Dilemma whitelist / blacklist

I found this topic, explaining how to use .* as a regex, to identify all domains.

What I want:

  • for some device(s) (group deny_all), I want to block everything, the device(s) should not be able to resolve anything, but I want to use the query log to see the attempted (blocked) queries.
  • for some device(s) (group allow_all), I want to allow everything, the device(s) should be able to resolve everything, again, I want to use the query log to see what queries (allowed) are being made.

Unfortunately, entering both a blacklist and whitelist entry .* isn't allowed (duplicate domain entry).

The same dilemma arises for allowing access to facebook (for example). I can block facebook (group facebook_deny), using a regex such as

^(.+\.)?(facebook|fb(cdn|sbx)?|tfbnw)\.[^.]+$

but I cannot use the same regex, to allow (whitelist) facebook for specific devices (group facebook_allow), regardless of possible adlists (gravity) entries.

I understand the whitelist entry would prevail (whitelist always wins), for a client that is assigned to both groups, but fail to understand, why it would not work, if the client assignments are correct (member of either deny_all OR allow_all).

What would be the developers' recommended way to achieve the required functionality for the groups allow_all and deny_all (AND facebook_allow and facebook_deny)?

Will be solved in v5.1.

See this topic for details:

the domains, mentioned in your quote are different domains

that should be possible, if not, it's a bug, as you already indicated.

I want to add the same (identical) entry twice, once as a blacklist entry, and once as a whitelist entry, each assigned to a different group, with different client assignments.

according to this article, it would be possible to allow inserting an identical whitelist entry and a blacklist entry, by specifying the domain AND the type field in the unique statement.

UNIQUE(domain,type)

currently (from /etc/.pihole/advanced/Scripts/database_migration/gravity/3_to_4.sql), it's

domain TEXT UNIQUE NOT NULL,

Unfortunately, I have no idea how changing this would impact the web interface, and most importantly pihole-FTL, thus developer input required...
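The difference between the two constraints quoted above, as an added example that is not part of the original posts and is not Pi-hole's own code: it builds a simplified, hypothetical `domainlist` table in an in-memory SQLite database under each constraint and tries to add `.*` and the Facebook regex (written here with its dots escaped) once as a blacklist rule and once as a whitelist rule for different groups. The reduced column set, the text group names, the helper functions and the type codes 2 and 3 are assumptions made for the sketch.

```python
import sqlite3

# Assumed type codes for this sketch: 2 = regex whitelist, 3 = regex blacklist.
REGEX_WHITE, REGEX_BLACK = 2, 3
FB = r"^(.+\.)?(facebook|fb(cdn|sbx)?|tfbnw)\.[^.]+$"

# "single" mirrors the quoted column definition, "composite" the proposed one.
SCHEMAS = {
    "single": "domain TEXT UNIQUE NOT NULL, type INTEGER NOT NULL",
    "composite": "domain TEXT NOT NULL, type INTEGER NOT NULL, UNIQUE(domain, type)",
}

def build(schema):
    """Create a simplified, hypothetical domainlist plus a group link table."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE domainlist (id INTEGER PRIMARY KEY, {SCHEMAS[schema]})")
    db.execute("CREATE TABLE domainlist_by_group (domainlist_id INTEGER, group_name TEXT)")
    return db

def add_rule(db, domain, rtype, group):
    """Insert one rule and assign it to a group; return False if rejected."""
    try:
        with db:  # commit both inserts together, roll back on a constraint error
            cur = db.execute("INSERT INTO domainlist (domain, type) VALUES (?, ?)",
                             (domain, rtype))
            db.execute("INSERT INTO domainlist_by_group VALUES (?, ?)",
                       (cur.lastrowid, group))
        return True
    except sqlite3.IntegrityError:
        return False

def rules_for(db, group):
    """Return the (domain, type) rules assigned to one group."""
    return db.execute(
        "SELECT d.domain, d.type FROM domainlist d "
        "JOIN domainlist_by_group g ON g.domainlist_id = d.id "
        "WHERE g.group_name = ? ORDER BY d.type, d.domain", (group,)).fetchall()

def try_both(schema):
    """Add each regex as a blacklist and a whitelist rule for different groups."""
    db = build(schema)
    results = [
        add_rule(db, ".*", REGEX_BLACK, "deny_all"),
        add_rule(db, ".*", REGEX_WHITE, "allow_all"),
        add_rule(db, FB, REGEX_BLACK, "facebook_deny"),
        add_rule(db, FB, REGEX_WHITE, "facebook_allow"),
    ]
    return db, results

if __name__ == "__main__":
    for name in SCHEMAS:
        db, results = try_both(name)
        print(name, results, rules_for(db, "allow_all"))
```

Under the single-column constraint the second insert of each regex is rejected, so the allow groups end up with no rule; under `UNIQUE(domain, type)` all four rows coexist and each group sees only its own rule.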

Please read the whole topic.

my bad, it is indeed what I had in mind, apologies for wasting your time
