Date: Mon, 2 May 2011 11:09:49 -0400
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: Zhu Sha Zang <zhushazang@yahoo.com.br>
Cc: freebsd-pf@freebsd.org
Subject: Re: blocking facebook
Message-ID: <BANLkTi=fSojVudDRKR=7rLdo9+TfsQkwUw@mail.gmail.com>
In-Reply-To: <4DBEC293.1010607@yahoo.com.br>
References: <4DBEC293.1010607@yahoo.com.br>
On Mon, May 2, 2011 at 10:41, Zhu Sha Zang <zhushazang@yahoo.com.br> wrote:
> I'm trying to block facebook access only using PF in FreeBSD 8.2.
>
> But putting the name or the ip returned with the command host
> www.facebook.com I can't deny any user to connect facebook.
>
> Some trick to do that?
>
> Thanks for now.

Short version: you can't block via domain in pf.

Long version: when pf starts, it reads its config file. If you have a domain name listed, and you can't reach your DNS server because DHCP or other networking scripts aren't loaded, it can't resolve the domain. If it CAN resolve the domain, it will use the IP address it received from a DNS lookup. For domains backed by a single IP, no problem. For domains that span multiple IPs, and multiple networks, that's a pretty big problem.

Additionally, pf does NOT do deep packet inspection. It's extremely taxing and it's not what pf was designed to do.

If you want to block facebook I would suggest a multi-faceted approach (though it's not foolproof, it just keeps MOST people from going there).

1) Control DNS. You can have lookups for *.facebook.com (and associated CDN addresses) go to whatever.

2) Control the browser - if you can blacklist *.facebook.com (and associated CDN addresses) you can limit a lot of it.

3) Force your users through squid or another web proxy. This is probably the best method as you can then block anything going to a facebook.com address, or with certain strings in the URL, by redirecting them to a page saying, "I'm sorry, that is not allowed on this network." This scales remarkably well on commodity hardware up to several thousand users assuming you aren't doing 10Gb.

Good luck.

kmw
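As an added illustration of point 3 above (not part of the original thread or of Kevin's reply), the two configuration fragments below show a squid ACL that denies by destination hostname or URL string and redirects the user to a notice page, plus the FreeBSD 8.2 pf `rdr` rule that forces LAN web traffic through that proxy. The interface name, address ranges, CDN domain and notice-page URL are assumptions chosen for the example.

```conf
# --- /usr/local/etc/squid/squid.conf (relevant lines only) ---
# Interface names, address ranges, the CDN domain and the notice-page URL
# below are assumptions for illustration, not values from the original thread.

# Accept the connections pf redirects to us (squid 3.1+ keyword; squid 2.x
# spells it "transparent").
http_port 3128 intercept

# The LAN that is forced through the proxy (assumed range).
acl localnet src 192.168.1.0/24

# Match on the requested hostname rather than on a resolved address, so the
# rule does not break when the site changes or spreads across many IPs.
# A leading dot matches the domain and all its subdomains. .fbcdn.net is an
# assumed CDN domain; confirm what the site actually loads before relying on it.
acl blocked_sites dstdomain .facebook.com .fbcdn.net

# ... or match "certain strings in the URL", case-insensitively.
acl blocked_urls url_regex -i facebook

# Order matters: the deny lines must come before the allow for localnet.
http_access deny blocked_sites
http_access deny blocked_urls
http_access allow localnet
http_access deny all

# Send denied users to a notice page instead of a bare 403. The page lives on
# an assumed internal web server and must not itself match the blocked ACLs.
deny_info http://intranet.example.internal/blocked.html blocked_sites
deny_info http://intranet.example.internal/blocked.html blocked_urls

# --- /etc/pf.conf (FreeBSD 8.2 rule syntax; relevant lines only) ---
int_if = "em1"              # assumed LAN-facing interface
lan    = "192.168.1.0/24"   # assumed LAN range, same as squid's localnet

# Redirect all outbound plain-HTTP from the LAN to squid on this host, so a
# user cannot bypass the filter simply by not configuring a proxy.
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port 3128
```

The `rdr` rule only catches plain HTTP on port 80; connections to port 443 go straight out unless they are handled separately, which is why the reply pairs the proxy with DNS control (point 1) and browser configuration (point 2). Check the result with `pfctl -sn` (the loaded redirect rules) and `squidclient` or the squid access log to confirm that requests for the blocked hosts are being denied and redirected.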
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTi=fSojVudDRKR=7rLdo9%2BTfsQkwUw>