Subject: Re: How to block facebook access
To: freebsd-questions@freebsd.org
From: Shamim Shahriar
Date: Sun, 20 Aug 2017 13:02:35 +0100
Message-ID: <4e86d0a7-fe65-f710-2176-3f80d7cd5b26@gmail.com>
In-Reply-To: <20170820134409.825ed388.freebsd@edvax.de>
References: <59988180.7020301@gmail.com> <5998A270.9070907@gmail.com>
 <20170819225659.56c11983.freebsd@edvax.de> <599972E0.8080203@gmail.com>
 <20170820134409.825ed388.freebsd@edvax.de>
List-Id: User questions

On 20/08/2017 12:44, Polytropon wrote:
> On Sun, 20 Aug 2017 07:30:40 -0400, Ernie Luzar wrote:
>> Polytropon wrote:
>>> On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
>>>>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
>>>>>> Hello list;
>>>>>>
>>>>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>>>>> are using their work PCs to access facebook during work.
>>>>>>
>>>>>> What method would you recommend to block all facebook access?
>>>>>>
>>>> > Littlefield, Tyler wrote:
>>>> > make your proxy just blacklist facebook.com and m.facebook.com?
>>>> > Blocking it will just let them view it on their phones though, so
>>>> > you're looking at a different issue altogether.
>>>>
>>>> Already blocking 15 facebook login ip addresses which can be added to or
>>>> changed by FB anytime.
>>> Yes, that is one of the core problems: You do not have control
>>> over Facebook's network configuration. :-)
>>>
>>> On the IP level, you can maintain a list of IPs to block. And
>>> you could use resolver modification to do this for you, for
>>> example when the IP for a certain Facebook service or page
>>> changes, using the resolver its new IP will be added to the
>>> block list. With this approach, you can block using both
>>> numeric IPs and domain name strings (which of course resolve
>>> to IPs, too).
>>>
>>> Maybe it would be a lot easier if you could just switch to
>>> whitelisting - define the IPs _allowed_ for the users. This
>>> will surely introduce new problems like "I cannot access a
>>> web site which I need for work, please verify and whitelist",
>>> which is something you cannot fully automate.
>>>
>> I am unfamiliar with the "resolver modification" you speak of.
>> Is this a function in ipfilter firewall?
>> Where and how is this done?
> It's a term I probably invented because I don't know the correct
> name - if it even has a specific name. :-)
>
> The idea is that IPs assigned to hosts may change, something you
> mentioned as a fully valid problem. Example: If you want to block
> login.example.com with the IP 123.456.789.100, you add that
> to your list - done. Now example.com changes it to 123.456.789.101,
> and in case you didn't block a full IP range (123.456.789.*),
> login.example.com can be reached again. So if you have a list
> of host names that you want to prohibit access to, put them into
> a list and let your resolver check them from time to time, for
> example using tools like dig, drill, or host, with a little
> postprocessing. If a new IP appears, just add it to the block
> list. In this example, 123.456.789.101 would be added, and
> login.example.com cannot be reached anymore. This approach is
> also helpful if example.com acquires a totally new IP range,
> for example now login.example.com becomes 123.987.258.654... ;-)
>
> Maybe the following resources will provide a good entry point:
>
> https://www.lifewire.com/what-is-the-ip-address-of-facebook-818152
>
> https://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook
>

Even then there are ways of mitigating those -- for example, using some
kind of Tor browser or, most simply, using Google services. The only
"slightly more effective" option I have come across so far is using
squidguard or a similar product, and forcing users to use squid (even
with, and especially for, SSL connections) -- it involves installing your
own CA on ALL the client machines, otherwise they will keep on getting
error messages for all SSL sites. With squidguard you can also use a
regex or part of the URL and even that will be blocked, and you can
redirect users to a notice page saying "this is forbidden from your work
computer, your activity is being logged" :P

Hope this helps.

Regards
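The "resolver modification" idea Polytropon describes above (keep a list of host names, resolve them from time to time with host(1), and fold any new address into the ipfilter block list) as a worked example. This script is added here and is not code from anyone in the thread. It assumes host(1) from the FreeBSD base system as the resolver front end, an ipfilter rule of the form "block out quick on IF from any to ADDR", and placeholder file paths and interface name that you would replace with your own. The sample host(1) output used in the comments and checks is constructed, with documentation addresses (203.0.113.x, 2001:db8::) standing in for the thread's 123.456.789.x.

```shell
#!/bin/sh
# Added example (not from the thread): keep an ipfilter block list in sync
# with the current addresses of a list of host names.  Assumptions: host(1)
# is available; rule syntax "block out quick on IF from any to ADDR"; all
# paths and the interface name below are placeholders.

# Print only the A and AAAA answers from host(1) output read on stdin, one
# address per line.  Constructed sample input:
#   login.example.com has address 203.0.113.10
#   login.example.com has IPv6 address 2001:db8::10
#   login.example.com mail is handled by 10 mx.example.com.
# Anything that does not look like an address is dropped, so an odd DNS
# answer cannot put stray text into the generated rule file.
extract_addrs() {
    awk '$2 == "has" && $3 == "address" { print $4 }
         $2 == "has" && $3 == "IPv6" && $4 == "address" { print $5 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$' || true
}

# Read addresses on stdin, append the ones not yet in the block list file
# ($1) and print those new addresses so the caller can log them.  Addresses
# are only ever added: when a name moves to a new address, the old one stays
# blocked too, which is the behaviour described in the thread.
merge_ips() {
    list="$1"
    [ -f "$list" ] || : > "$list"
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        if ! grep -qxF "$addr" "$list"; then
            printf '%s\n' "$addr" >> "$list"
            printf '%s\n' "$addr"
        fi
    done
}

# Rewrite the ipfilter rule fragment ($2) from the block list ($1) for
# interface $3.  Reloading it (for example "ipf -Fa -f /etc/ipf.rules" once
# the fragment is included there) is left to your existing rc setup.
write_rules() {
    list="$1"; rules="$2"; iface="$3"
    {
        echo "# generated from $list on $(date)"
        while IFS= read -r addr; do
            [ -n "$addr" ] || continue
            echo "block out quick on $iface from any to $addr"
        done < "$list"
    } > "$rules"
}

# Resolve every name in the hosts file ($1, one name per line, '#' comments
# allowed) and fold new addresses into the block list ($2).  This is the
# only network-dependent step.
update_blocklist() {
    hosts="$1"; list="$2"
    while IFS= read -r name; do
        case "$name" in ''|'#'*) continue ;; esac
        host "$name" 2>/dev/null | extract_addrs | merge_ips "$list"
    done < "$hosts"
}

# Typical cron usage: "blocklist.sh run" every hour.  Paths are placeholders.
if [ "${1:-}" = "run" ]; then
    update_blocklist /usr/local/etc/blocked-hosts.txt /var/db/blocked-ips.txt \
        | sed 's/^/new address blocked: /'
    write_rules /var/db/blocked-ips.txt /etc/ipf.blocklist.rules em0
fi
```

Because the list only grows, it does not shrink when an address is handed back to someone else; if that matters on your network, expire entries by date separately. It also does nothing about the caveats raised in the thread (phones, Tor, third-party services), which is why the squid/squidguard route is mentioned as the more effective one.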