Block all outbound traffic except whitelisted domain and subdomain

Only to some PCs of the LAN i should only allow these domains:
and deny all the internet;
even setting up a proxy squid, Lark software needs to have direct access to these domains without going through the proxy;
how do i configure il firewall?
how can I do it?

Are you using authenticated proxy or transparent?
Do you know which ports need to be contacted by your software?


A very simple way would ONLY allowing the NethServer (Proxy) access to the Internet (Ports 80/443).
The rest would be handled with a modified WPAD file (proxy.pac).
WPAD allows statements like DIRECT, to access your Lark Software without going through the proxy…

See here for details:

Note, I’ve used this for clients in the past - it works!

My 2 cents

Sample Proxy.pac:

// proxy.pac Musterdatei fuer SME Server von ANWI Consulting
// proxy.pac sample file for SME Server by ANWI Consulting
// Script by:    Andy Wismer 
// E-Mail:       myEMAIL
// Created:      02.06.2001
// Last updated: 09.07.2015 
// Copyright: (c)2001-2015, ANWI Consulting 

function FindProxyForURL(url, host) {

// Falls hostname ohne Domain, sende direct.
// If the hostname without domain, send direct.
    if (isPlainHostName(host))
        return "DIRECT";
// Falls hostname passt, sende direct.
// If the hostname matches, send direct.
    if (dnsDomainIs(host, "") ||
        shExpMatch(host, "(*|"))
        return "DIRECT";
// Falls Protocol oder URL passt, sende direct.
// If the protocol or URL matches, send direct.
    if (url.substring(0, 4)=="ftp:" ||
        shExpMatch(url, "*"))
        return "DIRECT";
// Falls Website im Internen LAN, sende direct.
// If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "", "") ||
        isInNet(dnsResolve(host), "",  "") ||
        isInNet(dnsResolve(host), "",  "") ||
        isInNet(dnsResolve(host), "", ""))
        isInNet(dnsResolve(host), "", ""))
        return "DIRECT";
// If IP Adresse der lokale Machine innerhalb eine Bestimmten SubNetz, 
// sende an bestimmten Proxy.
// If the IP address of the local machine is within a defined
// subnet, send to a specific proxy.
    if (isInNet(myIpAddress(), "", ""))
        return "PROXY";
// DEFAULT REGEL: Alle anderen Verkehr verwendet folgende Proxies in der Reihenfolge.
// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
// return "PROXY; PROXY";
    return "PROXY; PROXY";

WOW, almost 20 years ago I commented in two languages !!! :slight_smile:

1 Like

I currently use pfSense proxy squid + squidguard with NTLM and kerberos authentication, but wildcard domain aliases don’t work, so I wanted to know if it worked in Nethserver;
these are the software specifications:


great !!! I try to do the configuration and let you know, thank you very much

@Andy_Wismer in your example the “send direct” is done by the proxy or I have to create an outgoing rule with ip of the pc?
in your example the send direct is done by the proxy or I have to create an outbound rule with ip of the pc;
if I have to create the rule I can’t specify only the subdomains :frowning:



On the firewall, you could specify just the IPs, look those up with nslookup or whatever.
DIRECT means the PC has to be able to access that resource directly, without PROXY…

My 2 cents

Seems pretty straightforward to me…


  • create objects for subnets of Lark suite, and computers into hosts
  • create a group for subnets and a group for the computers
  • create a service with the port interval of media service
  • use the objects you create for two rules:
    first one from group of computers to group of subnets, for service (with a time condition? create it before create this firewall rule) as a unknown (you did not tell if these computers are into BLUE, ORANGE or GREEN) to RED and allow. Feel free to log the rule if you think is necessary
    second one from group of computers to internet (red) as deny; i suggest you to log the match as a test.

Then switch to the Proxy.

  • Create a policy for allow only whitelisted domains
  • Add as whitelist the domain your suite refferred
  • You can also allow as a global whitelist or a domain to access without authentication (it depends from your current setup)
  • in any case, apply the policy of proxy created to the objects of the computer “limited”.

This as general rule of thumb.
Most of this approach need a bit of adaptation, the media server will blatantly skip all the proxy and only the content filtering will control the access to the domain; the setup should be adapted to your current configuration.

Everything i wrote here completely fails IF the DNS server is outside the same subnet/segment of the “limited access” computers.

@pike unfortunately by setting the proxy on windows internet settings and inside the Lark program, the software in any case to make calls and meeings exits directly on the gateway for domains and subdomains and never passes through the proxy

  • “*”
  • “*”
  • “*”
  • “*”

The transparent proxy do not need any configuration on the computer/software/service.
You are using the proxy, but no configuration is done on the end-device. Phone, PC, Printer, any device.
Through the configuration of the proxy you can even bypass content filtering/proxy to the specific device/ip for specific domainlist.

1 Like

Windows standards, even nowadays with the latest Win10, Windows will automatically use available and - without any configuring!

So you can use that to “bend” the rules (proxy.pac) as needed!

My 2 cents

Thanks for the like/heart @xalex77 but please explain me why…

on the firewall gateway I installed the squid transparent proxy + squidguard and enabled the domains and subdomains required witch wildcard ( * , so this solution solved my problem :wink: