Date:      Sun, 20 Aug 2017 13:44:09 +0200
From:      Polytropon <freebsd@edvax.de>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: How to block facebook access
Message-ID:  <20170820134409.825ed388.freebsd@edvax.de>
In-Reply-To: <599972E0.8080203@gmail.com>
References:  <59988180.7020301@gmail.com> <c651aba9-8e5b-b193-1808-cef5b900cf27@tysdomain.com> <5998A270.9070907@gmail.com> <20170819225659.56c11983.freebsd@edvax.de> <599972E0.8080203@gmail.com>

On Sun, 20 Aug 2017 07:30:40 -0400, Ernie Luzar wrote:
> Polytropon wrote:
> > On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
> >>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >>>> Hello list;
> >>>>
> >>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users 
> >>>> are using their work PC's to access facebook during work.
> >>>>
> >>>> What method would you recommend to block all facebook access?
> >>>>
> >>  > Littlefield, Tyler wrote:
> >>  > make your proxy just blacklist facebook.com and m.facebook.com?
> >>  > Blocking it will just let them view it on their phones though, so
> >>  > you're looking at a different issue altogether.
> >>
> >> Already blocking 15 facebook login ip addresses which can be added to or
> >> changed by FB anytime.
> > 
> > Yes, that is one of the core problems: You do not have control
> > over Facebook's network configuration. :-)
> > 
> > On the IP level, you can maintain a list of IPs to block. And
> > you could use resolver modification to do this for you, for
> > example when the IP for a certain Facebook service or page
> > changes, using the resolver its new IP will be added to the
> > block list. With this approach, you can block using both
> > numeric IPs and domain name strings (which of course resolve
> > to IPs, too).
> > 
> > Maybe it would be a lot easier if you could just switch to
> > whitelisting - define the IPs _allowed_ for the users. This
> > will surely introduce new problems like "I cannot access a
> > web site which I need for work, please verify and whitelist",
> > which is something you cannot fully automate.
> > 
> 
> I am unfamiliar with the "resolver modification" you speak of.
> Is this a function in ipfilter firewall?
> Where and how is this done?

It's a term I probably invented because I don't know the correct
name - if it even has a specific name. :-)

The idea is that IPs assigned to hosts may change, something you
mentioned as a fully valid problem. Example: If you want to block
login.example.com with the IP 123.456.789.100, you add that
to your list - done. Now example.com changes it to 123.456.789.101,
and in case you didn't block a full IP range (123.456.789.*),
login.example.com can be reached again. So if you have a list
of host names that you want to prohibit access to, put them into
a list and let your resolver check them from time to time, for
example using tools like dig, drill, or host, with a little
postprocessing. If a new IP appears, just add it to the block
list. In this example, 123.456.789.101 would be added, and
login.example.com cannot be reached anymore. This approach is
also helpful if example.com acquires a totally new IP range,
for example now login.example.com becomes 123.987.258.654... ;-)

Maybe the following resources will provide a good entry point:

https://www.lifewire.com/what-is-the-ip-address-of-facebook-818152

https://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
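
The periodic re-resolution described in the message above, as an added example that is not part of the original e-mail: it resolves a list of host names with drill, keeps only addresses from the answer section, and appends any address not yet on the block list. The function names, the file names, and the ipfilter pool number are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Assumed names: resolve_host, answer_ips, update_blocklist.

# Look up the A records of one host name; drill(1) prints dig-style output.
resolve_host() {
    drill "$1" A
}

# Keep IPv4 addresses from the ANSWER section only, so glue records for
# name servers in the ADDITIONAL section never reach the block list.
answer_ips() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" &&
            $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $5 }
    '
}

# Resolve every name in file $1 (one per line, "#" comments allowed),
# append addresses not yet in file $2, and print only the new ones.
update_blocklist() {
    hosts=$1
    list=$2
    touch "$list"
    grep -v -e '^#' -e '^$' "$hosts" | while read -r name; do
        resolve_host "$name" </dev/null | answer_ips
    done | sort -u | while read -r ip; do
        if ! grep -qxF "$ip" "$list"; then
            echo "$ip" >> "$list"
            echo "$ip"
        fi
    done
}

# Run from cron, e.g.: sh update_block.sh hosts.txt blocked_ips.txt
# The printed addresses are what the firewall still has to learn; with
# ipfilter that could be "ippool -a -m 100 -i <ip>" (pool 100 is assumed).
if [ "$#" -eq 2 ]; then
    update_blocklist "$1" "$2"
fi
```

Addresses are only ever appended, as in the message, so entries for addresses a host no longer uses stay on the list until they are removed by hand.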


