From owner-freebsd-questions@freebsd.org Sun Aug 20 11:44:21 2017
Date: Sun, 20 Aug 2017 13:44:09 +0200
From: Polytropon
To: Ernie Luzar
Cc: "freebsd-questions@freebsd.org"
Subject: Re: How to block facebook access
Message-Id: <20170820134409.825ed388.freebsd@edvax.de>
In-Reply-To: <599972E0.8080203@gmail.com>
References: <59988180.7020301@gmail.com> <5998A270.9070907@gmail.com> <20170819225659.56c11983.freebsd@edvax.de> <599972E0.8080203@gmail.com>
On Sun, 20 Aug 2017 07:30:40 -0400, Ernie Luzar wrote:
> Polytropon wrote:
> > On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
> >>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >>>> Hello list;
> >>>>
> >>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> >>>> are using their work PC's to access facebook during work.
> >>>>
> >>>> What method would you recommend to block all facebook access?
> >>>>
> >> > Littlefield, Tyler wrote:
> >> > make your proxy just blacklist facebook.com and m.facebook.com?
> >> > Blocking it will just let them view it on their phones though, so
> >> > you're looking at a different issue altogether.
> >>
> >> Already blocking 15 facebook login ip addresses, which can be added to or
> >> changed by FB anytime.
> >
> > Yes, that is one of the core problems: You do not have control
> > over Facebook's network configuration. :-)
> >
> > On the IP level, you can maintain a list of IPs to block. And
> > you could use resolver modification to do this for you, for
> > example when the IP for a certain Facebook service or page
> > changes, using the resolver its new IP will be added to the
> > block list. With this approach, you can block using both
> > numeric IPs and domain name strings (which of course resolve
> > to IPs, too).
> >
> > Maybe it would be a lot easier if you could just switch to
> > whitelisting - define the IPs _allowed_ for the users. This
> > will surely introduce new problems like "I cannot access a
> > web site which I need for work, please verify and whitelist",
> > which is something you cannot fully automate.
>
> I am unfamiliar with the "resolver modification" you speak of.
> Is this a function in ipfilter firewall?
> Where and how is this done?

It's a term I probably invented because I don't know the correct
name - if it even has a specific name. :-)

The idea is that IPs assigned to hosts may change, something you
mentioned as a fully valid problem.

Example: If you want to block login.example.com with the IP
123.456.789.100, you add that to your list - done. Now example.com
changes it to 123.456.789.101, and in case you didn't block a full
IP range (123.456.789.*), login.example.com can be reached again.

So if you have a list of host names that you want to prohibit access
to, put them into a list and let your resolver check them from time
to time, for example using tools like dig, drill, or host, with a
little postprocessing. If a new IP appears, just add it to the block
list. In this example, 123.456.789.101 would be added, and
login.example.com cannot be reached anymore.

This approach is also helpful if example.com acquires a totally new
IP range, for example now login.example.com becomes 123.987.258.654... ;-)

Maybe the following resources will provide a good entry point:

https://www.lifewire.com/what-is-the-ip-address-of-facebook-818152
https://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
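One way to put the periodic re-resolving described in the reply above into practice, as an added example that is not code from the thread or from any of its participants: a POSIX sh script that looks each listed name up with host(1) and appends any address not yet in the block-list file. The file paths, variable names and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: keep a block-list file in sync with the current addresses
# of a list of host names. Assumed (placeholder) layout: one host name per
# line in $BLOCKHOSTS, one IPv4 address per line in $BLOCKIPS. Only IPv4
# answers from host(1) are handled; referencing $BLOCKIPS from the ipfilter
# rule set and reloading it after a change is left to the existing setup.
export LC_ALL=C
BLOCKHOSTS=${BLOCKHOSTS:-/usr/local/etc/blockhosts}
BLOCKIPS=${BLOCKIPS:-/usr/local/etc/blockips}

# Resolve one name with host(1); kept as a wrapper so it can be replaced
# with canned output when exercising the script offline.
resolve_name() {
    host "$1" 2>/dev/null
}

# Keep only the IPv4 addresses from lines such as
#   login.example.com has address 192.0.2.10
extract_ips() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# refresh_block_list HOSTFILE IPFILE: resolve every name in HOSTFILE,
# append addresses missing from IPFILE, and print only the newly added
# ones so a cron job can tell whether a rule reload is needed.
refresh_block_list() {
    hosts=$1; ips=$2
    [ -f "$ips" ] || : > "$ips"
    fresh=$(mktemp); cur=$(mktemp)
    while IFS= read -r name; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks/comments
        resolve_name "$name" | extract_ips
    done < "$hosts" | sort -u > "$fresh"
    sort -u "$ips" > "$cur"
    added=$(comm -13 "$cur" "$fresh")   # resolved now, not yet blocked
    if [ -n "$added" ]; then
        printf '%s\n' "$added" >> "$ips"
        sort -u -o "$ips" "$ips"
        printf '%s\n' "$added"
    fi
    rm -f "$fresh" "$cur"
}

# Typical cron use: refresh_block_list "$BLOCKHOSTS" "$BLOCKIPS" and reload
# the ipfilter rules whenever it prints anything.
```

Addresses are only ever added, never removed, so an address that a name stops resolving to stays blocked until it is pruned by hand.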