!

I’ve watched the videos on NGBlocker, Snort and Suricata, but I’m not sure these really solve my problem.

I’ve solved basic web filtering by allowing all on 80/443 and then using DNS filtering, but I want a bit more control over what happens with ports on my guest and main wireless networks.

E.g. if the destination is WhatsApp (as an example), allow XYZ ports.

It would be good to run this in pfSense, but as far as I can tell it doesn’t really operate at this level and the plugins are not aimed at this task.

I’ve no issue with running another service on my WAN / gateway out.

The ideal solution would:

  • Have a pre-canned list of applications/ports.
  • Run in blocking / allow mode.
  • Log / audit blocked / allowed applications so I can allow/block them.
  • Allow multiple rulesets so I can have stricter policies for guests.
  • As a bonus, support per user/client rules.

I looked briefly at Sophos XG Firewall (free home edition) and OPNsense, and it’s possible they might do it, but I haven’t dug very deep into these.

Is there an out of the box free/open source solution or failing that a low cost model?

On my WAN interface I only need 100MB throughput, so cheaper software / appliances would be okay.

pfSense can continue to handle all my gigabit LAN traffic / routing.

Untangle offers decent application layer filtering and they have a home version that is only $50 per year. https://youtu.be/WYhOgQ8JyYI

Thanks. Looking forward to the deep dive video. It looks similar to Sophos XG.

What I was hoping for was some sort of “learning mode” where it logs activity and after a week or two I can say allow X, Y, Z, block everything else and alert me to new applications.

I want to arrive at …

  • Allow any 80 / 443 traffic
  • Block bad acting sites, adverts etc. (which I can do with DNS now)
  • Allow WhatsApp: allow ports 1, 2, 3, 4
  • Allow O365: allow ports 5, 6, 7
  • etc.

but without having to do it all manually and based on FQDN (reverse DNS) as IPs change.

I think your solution sounds more elegant … I’ve created a list of ports in an alias which I use; it took a while to troubleshoot applications, but now it’s stable after a year :slight_smile:

If you crack your problem in pfSense, I would be interested to hear your solution.

I’ve done that too for the key things I know about. E.g. my guests have a standard port list: 80, 443, 110, 25, etc.

Then for my main network I had an “enhanced access list”, but it is already a pain to administer, and I found I had to allow all IPs because the IP (which is resolved on the client) isn’t always the same. Having ports open to all IPs seemed to defeat the point.

I did wonder if I’d missed a trick with Suricata, but having read this thread: https://forum.netgate.com/topic/85383/suricata-passlist I’m not the first to come up against it.

I thought about using the logs and scripting it, but the issue is dynamic IPs. You really need the rule to say allow “some.domain.com” TCP 1234 and then do a reverse lookup on the incoming packet and cache the IP for performance.

That’s going to be a code change, because although aliases can handle host names they don’t seem to work in a way which supports this. Your client could resolve one IP and pfSense another. Reverse DNS on incoming packets is the only way to do it (I think).

For now I’ve just spun up Untangle and Sophos XG to play around with. I doubt I will solve it for pfSense unless I find some time to learn how to code it, but that is yet another project for the list of things I don’t have time for.

I might write up a requirements / spec and share on netgate.
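The rule shape sketched in the post above (allow “some.domain.com” TCP 1234, with the firewall resolving the name, falling back to a reverse lookup, and caching answers for a TTL) as an added Python illustration; this is not code from the thread, pfSense or any of the products mentioned. The DNS answers, hostnames and addresses are constructed stand-ins so it runs offline; a real deployment would plug in the firewall’s own resolver.

```python
import time

class FqdnPolicy:
    """Evaluate allow rules of the form (fqdn, proto, port) against connections.

    resolver(fqdn) -> iterable of IP strings; reverse(ip) -> hostname or None.
    Both are injected (constructed stand-ins below), so nothing touches real DNS.
    ttl bounds how long a resolved answer is trusted before it is refreshed,
    which is what makes dynamic IPs tolerable.
    """

    def __init__(self, rules, resolver, reverse, ttl=300, clock=time.time):
        self.rules = [(f.lower(), p.lower(), int(port)) for f, p, port in rules]
        self.resolver, self.reverse, self.ttl, self.clock = resolver, reverse, ttl, clock
        self._fwd = {}   # fqdn -> (expires_at, set of IPs)
        self._rev = {}   # ip -> (expires_at, hostname)
        self.audit = []  # (ip, proto, port, decision, reason): the "learning mode" log

    def _forward(self, fqdn):
        exp, ips = self._fwd.get(fqdn, (0, set()))
        if exp <= self.clock():  # expired or never resolved: refresh and re-cache
            ips = set(self.resolver(fqdn))
            self._fwd[fqdn] = (self.clock() + self.ttl, ips)
        return ips

    def _reverse(self, ip):
        exp, name = self._rev.get(ip, (0, None))
        if exp <= self.clock():
            name = self.reverse(ip)
            self._rev[ip] = (self.clock() + self.ttl, name)
        return (name or "").lower().rstrip(".")

    def decide(self, dst_ip, proto, port):
        proto, port = proto.lower(), int(port)
        decision, reason = "block", "no matching rule"
        for fqdn, rproto, rport in self.rules:
            if (rproto, rport) != (proto, port):
                continue
            if dst_ip in self._forward(fqdn):          # firewall-side forward answer
                decision, reason = "allow", f"{fqdn} resolved to {dst_ip}"
                break
            rname = self._reverse(dst_ip)               # fallback: PTR under the rule name
            if rname == fqdn or rname.endswith("." + fqdn):
                decision, reason = "allow", f"reverse lookup {dst_ip} -> {rname}"
                break
            reason = f"{proto}/{port} matched {fqdn} but {dst_ip} is not its address"
        self.audit.append((dst_ip, proto, port, decision, reason))
        return decision, reason

    def unknown_destinations(self):
        """Learning-mode view: blocked (ip, proto, port) tuples to review and allow-list."""
        return sorted({(ip, p, pt) for ip, p, pt, d, _ in self.audit if d == "block"})

# Constructed DNS answers standing in for real lookups (illustrative placeholders).
FAKE_FORWARD = {"chat.example.com": {"203.0.113.10", "203.0.113.11"}}
FAKE_REVERSE = {"203.0.113.12": "edge3.chat.example.com.", "198.51.100.5": None}

def demo():
    policy = FqdnPolicy(
        rules=[("chat.example.com", "tcp", 5222), ("mail.example.net", "tcp", 587)],
        resolver=lambda f: FAKE_FORWARD.get(f, set()),
        reverse=lambda ip: FAKE_REVERSE.get(ip),
    )
    flows = [("203.0.113.10", "tcp", 5222),   # allow: forward answer matches
             ("203.0.113.12", "tcp", 5222),   # allow: PTR name sits under the rule FQDN
             ("198.51.100.5", "tcp", 5222),   # block: right port, not the named host
             ("203.0.113.10", "tcp", 8080)]   # block: no rule for that port
    return [policy.decide(*f)[0] for f in flows], policy.unknown_destinations()
```

The reverse-lookup fallback is the weak leg: many hosted services return a generic CDN name or no PTR at all, so in practice the forward answer and its TTL do most of the work and the audit list is what you review before widening a rule.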

Oh wow, you’ve really been giving this some thought. I’m definitely not on your level, though I too would like to have a secure network.