From: Patrick Proniewski <patpro@patpro.net>
Date: Fri, 3 Aug 2007 10:54:20 +0200
To: Fai Cheng
Cc: freebsd-pf@freebsd.org
Subject: Re: Block WWW.ORKUT.COM
Message-Id: <69794025-47B6-4DC5-891D-E0A8454CD69C@patpro.net>
In-Reply-To: <4a33a74a0708030131p7024453ekcd73f4d55972a0bd@mail.gmail.com>
References: <20070803073610.GA39968@quartzo.cirp.usp.br> <4a33a74a0708030131p7024453ekcd73f4d55972a0bd@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 3 August 2007, at 10:31, Fai Cheng wrote:

> I don't think this is impossible. Depends on how you could configure the
> firewall. If you can block all traffic but allow only those you need
> (e.g. to your partner site only, deny all outgoing traffic).

this is a good solution (technically speaking), but unless you're working
in a very tight security environment, you might prefer education over
extensive blocking.

> Modifying the DNS / hosts files is a tricky way but it works.

as long as the user won't put his own hosts file on his system.

> but you have to know what is behind the host. e.g. they can use
> orkut.l.google.com instead of www.orkut.com. So the whitelist approach is
> easier to handle. (If you can)

sure.

> Of course a different proxy (e.g. running a proxy on port 80 or 443) is
> hard to block; in this case you need to monitor the traffic and see if
> any people go to a specific host with a large amount of traffic. So you
> may notice the problems.

not hard, just impossible (in a blacklist context), because there is no way
you can know every proxy/anonymizer. It's exactly the same as fighting spam.
You block something, the spammer will find his way in again, you block it
again, etc.

patpro
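As an added illustration of the whitelist approach Fai Cheng describes (this is not code from the thread, nor patpro's or Fai Cheng's), a pf.conf sketch that denies everything by default and passes LAN clients only to a table of allowed destinations. The interface names, the addresses in the table and the upstream resolver are assumptions.

```pf
ext_if = "em0"          # assumed: uplink interface
int_if = "em1"          # assumed: LAN interface

# Assumed partner networks the LAN is allowed to reach; edit to taste.
table <allowed_dst> persist { 192.0.2.0/24, 198.51.100.10 }

set skip on lo0
# Floating states match on any interface, so a state created by a
# "pass in" rule on $int_if also lets the forwarded packet out on $ext_if.
set state-policy floating

# Default deny, logged, in both directions on every interface.
block log all

# LAN clients may only use the gateway's own resolver. A hand-edited hosts
# file or an external resolver then cannot turn a name into a reachable
# address, because filtering happens on IP addresses, not on names.
pass in quick on $int_if inet proto { tcp, udp } from $int_if:network to ($int_if) port 53 keep state

# Web traffic is allowed only to the whitelisted destinations.
pass in on $int_if inet proto tcp from $int_if:network to <allowed_dst> port { 80, 443 } flags S/SA keep state

# The gateway itself needs to resolve names upstream (assumed upstream resolver).
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to 203.0.113.53 port 53 keep state

# NAT for the LAN is omitted here; add a "nat on $ext_if" rule if needed.
```

Blocked attempts show up with `tcpdump -n -e -ttt -i pflog0`, which is how the "monitor the traffic" suggestion above is done on pf.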