How to deny all hosts and allow selected ones only?

[emanruse]

Hi,

I am looking for a way to use uBO in a "firewall" way with default drop policy, allowing only explicitly whitelisted hosts (of course, I understand that there is no lower OSI layer blocking, just illustrating the idea).

I already have:

no-csp-reports: * true
no-large-media: * true
no-remote-fonts: * true
no-scripting: * true
* * * block
* * 1p-script block
* * 3p block
* * 3p-frame block
* * 3p-script block
* * image block
* * inline-script block
behind-the-scene * * block

but that doesn't seem sufficient.

I tried using $document as a static rule but I am not sure if that is how I should approach it.

So, what is the correct way to do this?

[stephenhawk8054]

Dynamic rules cannot block source document. You need to use static filter like

*$doc,domain=~example.com|~example2.com

So everytime you want exclude a domain, you need to do in both static filters and dynamic rules panels.

* * * block
example.com * * noop
example2.com * * noop

[emanruse]

Thanks! The static rule per se seems to do it. Why do I need to add to the dymanic rules too? Another thing: Is it possible (better/worse?) to do all this using a regex static rule like: /^http(s)?://.*/,domain=example.com thus blocking not only the main document but everything? I tried that but uBO seems to dislike the "(s)" part (i.e. I need to use separate rules for http and https) and the domain= part doesn't seem to have any effect.

[stephenhawk8054]

Why do I need to add to the dymanic rules too?

Because you are blocking everything in dynamic rules too? This is from your configuration above

* * * block

If you don't noop the domain in dynamic rules, only the site document is loaded and everything else is still blocked.

I would suggest you read the document carefully to understand how dynamic rules work first, or else you will break the websites easily.

---

blocking not only the main document but everything

*$all

[emanruse]

Understood. Thank you!