Blocking all sites, allowing only specific

Hello, I figured I’d check out this forum and see if anyone can point me in the right direction. I am interested in blocking all sites on my laptop but only allowing certain sites I make permissible. This can be done on iOS and macOS easily; Android not so much, as it requires two devices. I looked into doing this on Linux but I’m not sure if it’s possible currently. I understand you can do so through routers, such as OpenDNS, but I am looking for a device lock, not the internet. I’d like the device to be locked down so any internet it logs into it can only access one or two websites. I looked into iptables and nftables, but it seems you can’t allow domain names, you can only allow/block by the IP address. Most sites these days don’t allow you to access their site through the IP address directly, because of virtual hosts and such. I was hoping there may be something I’m unaware of. I know about /etc/hosts but that won’t help as you can’t block all sites. Any advice is much appreciated.

Hi @auggi3 and welcome to the Manjaro community

Uncomplicated Firewall (UFW) will help achieve your goal.

See the Manjaro Wiki Firewalls article for information on how to install and enable UFW. Setting UFW to the Home profile will deny all incoming traffic, while allowing all outgoing traffic. From that point, you will need to actively allow only traffic you specifically want to let in.

More information about UFW may also be found in the Arch Wiki Uncomplicated Firewall article.

UFW is one of the simpler solutions; however, it requires effort on your part to learn the rules syntax and understand how firewalls work in Linux.

Here are some additional resources:

In addition to UFW, there is OpenSnitch which aims to replicate the functionality of the macOS LittleSnitch app. OpenSnitch will allow more fine-grained control over which applications may (or may not) send outgoing connections. You might find this an easier solution to limit outgoing destinations.

As you are new to the community, I also suggest the following links/tutorials which will help you use the forum effectively.

I hope this is helpful. Cheers.

1 Like

Another approach might be to disable DNS, then only add in a handful of domain+ip lines in /etc/hosts

(Of course, this should be coupled with the account being disallowed root access, not being in the wheel group, etc.)

Thank you both for the suggestions. I downloaded gufw and messed around with it for a bit. I set incoming and outgoing to deny and then added a rule to allow out archlinux.org’s IP address 95.217.163.246. And I tried multiple ports: 80, 22, 443. But I can’t get it to allow the website.

I like the idea; it seems simple, but maybe I’m too ignorant? I blocked all outgoing and incoming traffic in gufw, and in my /etc/hosts I wrote down the IPs and domain names of a couple of sites I like, but it didn’t unblock them.

The /etc/hosts file can be used to redirect any site to the localhost. This effectively prevents live access to those sites.

Adding sites to the hosts file in this manner will not allow access to those sites; quite the reverse; it will prevent access.

I suggest not denying outgoing traffic globally with ufw. Instead, use OpenSnitch to allow/deny access for websites. Good luck

You want a deny-all → allow scenario - that cannot be done with the hosts file.

You could take a look at [portmaster], [opensnitch] or [pi-hole].

Do not mix them - research (use the forum search and your favorite search engine) , test and stick to one of them.

portmaster and opensnitch are in the repo - pi-hole is a custom AUR script - be sure to read the Arch related [pi-hole] documentation.

Another option would be to search for kiosk mode configuration of e.g. firefox

The kiosk mode is not likely to prevent navigating using the links provided in content, but it will limit the usability:

firefox -kiosk https://forum.manjaro.org

or a customized browser which takes allowed sites from a configuration file.

$ pamac search kiosk browser
wcgbrowser-git  r131.fd26ba3-1                                    AUR
    A web browser for kiosk systems.
admbrowser-git  r155.da7b945-2                                    AUR
    Web browser for kiosks and digital signage

The admbrowser has a whitelist config option - possibly what you are looking for

pamac build admbrowser-git

That’s what I thought. /etc/hosts can only be used to block sites. It sounded like @cscs was saying you could allow sites.

If you block all outgoing traffic, there is no DNS. This means your system cannot look up an IP for archlinux.org. Either allow DNS, or use /etc/hosts for lookups.

That is not how it works. You still need to allow the IPs in your firewall.

This is not what /etc/hosts is about. If you use other IPs than localhost, it will act like a DNS server.

1 Like

In context, this is precisely what the OP was attempting; to use loopbacks as a means of restoring access to whatever sites are being focused upon.

Entries such as 127.0.0.1 barneyrubble.com clearly won’t do that.

And that is the clarification the OP surely needed, to better understand the suggestion by @cscs .

Update:- And after doing more than skimming the OP’s more recent posts, I now see this is what he attempted; albeit with the firewall blocking all outgoing connections. :eyeglasses:

And you can; just don’t block all traffic with your firewall, just DNS, or simply don’t set up a DNS server. Without DNS, no domains can be looked up. This means your browser can’t connect to archlinux.org because it doesn’t know the IP. If you then use /etc/hosts to add the correct IP for archlinux.org, your browser can connect to it.

But there are some disadvantages: the IPs might change, and many websites use multiple domains, which all need to be added, or the website might not work correctly.

It might be easier to use something like opensnitch.

But

34.223.159.112  barneyrubble.com
44.241.56.254   barneyrubble.com

does. It is not required to use /etc/hosts only with 127.0.0.1.

Yeah … what @xabbu said.
/etc/hosts is a hostname lookup table.
While most people (read: common users) commonly use it to ‘block’ things by either pointing them to 0.0.0.0 or 127.0.0.1 (localhost) … it is not at all its only function.

I might point at man hosts in general, where it provides among other things this header

hosts - static table lookup for hostnames

So if you didn’t have any other DNS resolver except /etc/hosts … and you only defined a handful of domains, i.e.

8.8.8.8 google.com

Then those would be the only resolvable domains and only at those addresses.


But come to think of it … the big browsers use their own dns by default … this is easily configurable … but too easy - the setting is in userspace. So that would need to be handled as well (locked prefs file I guess?).

I read this article a while ago while searching how to “white list” URLs. Can it be useful here? It seems to be what @auggi3 is asking for:

(Disclaimer: I don’t know if it works, I haven’t tried).

It seems Privoxy can do this. See:

https://askubuntu.com/questions/160235/how-do-i-block-the-entire-internet-except-a-few-whitelist-sites/160530#160530

It’s in the extra repository:

$ pamac search privoxy
[...]
privoxy  3.0.34-1    extra
    A web proxy with advanced filtering capabilities.

So it can be installed with:

pamac install privoxy

Note: I have never used it, so do not have any knowledge or experience with or about it.

Hope it helps!

Well probably just use what is already there? NetworkManager and Dnsmasq.

File: /etc/NetworkManager/conf.d/dns.conf

[main]
dns=dnsmasq

Then reload the config:

sudo nmcli general reload

Now you use dnsmasq as a cache for resolving domains instead of your router.

Now here comes the magic:

File: /etc/NetworkManager/dnsmasq.d/whitelist.conf

clear-on-reload
domain-needed
bogus-priv
no-resolv

# Log all queries to /var/log/nm-dnsmasq.log
# Optional, but useful to log what was requested.
log-queries
log-facility=/var/log/nm-dnsmasq.log

# Whitelist domains to DNS lookup
# google nameservers are 
# ipv4: 8.8.8.8 and 8.8.4.4
# ipv6: 2001:4860:4860::8888 and 2001:4860:4860::8844
# opendns nameservers are 
# ipv4: 208.67.222.222 and 208.67.220.220
# ipv6: 2620:119:35::35 and 2620:119:53::53
# Or just use your router ip.

# Syntax: 
# server=/Domain/DNS
# server=/Domain/Domain/Domain/...more/DNS

# Whitelist start here >>>

server=/manjaro.org/8.8.8.8
server=/manjaro.org/2001:4860:4860::8888

# <<< Whitelist ends here

# Block anything else 
address=/#/127.0.0.1
address=/#/::1

Reload it again:

sudo nmcli general reload

Try:

ping -4 google.com
ping -4 manjaro.org
ping -6 google.com
ping -6 manjaro.org

I guess that is the simplest solution, but maybe not the most user-friendly one. It is the bare minimum to do this. However… you can still enter blocked domains if you know the static IP, but mostly that will not work.

That is in general the same technique that pi-hole uses, just for blocking, but here it is whitelisting.

PS: If I get at least 10 likes, I will create a simple yad GUI for that. :grimacing:

6 Likes
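To make the two mechanisms discussed in this thread concrete (the /etc/hosts "static table" idea from @cscs and @xabbu, and the NetworkManager dnsmasq whitelist above), here is an added Python simulation that is not part of any post and not code from dnsmasq, NetworkManager or Manjaro. It parses a constructed /etc/hosts and the whitelist.conf from the post, applies dnsmasq’s matching rule for `server=/domain/` and `address=/#/` lines (the longest matching domain wins, and `#` is the catch-all), and then runs the resolved address through a stand-in outbound firewall allow-list, which is what the ufw/gufw deny-all experiment earlier in the thread was missing. The upstream answers, the allow-list and the 203.0.113.10 address for google.com are constructed placeholders; 116.203.91.91 is the manjaro.org address shown in the nslookup output above.

```python
import ipaddress

# Constructed sample data, not real resolver state: the kinds of /etc/hosts
# entries discussed in the thread. First entry for a name wins, as in glibc.
HOSTS_FILE = """\
127.0.0.1       localhost
127.0.0.1       barneyrubble.com    # "blocking" style entry
116.203.91.91   manjaro.org         # "allowing" style entry (real IP from the post)
"""

# The whitelist.conf from the post, reduced to the lines that decide routing.
WHITELIST_CONF = """\
no-resolv
server=/manjaro.org/8.8.8.8
address=/#/127.0.0.1
"""

# Constructed stand-in for what the upstream resolver (8.8.8.8) would answer.
UPSTREAM_ANSWERS = {"forum.manjaro.org": "116.203.91.91", "google.com": "203.0.113.10"}


def parse_hosts(text):
    """Build the hostname -> IP table exactly as /etc/hosts is read: first match wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            table.setdefault(n.lower(), ip)
    return table


def parse_dnsmasq(text):
    """Collect server=/domain/target and address=/domain/target rules.
    A domain of '' stands for dnsmasq's '#' catch-all."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key not in ("server", "address") or not value.startswith("/"):
            continue
        *domains, target = value.lstrip("/").split("/")   # server=/a/b/target
        for d in domains:
            rules.append(("" if d == "#" else d.lower(), key, target))
    return rules


def _matches(domain, name):
    # dnsmasq matches whole labels: manjaro.org covers forum.manjaro.org,
    # but not evil-manjaro.org.
    return domain == "" or name == domain or name.endswith("." + domain)


def dnsmasq_decide(name, rules):
    """('upstream', ip) to forward, ('address', ip) for a synthetic answer,
    or ('refused', None) when no-resolv leaves nothing to forward to."""
    name = name.lower().rstrip(".")
    best = None
    for domain, kind, target in rules:
        if _matches(domain, name) and (best is None or len(domain) > len(best[0])):
            best = (domain, kind, target)
    if best is None:
        return ("refused", None)
    return ("upstream" if best[1] == "server" else "address", best[2])


def resolve(name, hosts, rules, upstream=UPSTREAM_ANSWERS):
    """nsswitch order 'files dns': /etc/hosts first, then the local dnsmasq."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return ("hosts", hosts[name])
    kind, target = dnsmasq_decide(name, rules)
    if kind == "upstream":
        return ("dns", upstream.get(name))   # None models NXDOMAIN upstream
    return (kind, target)


def reachable(ip, allow_out):
    """Stand-in for an outbound firewall allow-list. A loopback answer means
    'resolved, but nothing there', so it never reaches the real site."""
    if ip is None or ipaddress.ip_address(ip).is_loopback:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allow_out)


def check(name, allow_out=("116.203.91.91/32",), hosts=None, rules=None):
    """Resolve a name and report where the answer came from and whether the
    outbound firewall would let the connection through."""
    hosts = parse_hosts(HOSTS_FILE) if hosts is None else hosts
    rules = parse_dnsmasq(WHITELIST_CONF) if rules is None else rules
    source, ip = resolve(name, hosts, rules)
    return {"name": name, "source": source, "ip": ip, "reachable": reachable(ip, allow_out)}


if __name__ == "__main__":
    for n in ("manjaro.org", "forum.manjaro.org", "barneyrubble.com",
              "google.com", "evil-manjaro.org"):
        print(check(n))
    # The gufw deny-all experiment: the name resolves via /etc/hosts, but the
    # firewall still drops the connection because the IP was never allowed.
    print(check("manjaro.org", allow_out=()))
```

Running it shows the three outcomes the thread circles around: manjaro.org and forum.manjaro.org resolve (from /etc/hosts and via the whitelisted upstream respectively) and pass the firewall; barneyrubble.com and google.com resolve to 127.0.0.1 and go nowhere; and a look-alike such as evil-manjaro.org falls through to the catch-all rather than inheriting the manjaro.org allow. Dropping the `address=/#/` line while keeping `no-resolv` turns unmatched names into REFUSED answers, which is the shape of the nslookup output reported further down.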

Perhaps use a drop-in folder /etc/dnsmasq.d and enable loading of .conf files from the folder - to keep dnsmasq.conf clean

# Include all files in a directory which end in .conf
conf-dir=/etc/dnsmasq.d/,*.conf

I give you a like for it

1 Like

I tried it on my setup but I’m unable to get it to whitelist anything. Not sure if this matters, but I’m using xfinitywifi which is a public network.

You know that you need to reload the config after every edit?

What says:

nslookup manjaro.org
nslookup google.com

:notebook: pamac install bind

For google it should look like this:

$ nslookup google.com 
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	google.com
Address: 127.0.0.1
Name:	google.com
Address: ::1

And manjaro:

$ nslookup manjaro.org
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	manjaro.org
Address: 116.203.91.91
Name:	manjaro.org
Address: 2a01:4f8:c0c:51f3::1

@linux-aarhus erm… actually I don’t use dnsmasq directly here. NetworkManager starts it and it uses this conf-dir: /etc/NetworkManager/dnsmasq.d/

1 Like

[arch-7453w35 dnsmasq.d]# nslookup manjaro dot com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can’t find manjaro dot com: REFUSED

Yeah, reloading it every time. The forum won’t let me send links, but this is what I’m getting. I’ve noticed my wifi icon on the top right of GNOME shows a question mark when I enable the conf.d [main] dns=dnsmasq