From: Frank Shute
To: Ernie Luzar
Cc: "freebsd-questions@freebsd.org"
Date: Tue, 22 Aug 2017 23:58:07 +0100
Subject: Re: How to block facebook access

On Sat, Aug 19, 2017 at 02:20:48PM -0400, Ernie Luzar wrote:
>
> Hello list;
>
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> are using their work PCs to access facebook during work.
>
> What method would you recommend to block all facebook access?
>

Hi Ernie,

My recommendation would be to set up unbound(8) on your 11.1 machine (or set up another) and configure everything on the LAN to use it for name service.

You can then shove some local records in unbound.conf(5), such as:

    local-zone: "facebook.com" refuse
    local-zone: "doubleclick.net" refuse
    ... etc.

If you then do a lookup from the LAN:

    $ host facebook.com
    Host facebook.com not found: 5(REFUSED)

Firefox and Chrome seem to handle that gracefully.

To stop any muppets who decide to use alternative name service, i.e. Google, OpenDNS etc., configure ipfilter to drop any outgoing to 53 except from your unbound machine.

Of course, other benefits are:

1). You can cut down on all sorts of additional superfluous traffic which improves all sorts of things: contention, less bandwidth & quota needed etc.

2). Lookups are a lot quicker if they're cached on the LAN; which your users will appreciate.

This all somewhat depends on how computer savvy your users are and how locked down their PCs are. If they know what they're doing then they will find a way around it and nothing short of nuking all of Facebook's DCs will stop it. Now there's an idea....

Regards,
-- 
Frank
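
An added example, not part of Frank's message: a small Python helper that turns a blocklist into the local-zone lines shown above and, going one step beyond the post, reports whether a given hostname falls under one of those zones. The sample blocklist, the query names and all function names are constructed for illustration.

```python
# Added example: constructed blocklist, not taken from the original post.
SAMPLE_BLOCKLIST = """\
facebook.com
www.facebook.com   # redundant: already under facebook.com
Facebook.COM.      # duplicate once normalised
doubleclick.net
"""

_ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-_")

def normalize(name):
    """Lower-case, drop the trailing dot, and reject anything unsafe to quote."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or any(not l or set(l) - _ALLOWED for l in labels):
        raise ValueError(f"not a usable domain name: {name!r}")
    return name

def covering_zone(name, zones, strict=False):
    """Return the zone containing name, matched label by label, else None.
    With strict=True only proper parents count (used for de-duplication)."""
    labels = normalize(name).split(".")
    for i in range(1 if strict else 0, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def build_zones(text):
    """Parse blocklist text ('#' comments allowed); drop names under a listed parent."""
    names = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            names.add(normalize(entry))
    return sorted(n for n in names if covering_zone(n, names, strict=True) is None)

def render(zones):
    """Emit lines for the server: section of unbound.conf."""
    return "".join(f'local-zone: "{z}" refuse\n' for z in zones)

if __name__ == "__main__":
    zones = build_zones(SAMPLE_BLOCKLIST)
    print(render(zones), end="")
    # Constructed query names: a subdomain, a look-alike, an unrelated zone.
    for q in ("m.facebook.com", "notfacebook.com", "static.xx.fbcdn.net"):
        print(f"{q}: {covering_zone(q, zones) or 'NOT covered'}")
```

A name reported as not covered sits outside every listed zone and needs its own local-zone line if it is meant to be refused.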