From: Frank Shute
To: Ernie Luzar, freebsd-questions@freebsd.org
Subject: Re: How to block facebook access
Date: Fri, 25 Aug 2017 19:16:35 +0100
Message-ID: <20170825181635.GA39216@woodcruft.co.uk>
In-Reply-To: <20170822225807.GA97221@woodcruft.co.uk>
References: <59988180.7020301@gmail.com> <20170822225807.GA97221@woodcruft.co.uk>
X-Operating-System: FreeBSD 11.1-RELEASE-p1 amd64
User-Agent: Mutt/1.8.3 (2017-05-23)

On Tue, Aug 22, 2017 at 11:58:07PM +0100, Frank Shute wrote:
>
> On Sat, Aug 19, 2017 at 02:20:48PM -0400, Ernie Luzar wrote:
> >
> > Hello list;
> >
> > Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> > are using their work PCs to access facebook during work.
> >
> > What method would you recommend to block all facebook access?
> >
>
> Hi Ernie,
>
>
> My recommendation would be to set up unbound(8) on your 11.1 machine (or
> set up another) and configure everything on the LAN to use it for name
> service.
>
> You can then shove some local records in unbound.conf(5), such as:
>
> local-zone: "facebook.com" refuse
> local-zone: "doubleclick.net" refuse
> ...
> etc.
>
> If you then do a lookup from the LAN:
>
> $ host facebook.com
> Host facebook.com not found: 5(REFUSED)
>
> Firefox and Chrome seem to handle that gracefully.
>
> To stop any muppets who decide to use alternative name service, i.e. Google,
> OpenDNS etc., configure ipfilter to drop any outgoing to 53 except from
> your unbound machine.
>
> Of course, other benefits are:
>
> 1). You can cut down on all sorts of additional superfluous traffic which
> improves all sorts of things: contention, less bandwidth & quota needed
> etc.
>
> 2). Lookups are a lot quicker if they're cached on the LAN; which your
> users will appreciate.
>
> This all somewhat depends on how computer savvy your users are and how
> locked down their PCs are.
>
> If they know what they're doing then they will find a way around it and
> nothing short of nuking all of Facebook's DCs will stop it. Now there's
> an idea....

Not long after I wrote the above, I came across: dns/void-zones-tools on Freshports.
It s/refuse/static/ and pulls in ~50,000 domains which are associated with evil into unbound.conf. Read the blurb for it:

https://github.com/cyclaero/void-zones-tools

It takes its data from half a dozen maintained lists and converts them into the format unbound understands. You can also whitelist/blacklist other domains/IPs.

I've only been running it for a couple of days with Adblock Plus turned off and it seems to work fine.

Definitely a win if you maintain a LAN/VLANs with Windows clients, especially Windows 10, as one of the lists it sucks in lists where Windows 10 built-in spywar...telemetry goes to.

My informants, who reside not a million miles from Redmond, tell me that MS are doing "significant work" on improving their "customer experience" of Windows 10 Telemetry. They're not changing the code in any way but rebranding it to:

"Visual Studio Telemetry .Net Agile"

You read it here first.

I can't tell you how proud it made me as a Brit to hear that nugget of news. My tax pounds at work I thought, employing clueless and incompetent Americans in a tax dodging American company's marketing department. Life surely does not get a lot sweeter....

But then I remembered, we've got a Microsoftie on core@ and some others slaving away in the code mines of Redmond with commit bits to src.

Yes! I was wrong, life does get even sweeter!
Regards,

-- 
Frank
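The list-to-unbound conversion the message attributes to void-zones-tools, as an added example that is not code from the thread or from that project: a POSIX sh script that turns a hosts-format blocklist into unbound(8) `local-zone ... static` lines and then drops whitelisted names. The blocklist below is constructed sample input, not one of the real feeds.

```shell
#!/bin/sh
# Added example, not code from the thread or from void-zones-tools: turn a
# hosts-format blocklist into unbound(8) 'local-zone ... static' lines, which
# is the conversion the message describes, then drop whitelisted names.

# Constructed sample input in hosts-file format (not a real feed).
SAMPLE_HOSTS='# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 facebook.com
0.0.0.0 www.facebook.com   # trailing comment
0.0.0.0 doubleclick.net
0.0.0.0 facebook.com
::1 ip6-localhost'

# Print one 'local-zone: "<name>" static' line per unique hostname.
# Comments are stripped, the usual loopback names are skipped, names are
# lower-cased and de-duplicated. With "static", unbound answers NXDOMAIN for
# the name and everything below it unless local-data says otherwise.
hosts_to_void_zones() {
    # $1: hosts-format text
    printf '%s\n' "$1" |
        sed 's/#.*//' |
        awk 'NF >= 2 && $2 !~ /^(localhost|ip6-localhost|broadcasthost)$/ { print tolower($2) }' |
        sort -u |
        awk '{ printf "local-zone: \"%s\" static\n", $1 }'
}

# Remove lines whose zone name is on the whitelist, so those names stay
# resolvable even if an upstream list carries them.
apply_whitelist() {
    # $1: local-zone lines, $2: newline-separated names to keep resolvable
    printf '%s\n' "$1" | awk -v wl="$2" '
        BEGIN { n = split(wl, a, "\n"); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        { name = $2; gsub(/"/, "", name); if (!(name in keep)) print }'
}

# Count the zones that survived, for a quick sanity check before reloading.
count_zones() {
    printf '%s\n' "$1" | grep -c '^local-zone:'
}

ZONES=$(hosts_to_void_zones "$SAMPLE_HOSTS")
ZONES=$(apply_whitelist "$ZONES" "www.facebook.com")
printf '%s\n' "$ZONES"
```

The output is ready to be included from unbound.conf; the ipfilter rule that drops outbound port 53 from everything except the resolver, as the quoted message suggests, is what keeps clients from bypassing it.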